Who has the right to control your PC?

Sony "rootkit" CD debacle spotlights broader clash over rights to control the way computers function.

John Borland
John Borland Staff Writer, CNET News.com

John Borland
covers the intersection of digital entertainment and broadband.

5 min read
Sony BMG Music Entertainment opened a rather ugly can of worms when it started selling copy-protected compact discs that planted so-called rootkit software on computers that played them.

Now, as Sony embarks on a nearly unprecedented recall and exchange program for the 4.7 million rootkit-carrying CDs already distributed to stores, industry experts say the record label's missteps highlight a broader question for the computer and entertainment industries: Who has the right to control your computer?

Sony's CDs, which installed a rootkit program that hid its copy protection tools deep inside computers' hard drives, crossed over a line of acceptable behavior, critics say. But the entertainment giant was hardly the first company to do something like this. Many other software programs also take over aspects of people's computers, often without consumers fully understanding what is happening.

"Consumers don't have any kind of assurance that other companies aren't going to do the same kind of thing (as Sony)," said Mark Russinovich, a software developer and blogger who first discovered the rootkit three weeks ago. "Which actions are considered actions for which users want really prominent disclosure? I think that's a complicated issue, but it needs to be addressed."

This issue cuts deep in the entertainment industry, whose music, movies and video games are particularly vulnerable to computers' ability to make perfect digital copies. But the question will increasingly cut across other industries as more products and services move online, requiring the use--or facilitating the abuse--of PCs.

"A personal computer is called a personal computer because it's yours," said Andrew Moss, Microsoft's senior director of technical policy. "Anything that runs on that computer, you should have control over."

Sounds simple, but it's not.

The average consumer PC is quickly filled with a myriad of applications, from instant messaging clients to media players to confusing DSL-networking software. Many of these make deep changes to the way a computer functions--often dropping automatic update features, for example--and rarely provide license agreements both technically specific and comprehensible to the nontechnical user.

"It really gets at how much control a user can reasonably expect to have over the amazing number of clowns that are inside the clown car of a computer," said Jonathan Zittrain, a professor of Internet government and regulation at Oxford University. "I don't know that there are good standards out there that respect the kind of colloquial property interest in computers that we as consumers have."

Culture clash inside the hard drive
The controversy over Sony's copy protection highlights two ideas of property that are clashing as the technology and entertainment worlds converge.

Record labels and movie studios have complained bitterly over the last few years that their intellectual property rights in films, music and games are routinely undermined by people burning copies of discs or DVDs, or trading files online. Recent analyst research suggests that nearly 30 percent of people in the United States have acquired music by burning a copy of a CD from a friend. Record labels are deeply worried that trend will do irreparable harm to their businesses.

They've responded by developing, supporting or lobbying for technology that shuts down the ability of a computer to make unrestricted copies. That ranges from Sony's rootkit software to the "broadcast flag" policies that would prevent digitally recorded television content from being traded online.

But if some computer owners have shown a lack of respect for intellectual property rights, Sony's invasive content protection tools displayed a similarly tone-deaf attitude to consumers' sense of ownership over their own PCs, critics say.

"If you wanted to take something from the lesson of Sony's rootkit, it should be that people want their demands for respect and autonomy to be taken more seriously," said Julie Cohen, a Georgetown University law professor who has written extensively on the intersection of property and technology.

Are these two sides always destined to clash? Executives on both sides of the technology and entertainment divide optimistically say no, and hope that gaffes like Sony's rootkit are a sign of digital growing pains.

"What this looks like is a collision of very legitimate interests," Mitch Bainwol, the Recording Industry Association of America CEO, told CNET News.com. "The next step is can you find a way to respect both interests in a way that advances the ball. I would submit that the answer is yes."

"People are doing way more with PCs than anyone anticipated even five to 10 years ago," Microsoft's Moss added. "We are in a period of transition, and the challenge in this transition is to find that balance."

A way forward?
Some of this squabble is old hat in policy and technology circles, which have buzzed for years with debates on how to control or regulate spyware and adware.

State and federal legislative attempts to pass laws regulating spyware have often stumbled when politicos have tried to deal with the technical differences between legitimate and malicious software.

But Congresswoman Zoe Lofgren, a California Democrat, said the Sony case underlines the necessity for federal anti-spyware legislation that she has co-authored. The bill is still being considered in the House but isn't likely to go anywhere this year.

"When we started working on spyware, we were not assuming that a major corporation would put spyware onto their customers' computers," Lofgren told CNET News.com. "This would fall in the category of behavior that was criminal under my bill?If they knew it was a felony, they probably would have been deterred."

Federal regulation or not, broad consensus has developed around notifying consumers of potentially controversial functions as clearly and specifically as possible.

A group of large Internet companies launched a new effort last week to certify that software downloads do only what they say they will do. To obtain a Trusted Download Program certification, any software must disclose what user settings are changed on a computer, what kind of user behavior is monitored or tracked, and must contain consent for the download. (One of the founding members of the group, which also includes Yahoo, America Online, Verizon and Computer Associates, was News.com publisher CNET Networks.)

Record companies have clearly watched Sony's public relations debacle over the past week and are drawing lessons. Without offering details, the RIAA's Bainwol noted that the last several weeks have been "instructive."

In a statement on its own plans for copy-protected discs, EMI Music said its antipiracy tools have been certified as "100 percent spyware free," and will not hide any files or download any software without a user's permission.

Sony BMG has also said that it continues to believe in the idea of copy-protecting music, as do movie studios and video game companies, but says it is reviewing its plans in light of the ongoing criticism.

"Sony BMG is committed to testing, verifying and disclosing to consumers its use of any copy-protection technology," the company said in a statement Friday. "(The company) is reviewing all aspects of its content protection initiatives to be sure that they are secure and user-friendly for consumers."

Russinovich, the computer programmer who discovered the Sony rootkit weeks ago, believes companies will pay at least some heed to this market response.

"I think other companies will look at this and say, 'We shouldn't try to hide things from the consumer, even in the interest of protecting content,'" he said. "I think they'll say, 'We need to be transparent about what we're doing, otherwise it's going to come back and bite us.'"