How Sony BMG lost its mind and rootkitted its CDs -- prepublication law paper

Aaron Perzanowski and Deirdre Mulligan have just posted a wonderful pre-publication paper called "The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident," which will shortly be published in the Berkeley Technology Law Journal. Exhaustively researched and footnoted -- but written in clear, non-lawyerese prose -- The Magnificence of the Disaster comprehensively analyses the madness that led Sony BMG to install dangerous, illegal rootkit anti-copying software as well as spyware (produced by a company founded to supply Elvis impersonators, no less!) on millions of its CDs, leading the company to enormous financial and legal penalties.

Potential customers who were aware of the existence and dangers posed by Sony BMG’s protection measures steered clear of XCP discs. The sales history of Get Right with the Man, an XCP-infected album by Van Zant that was released some six months prior to the rootkit announcement, is emblematic of the online retail impact of the rootkit incident. On November 2, just two days after the initial public announcement of the rootkit, Get Right with the Man ranked at number 887 on the music charts at The next day, after Amazon user reviews alerted shoppers to the dangers posed by XCP, the album dropped to number 1,392.[62] By the Thanksgiving holiday weekend, the XCP recall was underway and the album plummeted to number 25,802.[63] In contrast, in retail environments in which customers had less immediate access to information about the dangers of XCP, sales of Get Right with the Man were relatively undisturbed.[64] Since brick and mortar retailers like Wal-Mart, the nation’s leading seller of CDs,[65] do not facilitate the sort of customer feedback common to online retailers, this outcome is hardly surprising...

SunnComm, the company that delivered MediaMax, offered even more cause for concern. The company began as a provider of Elvis impersonation services.[114] After a change in management following a false press release announcing a non-existent $25 million production deal with Warner Brothers,[115] the company purchased a 3.5” floppy disk factory in 2001, displaying a disturbing dearth of technological savvy.[116] After two employees announced their intention to leave the fledgling company to develop copy protection software, SunnComm convinced the pair to lead a new division, leaving both Elvis and floppy discs behind in order to develop what would become MediaMax.[117]



  1. “the company purchased a 3.5” floppy disk factory in 2001, displaying a disturbing dearth of technological savvy”

    This is my favorite part.
    Honestly, what the christ?

  2. What you said, Anthony.

    SunnComm isn’t the first anti-copying software producer I’ve seen that was disturbingly far behind the technological curve. It would be interesting to find out if that’s a pattern.

  3. I guess that guy from Warners was right. They don’t understand technology and they don’t have the skills to hire people who do.

  4. When I googled for the Van Zant album mentioned above (I wasn’t sure how Little Steven’s last name was spelled, and wanted to see if it was one of his or one of the former Lynyrd Skynyrds; it’s the latter), this link from Amazon was one of the first that came up. Hmm… better check those Springsteen Dual Discs that I’ve bought to see if they’re in that group.

  5. I can just see the business school books of the future, addressing the music industry in their chapter on “How to Commit Industry Suicide”.

  6. What a superb report that is!
    I think we should thank Sony. It takes this kind of train wreck / bull in a china shop hybrid of a business strategy to generate enough backlash for the regular media to cover this kind of story.

  7. The analysis of the decision – was it simply a mistake, or a deliberate risk on Sony’s part? – neglects an important factor. Wish fulfillment.

    Lots of corporate executives don’t understand the actual limits of information technology, and assume that most statements about the possibility or impossibility of doing something are governed purely by engineers’ views of what’s easy. They also really want powerful and effective DRM, because they are deeply uneasy about people using their products in new ways: it seems to be an invasion of their area of control, the thing they have power over as an executive.

    The combination of these psychological factors means that they are highly unwilling to question someone who offers them DRM that is claimed to be “foolproof” and “effective”. They have very strong motivations to confirm the “truthiness” of this, and will resist any activity that might challenge it. It’s also the case that engineers who are inventing DRM systems naively tend to drastically overrate the power of their products.

    My experience of these behaviors comes from two scenarios.

    The first was making a testing attack against a DRM system (for an application’s built-in programming language) produced by a previous employer, where the responsible engineer considered it unbreakable, and then, when I’d opened it up in a morning’s work, mostly spent writing some simple tools (I had the advantage of being familiar with his programming style), started to claim that I was far more skillful than any plausible attacker.

    The second is from various attempts by a subsequent employer to design a DRM system for data, rather than media material. The requirements were always impossible to meet, but it was clear that if I claimed to have produced something that fulfilled them, I wouldn’t be questioned by management, who would try hard to defend the system against challenges, and there would be notable rewards.

    So it seems very plausible to me that once Sony went looking for a DRM system, their managers had strong motivation to accept the one with the biggest claims – and likely the highest price – to accept its producer’s claims about its effectiveness, to defend it against challenges, and not to consider side-effects.

    You also have to consider the nature of the music recording business. It’s a field where large sums are routinely risked on a combination of artistic and commercial judgment. The romantic view is of someone backing his artist to the top of the charts. That’s a situation where arbitrary decision-making can become entrenched in corporate culture really quite easily.
