Doubtless everyone has heard by now the saga of Sony’s rootkit DRM. On some music CDs Sony has put some Digital Rights Management (DRM) software that it said was intended to prevent copying of the music on the CD. Actually, that software also hides itself so it’s hard to find or remove, and opens several security holes, including reporting information about the user back through the Internet. Thus it resembles what is commonly called a rootkit, which is software that is designed to get root (unlimited access) and to hide the fact that it did so. Everybody from music buyers to antivirus vendors to Microsoft to the U.S. government complained to Sony, after which Sony put out an uninstall kit. But that kit turned out to open even more security holes. EFF is suing Sony.

Apparently the software to call home and get advertising related to each tune gets installed even if the user says no to the End User License Agreement (EULA).

The news just keeps getting worse. Now the state of Texas is suing Sony under the new TX spyware laws.

I continue to wonder why Apple still seems to be the only company that understood that online music “piracy” translates as market demand; a demand that the iPod and iTunes satisfies.

The moral of this story could be that forcing your customers to run software they didn’t ask for, don’t want, said they didn’t want, and may be illegal besides, just isn’t good risk management. Sony already had to recall the original CDs due to the furor over the DRM, but their “fixes” still have the same kinds of problems, so their PR problem just keeps getting bigger, and continues expanding into a bigger legal problem.

Wouldn’t it be easier just to sell music the customers want? Or to come up with a way to leverage music copying as advertising without putting illegal spyware on music lover’s computers?

-jsq