Terror in the blogosphere

The quirky boingboing.net website isn’t usually the type of media outlet to become embroiled in a contentious privacy issue, but the site has done yeoman’s work over the last few weeks in documenting a scandal involving Sony Music’s apparent complicity in installing spyware on its customers’ computers.

The incident centered on the discovery by a security expert in late October that Sony’s BMG music division had included spyware in music CDs distributed to legitimate customers. The software, known as a rootkit, enabled viruses, keyboard loggers and other nefarious programs to be parked on users’ computers without their knowledge, even if the users had declined the licensing agreement presented to them when they inserted the affected disc.

The existence of the rootkit was first documented by security expert Mark Russinovich in his blog on Oct. 31. Sony at first dismissed the complaint, then acknowledged the problem when F-Secure, a Finnish security company, confirmed that it, too, had identified the problem. However, Sony’s initial response was to deny that the problem was serious and to promise a fix when it was good and ready. The Recording Industry Association of America, which is always good at providing comic relief, worsened the situation by basically stating that rootkits are no big deal because every record company uses them. Meanwhile, the blogosphere went into overdrive.

Russinovich’s blog was flooded with comments, the issue spread to the computer security community in general, and eventually two state attorneys general picked up the baton and promised to investigate the matter.

Sony eventually relented and promised to recall the offending CDs. The rootkit, it said, had been introduced by programmers at an outsourcing firm engaged by the company and had been shipped without Sony’s knowledge. BoingBoing.net members rubbed salt into the wounds by identifying posts by programmers engaged by Sony that asked as far back as 2001 how to install software that users couldn’t detect. Ouch!

It looks like Sony BMG is going to come clean and offer replacement CDs to all victimized users. But the incident serves notice of how the blogosphere is affecting corporate policy-making. If blogs didn’t exist, this problem would never even have come on Sony’s radar. Or, at the very least, the company could have contained the objections with a minimum of hassle. But bloggers not only uncovered the story but pressed it relentlessly until the national media took notice and forced a corporate response. Sony BMG gets a black eye out of all of this by looking like it dragged its feet in addressing a known security problem. And bloggers get a gold star for identifying the bug and pressing it until a big corporation was forced to respond. Score one for new media influencers.
