We're not fans of surveys at Techworld, but couldn't help noticing the findings of a poll of 1,500 customers of anti-virus company Sophos.
According to the poll, 98 percent of those polled considered Sony's digital rights management software (see controversy here if you've been on a Pacific island for the last week) a security threat. Only two percent thought it a legitimate way for the company to fight music pirates.
Hold that thought while you read Mark Russinovich's account of how he tracked down the offending spyware DRM, and how it first aroused his suspicions.
Even without the rootkit and dodgy DRM, there is a fundamental issue here, and that's the end user license agreement, or EULA.
In point of fact, the EULA used by Sony said only the following: "As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the SOFTWARE) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT."
Would Sony have been excused its actions had the EULA been more explicit, so that every person simply clicking "yes" gave it permission for what it was about to do? The answer is that at the very least Sony would have had a legal defence as long as the clauses of the agreement could not be shown to be in breach of U.S. law.
Almost no-one reads these EULAs, because it's seen as the price to be paid for having the software at all. In this instance, remember, the software is performing no service other than protecting the company's intellectual property.
Imagine a world where security-conscious individuals legally agree to have a piece of code installed on their PCs that they later overwhelmingly decide is a potential security threat. The unregulated world of EULAs is ripe for reform somewhere, and perhaps this will be the moment where the population wakes up to the potential for abuse.
How many of us would have had the time, know-how or energy to pursue what was happening on a PC in the way that Russinovich did? Whatever we feel about the need to protect intellectual property, by taking a few hours of his time he has done us all a service.