Sony made an unpopular product decision and got its reputation incinerated by waves of flaming bloggers. That's a lesson for other companies.

Thomas Claburn, Editor at Large, Enterprise Mobility

November 16, 2005

5 Min Read

Sony's decision to withdraw its controversial copy-protected CDs followed weeks of flames by bloggers.

Sony BMG Music Entertainment said Wednesday it will stop selling 50 CD titles with its XCP content protection software. Sony also said it will remove the discs from stores, and offer replacements without copy protection to customers.

Before Sony acted, the company suffered through weeks of angry posts by bloggers who stirred outrage against the company.

It started when security researcher Mark Russinovich first posted to his blog that Sony's music CDs surreptitiously installed digital rights management software based on a "rootkit"--a hacking tool widely considered to be spyware. Following that, bloggers of all stripes, from seasoned security experts to aggrieved consumers, vented about the record company's unethical and possibly illegal behavior.

"It seems crystal clear that but for the citizen journalists, Sony never would have done anything about this," says Fred von Lohmann, senior intellectual property attorney for the Electronic Frontier Foundation, a cyber liberties advocacy group that has been vocal in its condemnation of Sony and may eventually file a a lawsuit against Sony, in addition to three that have already been filed. "It's plain to me that it was Sony's intent to brush the story under the rug and forget about it."

Alan Scott, chief marketing office at business information service Factiva, said, "I think that we're in an entirely new world from a marketing perspective. The rules of the game have changed dramatically. The old way of doing things by ignoring issues, or with giving the canned PR spin response within the blogosphere, it just doesn't work."

Thomas Hesse, Sony BMG's Global Digital Business President, attempted to do just that by dismissing the online protests. "Most people, I think, don't even know what a rootkit is, so why should they care about it?" he said in a November 4 interview on National Public Radio's Morning Edition. He added, "The software is designed to protect our CDs from unauthorized copying and ripping."

Blog search site Technorati.com shows well over a hundred blog postings ridiculing this particular quote, each of which may have been linked to by other blogs.

Two days before the NPR interview, Sony attempted to mollify its critics by offering an update that "removes the cloaking technology component" of the XCP DRM software. The update notes claim, "This component is not malicious and does not compromise security."

That's simply not true--the rootkit component allows attackers to take control of target computers. Moreover, another component, the uninstaller Sony provided to remove the XCP software, did compromise security. And once again, it was the blog community that brought this fact to light.

In their Freedom-to-Tinker.com blog, computer researchers J. Alex Halderman and Edward Felten confirmed the findings of a Finnish computer expert that the uninstaller utilizes a poorly coded ActiveX control that allows any Web page a user visits to install and run any code its like on the user's machine. In a E-mail message, Graham Cluley, senior technology consultant at security company Sophos, condemned Sony's actions. "Business PC users have a very low opinion of any code that endangers the safety of their networks, and they have sent a loud and clear message to Sony and other companies that this kind of code is unacceptable," he wrote.

Indeed, judging by the online outcry, it's fair to say that PC users in general feel that way.

However, Cluley said that Sony XCP software isn't really comparable to a virus incident in terms of impact. "In many ways it can be argued that it's more similar to Microsoft security vulnerabilities which have later led to a worm infection," he explained via E-mail. "Sony's code wasn't intentionally malicious, but did open up a security hole on users' computers which could be exploited by malware. Rather than malware, I would term this as 'ineptware.'"

Finnish computer security company F-Secure Corporation contends the software is malware because it hides from the user and doesn't offer a way to uninstall itself.

But the company's intellectual property concerns have not disappeared. At a music industry conference in San Diego in August 2005, Recording Industry Association of America CEO Mitch Bainwol presented findings by market research firm NPD Group Inc. that suggested ripping songs--copying them to a computer from a CD--and sharing them has come to represent a revenue threat that's at least as significant as illegal peer-to-peer file trading.

In his presentation, Bainwol noted that the people in the music industry are seen as bad guys rather than the victims they perceive themselves to be. Yet winning the hearts and minds of the blogosphere, and by extension, consumers in general, will require more than marketing as usual.

"There's a whole new set of rules that people have to live by," Scott says. "Whether it's blogs or user groups or NGOs, it's all about honesty and authenticity. This is just the latest painful example of a major company finding that the old tools and the old actions don't work."

Scott's advice to companies is to look for text-mining software, which Factiva happens to make, to help follow what's being said online and then to participate in the conversation honestly. In an example of the sort of transparency called for under the "new rules," Scott admits his advice is self-serving. He says, nonetheless, he believes in what he's selling.

The same might be said for Sony BMG. The company no doubt believes in content protection technology. The trouble is few of its customers do. Either Sony's customers don't know what they're missing or the company is selling something no one wants.

As for participating in the conversation, Sony BMG has a ways to go. Repeated calls to the company's corporate press office for further comment met with the message, "Announcement not recorded. Try again later. Please disconnect."

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights