Management right or wrong?

Talking about digital rights management (DRM) is a sure-fire way to start an argument among computer techies. So I'm won't talk about the rights and wrongs of DRM. Rather, a recent case of its implementation has raised some interesting issues.

Recently, Sysinternals and F-Secure reported on a DRM system used by Sony to protect music CDs (see www.sysinternals.com blog and www.f-secure.com/weblog). While protected CDs are nothing new, this particular case was interesting as the DRM software used the same sort of techniques used by "rootkits", tools often used by computer criminals to hide their tracks.

What's worse, the software came with no clear indication in its licence agreement about such unusual features, and without a simple uninstall process. Software components were hidden from normal Windows tools and tasks given misleading names like "Plug and play device manager". Ironically, the licence for the music itself is fairly permissive, allowing several backup copies.

Astute readers will notice that so far we've ticked all the boxes in the "Is it spyware" column, and Sony's DRM arguably meets the definitions put forward by the Anti-Spyware Coalition.

As usual, the Sysinternals examination of the internals of the code is worth reading. Particularly interesting is the open nature of the rootkit – it will hide anything prefixed with "$sys$". More worrying is that lack of an uninstaller, as attempts at manual removal could cause problems by disabling the CD drive.

F-Secure's analysis raises a more worrying prospect; if multiple vendors use different systems that operate along similar lines, what's to stop them interacting and causing system problems? The irony is that users legally purchasing music may end up with broken computers, whereas those downloading illegal versions will not (or, at least, not from the DRM).

Sony has reacted and released a hasty patch, but seems to have missed the point. Informed consent is required to install such software. Just saying "we'll install some software" is not enough.

You might think this is just a home user concern. Think again. How many usage policies forbid playing CDs on company PCs (and how many users follow them?) And don't forget, DRM is being applied to all sorts of media, such as online manuals and books. What happens today with CDs might happen tomorrow with media your business uses on a daily basis. DRM, like other software, must be reliable and interoperable.