Looking at Sony

That is, Sony the corporation, not Sony the Supreme Court decision about fair use. Although there is a lawsuit in the works ...

Are many of you keeping up with the Sony CD/rootkit/bad juju story? If not, the short version is that Sony BMG added a bit of software to some of their CDs released in the U.S. that prevented unlimited copying/ripping. One of the features of the software is that it hid/cloaked itself deep inside the OS of the computer once installed without permission from the user -- sorta like how spyware, worms and malware work. Worse, the Sony rootkit (actually made by a UK firm, First 4 Internet) theoretically can be used by viruses and other malware. Worse yet, the uninstaller/patch opens up a bigger hole for malware to exploit.

Does that seem like all sorts of bad? I think so. If you want to geek out on more details, you can check out the guy who discovered the rootkit in the first place and various commentary by Prof. Ed Felten on Sony DRM (turns out there are two separate programs/protocols, both of which he takes to task and one of which affects Macs, too -- dangit).

Why am I bringing this up on a library blog? Well:

Sony BMG estimated [earlier this month] that about five million discs - some 49 different titles - had been shipped with the problematic software, and about two million had been sold.

There's already a recall and at least two lawsuits over this (one filed by EFF), but I think there are a couple of questions acquisitions and systems librarians should be asking themselves right now:

  • Are there Sony copy-protected CDs already in our system?
  • If so, have any of those CDs been played on library computers running Windows (and not just the public ones -- do the tech services staff "test-drive" CDs in the course of processing or cataloging them)?

If the answer to the first one is "Yes," then now may be the time to act. Optimally, your users should not be the ones warning you of this, but if they do, just go with it. Whether you want to be oblique about it or transparent, you really should yank the CDs from circulation. I'm not a lawyer and thusly have no clue about the potential for third-party liability if a patron's home computer is significantly damaged by the rootkit and/or the uninstaller from a disk they may have checked out from the library ... but once you know of the risk, you might as well do the reasonably prudent thing, right? Besides, you need to return the disks and get refunds/replacements.

As for the potential vulnerability of computers in the library -- The Depraved Librarian (what a great name) points to an article in eWeek where an Internet security expert estimates that half a million machines may have this rootkit. Or if you want a more dramatic-looking font:

500,000 computers

Could library computers be in that number? Is this something to think about? I'm not a tech librarian, so if I'm off-base, let me know.


Thanks for the link (I confess, I was ego-surfing).
Here's one library that won't be buying Sony CDs for a while: