We sat on our Sony BMG CD spyware results for almost a full month. In the meantime, another researcher, Mark Russinovich, went public with a detailed technical report on one of the two CD spyware systems. When nobody sued him, we decided to go public.
In the weeks that followed, things happened quickly. Sony BMG recognized that it had overstepped; it distributed an uninstaller for the spyware; we discovered that the uninstaller opened further security holes in users’ computers; the record company recalled the affected CDs; and we determined that the CDs were reporting users’ listening habits back to the record company. Class action suits were filed. The Federal Trade Commission investigated, and the company eventually settled the FTC charges, agreeing to reimburse affected consumers up to $150 for damage to their computers.
We had managed to publish our results, but we were troubled by the incident. Our decision to withhold the news of the rootkit from the public seemed necessary, even in hindsight, but it was contrary to our mission as researchers. It was the last research Alex and I did on copy-protected CDs. Although I have a higher tolerance for lawyers than many of our research colleagues do, I still prefer the laboratory and the classroom to the courtroom. My peers seem to feel similarly—the volume of peer-reviewed research on copy protection technologies fell off about this time and has not recovered.
The good news is that this problem is easily fixed. Congress could amend the DMCA to create a robust safe harbor for legitimate research—not limited to encryption, not tied down with detailed requirements and limitations. There is a growing groundswell to address the DMCA’s ban on unlocking cellphones and its roadblocks to access for the disabled. Bills have been introduced in Congress to legalize cellphone unlocking. While we’re tinkering with the statute, let’s create a safe harbor for the researchers who can be our early warning system against unpleasant surprises in the next generation of technologies.
These days almost everything we do in life is mediated by technology. Too often the systems we rely on are black boxes that we aren’t allowed to adjust, repair, or—too often—even to understand. A new generation of students wants to open them up, see how they work, and improve them. These students are the key to our future productivity—not to mention the security of our devices today. What we need is for the law to get out of their way.
This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture.