[Update: It just gets worse and worse for Sony/F4I - now they've found GPL (not LGPL) code in the rootkit]

Credit where credit is due, this post’s title was taken from a comment made by Stewart Baker, recently appointed by President Bush as the Department of Homeland Security’s assistant secretary for policy. (I’m not sure about his insinuations that this might make a bird flu pandemic worse but that’s another discussion).

This statement sums up many people's sentiments on this whole issue. If buying bread and sticking it in your toaster caused every door and window in your house to fall off their hinges you'd be a bit annoyed. You might even think "Hmmm, I don't like bread that much".

Unfortunately, many software users will realise that in many cases the shrink-wrap software licenses (or EULAs) that they casually accept when installing downloaded software give that software the right to do whatever it wants on the user's system. This can include removing files, killing processes, changing file-type associations (effectively disabling competitors' products), phoning home with personal and usage information (hint: RealPlayer), etc. I know people are vaguely aware of these actions, but I have the feeling this whole Sony XCP story will raise general awareness of just how draconian most EULAs are.

Sony got caught fair and square and they are paying the price now. However, it does concern me that some are looking at what is happening to Sony right now and seeing opportunities. Brand sabotage, fuelled by the blogosphere, could easily be inflicted on a competing brand by paying someone to do some digging and then releasing the results in some vague, threatening (but still non-defamatory) language.

With the exposed misbehaviour of an industry giant we can all expect more false alarms and scare stories (and the occasional truth) over the coming weeks and months. Just don't assume all of these alerts will be started by a lone tech blogger who notices some new registry entries on their machine.

I'm afraid the days of casually downloading and installing applications from unknown vendors are drawing to a close. Meanwhile, I'll be consulting tools like EULAlyzer a little more often. The growth of web-based applications (or Web 2.0 in hype-speak) is perhaps timely in this regard, but the browsers and plugins (Flash etc.) will have to make sure they are bullet-proof, or they'll suffer the same backlash if they are ever caught in a similar situation.