I have been castigated by someone at blindmindseye for not taking the Sony DRM issue seriously enough. [Sorry, link not working... looks like the post might have been taken down? Will fix if possible] I am grateful; usually I have to pay extra for a good castigation.
The questions I intended to raise about the Sony DRM controversy were legal/policy, not technical. In particular, they were not intended to suggest that Sony's DRM was not malware. I am cheerfully content that it satisfies technical definitions of malware and that it does indeed create a vulnerability on consumers' computers. The question I intended to raise was how good our legal system is at addressing such a problem, as compared to the market (Sony's concern for its reputation, for losing business, etc.). Let me try again to point out some of the issues.
One question that comes up in considering possible legal responses is the question of intent. Now, as I understand the situation, Sony did not itself develop this particular bit of tech; rather, it was some little company in the UK. So here's one scenario that illustrates the problem I am getting at (I should stress that I have no inside knowledge of the process at Sony whatsoever, this is merely what seems like one plausible scenario to me):
After the debacle with the black pens, someone might well have been instructed to try again, and this time make a DRM that wasn't so easy to get rid of. Someone else thought he had a bright idea to take a page from the hacker tech manual. And so that product was delivered to Sony. It seems unlikely to me that there was a conversation along the lines of "you know that this is basically hacker tech that makes customers vulnerable to viruses and whatever, right?" Not impossible, but... implausible. So at this point it seems to me quite possible that this was a case of someone who "should have been" more aware of security issues with the stuff. And so the line that one might draw between a bug and a deliberate attack can be more blurred than one would want. How many bugs "should have been" caught?
My larger point is, it isn't the technical characteristics of something alone that determine its legal treatment (whether or not we should think of it as an "attack"), it is partly the intent of the actors.
Set aside the intent issue for a second and look at the tech. Is it really always clear what is a "pure" hacker tool and what is not? Isn't it likely that in the future programmers might well continue to experiment with "hacker tools" to see if they can use principles in those tools for a useful purpose? Isn't the argument that there is such a thing as a purely useless and bad tech usually made by advocates of tech bans? Are we saying that all software always has to be easily removable and detectable? By everyone? What about security software or content filters used by parents or schools or employers? Suppose experts could find and remove it but not beginners? Suppose a DRM system was hard to find or hard to remove, but didn't create a security vulnerability to outsiders? Or suppose it did, but was easy to find and remove? There are a million possible permutations of technology here--hard to imagine the legal system coming up with a top-down rule that makes sense for all of them, especially at this early stage of the game. Markets adapting after the fact are much more flexible.
I am cheerfully willing to concede that there is and ought to be such a thing as computer trespass. But in the case of a mistake that is being and can be fixed? On the basis of "should have known"? What then does one do about the Y2K bug, for instance? That necessarily or unnecessarily cost a lot of companies a lot of money... and arguably was another case of "should have known..." Companies make tradeoffs in design all the time, knowing and unknowing...
And we then come to the issue of the harm. My point was *not* a technical one--I again cheerfully agree that the rootkit did create a real vulnerability in users' computers. Just as if it had broken a lock on the front door, indeed (or maybe a side window, something less obvious). But if the lock is fixed and the vulnerability has never actually been exploited... surely the damages are different, that is, much less, than if it had been. Much, much less. And furthermore various parts of the legal system that have been set in motion in this case (class action suits, public prosecutions) rarely return anything of significance to actual consumers. Only to lawyers. The main impact on consumers is to raise prices or make a product less available.
Bottom line: No, I don't think the rootkit should be regulated, in the usual sense of the word, as broadcasters or telecom companies are regulated. But then I don't think my critic meant that either. I do think that under some circumstances legal remedies would be appropriate for software that does damage. But in the meantime the legal system (to which market forces do not really apply) is more out of control than any DRM (to which market forces do apply). It is not clear to me what work is left for the legal system to do in this case.