Management and the Technology Professional – B302
Case study answer 1
Fundamentally, the rootkit installs undetectable license management software (XCP and MediaMax) that cannot be managed (viewed or deleted). This circumvents built-in operating system protection and aids attacks on computers, as well as raising ethical and moral concerns.
Firstly, the lead developer would have a duty to comply with their profession’s code of conduct, such as the British Computer Society’s. Another organisation, the Association for Computing Machinery (ACM), explicitly defines moral imperatives; ‘Be fair and trustworthy’, for example, would in Sony’s case be questionable, especially in terms of its relationship with the general public. Sony’s ethical policy (or code of conduct) should have prevented the software being commissioned, and First 4 Internet should not have accepted the request; this, however, would have happened long before it was presented to the lead developer and is thus beyond the scope of this exercise.
Secondly, the company should have had policies in place that determine ethical behaviour and moral guidelines for employees, such as a professional code of practice similar to the codes of conduct mentioned above. The lead developer should also have been aware of the vulnerabilities the rootkit would cause and, more seriously, how this may contravene section 3 of the Computer Misuse Act (CMA) 1990, which is based on social ethics and responsibilities.
On reflection, I feel that the most compelling argument for not developing the software would be the ethical argument, on the grounds of the vulnerability opened up, which could potentially lead to data loss, corruption or theft that would be wholly due to the rootkit.
Acknowledgement from Bitdefender supports this viewpoint: they detected at least one Trojan that specifically used the rootkit to attack a system, which is the basis for the conflict with the CMA [http://news.bitdefender.com/NW193-en--First-Trojan-Using-Sony-DRM-Detected.html].
Sony’s motivation for the rootkit was clear: the falling sales of CD media (specifically audio CDs in this case) and the rise of peer-to-peer sharing (e.g. torrents) of copyrighted music. The business objective was to try to safeguard the consumer audio CD market whilst protecting their earnings from it. What is concerning is the lengths they were prepared to go to in trying to achieve this, through arguably unethical and legally questionable means.
Ultimately, I believe it is the music industry, Sony and, to a lesser degree, First 4 Internet Ltd who will suffer. The general public (who may be aware of the DRM debate) will now be aware that Sony was shipping ‘hacker’ software that could ruin CD drives or even computers; this potentially means people will avoid Sony purely because of the association. In my opinion this fails Sony’s original objective by, in effect, encouraging people to try free unrestricted P2P alternatives as opposed to Sony’s (well publicised) restrictive and deceitful methods of copyright protection. On the other hand, the anti-DRM security camp could use this to aid their argument relating to infringement, while still being able to circumvent XCP, rendering the whole exercise useless for the music industry and, in this case, specifically Sony.