Management and the Technology Professional – B302
Case study answer 1
Imagining myself as the lead developer within First4Internet Ltd (F4I) of the rootkit software for Sony BMG Music Entertainment (Sony).
The most compelling reason why the rootkit software should not have been developed by the lead developer in First4Internet Ltd (F4I) for Sony BMG Entertainment (Sony) is that it had the potential to make the computer it was installed on insecure. The software was developed to have “root” control of the system it was installed on in order to prevent the unauthorised copying of music; this gave it access usually reserved for the computer administrator. It was also designed to be hidden on the hard drive of a computer to stop anyone from easily finding and removing it. With root control and a hidden presence on a computer system, its behaviour could be likened to that of spyware or viruses, which damage computers and steal data.
The business objective for Sony in using the rootkit software was to attempt to prevent the loss of potential profits from music sales through people obtaining illegal copies of its work. With the main problem identified as users copying music from bought music CDs and then sharing it over the internet, Sony decided that placing restrictions on how users could use its music would solve the problem.
I believe the Code of Ethics of the Association of Computing Machinery (ACM) applies to the lead developer and company directors at F4I even though they are a UK company and not an ACM member; these ethics are a universal standard that all computing professionals should strive to meet, with Code of Ethics 2.5, 2.6 and 3.1 being broken during the development of the rootkit software. Code 2.5 states “Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks”. If this ethic had been taken into account, they should have been concerned about the impact on users’ computers, as they would have carried out a comprehensive analysis. Code 2.6 states “Honour contracts, agreements, and assigned responsibilities”. This was not taken fully into account, as they did not honour their responsibilities to users, such as providing a simple way to uninstall the software. Code 3.1 states “Articulate social responsibilities of members of an organizational unit and encourage full acceptance of those responsibilities”. This was not fully taken into account, as they had a greater knowledge than users of potential unwanted consequences.
The Code of Conduct of the British Computer Society (BCS) could apply to the lead developer at F4I of the rootkit software, with Code 9 of BCS stating “You shall not misrepresent or withhold information on the performance of products, systems or services, or take advantage of the lack of relevant knowledge or inexperience of others”. The EULA shown when the user is asked to install the rootkit software does not inform the user in enough detail what the software is and will do, and also implies it is easily uninstalled, which is far from the truth.
I believe that under offence 3 of the UK Computer Misuse Act 1990 (c. 18) the directors of F4I could be charged due to how the rootkit software was designed to function and behaved on users’ computers without their full knowledge. The UK Data Protection Act 1998 could apply to Sony and the F4I directors if information was sent from users’ computers (“phoning home”) by the rootkit software without them knowing, as stated by Bruce Schneier in his blog post Sony’s DRM Rootkit: The Real Story.
I believe there were a number of consequences caused by Sony releasing the rootkit software developed by F4I into the public domain in its attempt to make the pirating of its music more difficult. Any computer system with the rootkit software installed had the potential to be vulnerable to attack by virus writers, due to the insecure design of the rootkit software. Attempts at removing the rootkit software from computer systems caused damage to the Windows operating system and corrupted the files controlling CD drives, meaning they were unusable. Bloggers such as David Eisner believe the drive to copy-protect music will push more people to download music illegally. These events and the breaking of Codes of Conduct and Ethics damaged the reputation of Sony and F4I, including the lead developer; for Sony this was a large problem, as they were a global brand, so people wanted to boycott all of their products. If there were to be any legal proceedings due to offences under UK law, then potential charges could be brought against Sony, the F4I directors and the lead developer.
In conclusion, I understand why Sony is attempting to protect its profits via copy-protection on its music CDs, but I believe it restricts consumers’ access to music and may alienate them. Developing anti-piracy software with companies such as F4I will be a never-ending saga as people find ways around the protection, with software embedding itself further into computer systems and causing more security and stability problems, and with the potential to break Codes of Conduct, Personal Ethics and even National Laws. I believe it would be more prudent not to use copy-protection but to put more effort into stopping people distributing illegal material over the internet.