J. Alex Halderman has an interesting post today on Ed Felten’s blog about some new music CD DRM (digital rights management) that actually makes your computer less secure. In essence, it installs software on your computer which replaces the music on the CD with static when someone attempts to ‘rip’ the CD. But it hides the existence of that software, even from the administrator. Even worse, the same hiding mechanism will conceal any other software whose file name starts with a particular set of symbols. So it creates a hole that viruses and other nasty things can hide in.

There are plenty of provisions in Australian criminal law that ban unauthorised access to or modification of data on a computer, particularly where the person doing the modification is reckless as to whether the modification will impair the ‘reliability, security or operation’ of data on the computer. However, all those offences have a requirement that the modification be unauthorised. This DRM installs itself when you put a copy-protected CD in your computer. If there is something in the fine print which says that the computer user gives permission for copy protection software to be installed on their computer, is that ‘authorisation’?

Update: Bleeding Edge has more commentary on this issue. If you’re technically minded, go to the original discussion here.

Update 3 November: CNet has a fairly detailed story that suggests, among other things, that:
1. The risk to the computer is largely theoretical, and
2. The technology used by the company involved has moved on (i.e., this technology was only used on some CDs).

But see Ed Felten’s response here, rebutting some claims in the story.

Obviously, I’m not expert enough to know who is right on the technology here. But I think the legal issues raised in the comments both on this blog, and on Weatherall’s Law are real: just how detailed – and prominent – must ‘authorisation’ in a EULA be, in order to allow a company to install hidden software on your computer, particularly software that might in some circumstances make the computer less secure? If the software did lead to some security breach, could Sony (or First4Internet, developers of the technology) be liable?

Ed Felten has some commentary on the EULA itself, for those interested in following this up.

And here’s another thought. The current LACA inquiry is all about what protection TPMs should get. All these legal questions raise the opposite question – what protection should we get from TPMs? This issue is explored in Kerr et al.’s paper on TPMs, which I recommend.

Update 4 November: via Copyfight – the debate is still going over at Felten’s blog.