
Ethical Behaviour Case Study Group Assignment Sony BMG Rootkit Scandal

3SF3 Formulating Tech Strategy

Instructor: Prof. Mike Piczak

Submission date: Monday June 6, 2011

By: Leo Eikelman, Caitlin Cook, Daniel Wolski, Manoj Gulati, Mohit Sachdeva, Oleg Dzyundzyak

McMaster University

TO: Mike Piczak
FROM: Leo Eikelman, Caitlin Cook, Daniel Wolski, Manoj Sachdeva, Mohit Sachdeva, Oleg Dzyundzyak
CLASS: GENTECH 3SF3: Formulating Tech Strategy
DATE: June 2011

Ethical Behaviour Case Study Group Assignment Sony BMG Rootkit Scandal
PURPOSE

The purpose of this ethical report is to investigate, analyze and present conclusions for the questionable business practices during Sony BMG's rootkit scandal.

SCOPE

A central focus for the following report is to supply insight towards the business practices which transpired during the rootkit scandal. The report will revolve around ethical situations and provide a comparison of ethical practices for Sony BMG.

COMPANY OVERVIEW

Sony BMG

Products:
• CD production and distribution
• Musical artist contracts

Services:
• Global recorded music company
• Local artist contracts
• International artist contracts

Product Market Focus:
• Focuses on both independent artists and internationally known artists

Success:
• Large catalog of recordings for artists
• Premier record labels

ETHICAL STANDARDS

Value Pluralism

Ethical Theory: The notion that there are several values that may be correct yet conflict with each other.
• Perspective that one may differ from another due to culture and temperament differences
• Only people's opinions and perceptions are valid; there is no right and wrong

Example: One person may like tea with sugar but the other may not.

Relation: The Sony CD copy protection scandal is clearly surrounded by value pluralism. Copyright protection contains conflicting measures:
• Sony's opinion stated they were simply attempting to protect the entertainment industry from piracy
• Software package that was automatically installed without consent
• Method conflicted with privacy act and breached the Privacy Act as it compromised personal information
• Lawsuit was filed against Sony

Moral Absolutism

Ethical Theory: An ethical belief that certain actions are right/wrong regardless of the intentions behind the actions.
• Actions are in complete violation of the law and not determined by the

Suggests that right is right and wrong is wrong.

Example: Child labour. This is considered against the law but in underdeveloped countries can be the norm for survival in large families. Each member of the family needs to work in order to survive, regardless of age.

Relation: Sony took the standpoint that copyright protection is moral and there is no other alternate option.

Sony's Opinion: They were in the right to use any method necessary to protect itself and its revenue stream.
• Very aggressive copy protection method would continue until they incurred too much loss
• Unethical thought process of Sony during the implementation of this software for their CDs
• Other companies implemented similar methods, which does not indicate that it is ethical

Key Unethical Factor of Rootkit Scandal:
• Technology used by Sony contained security vulnerabilities and exploits which they were aware of

Utilitarianism

Ethical Theory: The theory that there is a direct correlation between the choices which would yield the greatest ethical benefit to the most people.
• Based on the ability to predict the consequences of an action

Two Utilitarianisms:
• Act utilitarianism - A person performs an act that benefits the most people, regardless of personal feelings or the law.
• Rule utilitarianism - Takes into account the law and fairness.

Example: A doctor is faced with a choice of saving five dying patients by sacrificing one healthy patient. He is justified, as sacrificing the healthy patient maximizes utility.

Relation: Sony violated this theory regardless of rule or act utilitarianism.

Disregarded the rule utilitarianism:
• Installed the rootkit without prior consent from the consumers
• Violated the Privacy Act and ignored the law towards a consumer

Disregarded the act utilitarianism:
• Installation of the rootkit only benefited Sony financially and not publicly

Sony was in violation of utilitarianism, making the copy protection, rootkit installation, unethical.

Virtue Theory

Ethical Theory: This theory judges a person by their character rather than by an action.
• Unethical behaviour analyzed by looking at the person's character, moral behaviour, reputation or motivation before deciding if the act was morally correct or incorrect
• Virtue places less emphasis on rules and instead emphasizes the need to create good character traits, self respect and sincerity

Example: A person who lies to another person. Virtue ethicists would consider the underlying reason behind that person telling the lie, and how it reflects that person's character and moral behaviour.

Relation: Virtue theory suggests that Sony's actions surrounding the rootkit scandal were ethical because they have a respectable reputation.

Sony's Ethical Actions:
• Well known for their customer service, reputation in the industry

Sony's Unethical Actions:
• Intention of software
• Comments made by Sony executives after implementation
• Regardless, copy protection and rootkit installation was unethical
• Customers were unaware of the end result after playing those CDs
• Personal information was compromised
• Installation of the rootkit created vulnerabilities in computer systems

SUCCESSFUL COMPANY ETHICAL SITUATIONS

The following section specifies and illustrates several companies who have successfully dealt with considerable ethical situations in the past.

Company/Industry: Johnson & Johnson
Ethical Situation: Year of Occurrence: 1982. Several people died after consuming pain-relief extra strength Tylenol capsules which had been poisoned with potassium cyanide [1]
Handling of Situation: Final Outcome
• Truthful towards the public and offered honest explanations [1]
• Issued a recall for all products [1]
• Established relations with all departments in investigation [1]

Company/Industry: Maple Leaf Foods
Ethical Situation: Year of Occurrence: 2008. Widespread outbreak of listeriosis in meat products caused some illness and loss of life of some customers [2]
Handling of Situation: Final Outcome
• Apologized to the public and offered sympathies [2]
• Intense sanitation occurred [2]
• Voluntary recall transpired [2]
• Money was refunded [2]

Company/Industry: McDonald's
Ethical Situation: Year of Occurrence: 2010. Notified that laboratory tests showed cadmium in the paint on promotional Shrek drinking glasses [3]
Handling of Situation: Final Outcome
• Reported a recall [3]
• Money was refunded [3]
• Customer safety and well-being very important [3]

QUESTIONABLE BUSINESS PRACTICES

The following section depicts a collection of questionable business practices that Sony BMG has been involved in during the course of their existence. Questionable business practices can be defined as any practice which violates the overall vision or values of a corporation. This practice could identify a negative aspect of the business directed towards customers of the corporation.

Questionable Business Practice:
• Shipped millions of CDs with Extended Copy Protection (XCP) and MediaMax CD-3 [4]
• Installed rootkit type software onto the users' computers without their knowledge and consent
• Opened hundreds of thousands of networks and computers to vulnerabilities and malicious attacks
• Obtained and stored private information from users without consent
• Poor Public Relations

Ethical Details:
• Exploit was not voluntarily publicly released by Sony BMG [5]
• Automatically installed software onto a user's computer when customers attempted to play a CD [5]
• Did not notify and publicly detail the software to the general consumer population [5]
• Code modified Windows Operating Systems so that users could not visibly detect the software [6]
• No consent from the user was necessary for the program to install [5]
• Lack of notice for hidden and integrated files [7]
• Program would continue to run without a user's knowledge or awareness [7]
• Rootkit is invisible to the user and embeds itself into system files [6]
• Copyright-protection software prevented users from playing music legally purchased for an iPod [7]
• Prevented a user from copying the CD more than twice onto a computer [7]
• Copy-protection software is invisible to antivirus software [7]
• Virus programmers and hackers can use rootkit as a backdoor to infect a system and the antivirus software would not detect it [7]
• Vulnerabilities used to conceal tracks of virus programmers when entering a system [6]
• Removal of the software caused a large vulnerability within user's system [5]
• Removal tool opened up new exploits that virus programmers used to develop new ones [5]
• Detection of malicious software on the Internet aimed at the vulnerability created by the rootkit was developed by hackers [5]
• Retrieved private information using the malicious code installed on the computers of users and sent the information to Sony BMG's Headquarters [5]
• Accessed and monitored the information obtained from a user's computer [5]
• Initially denied that the software acted as a rootkit and indicated to the public that the rootkit was not malicious and does not compromise security [6]
• Thomas Hesse informed viewers that "most people, I think, don't even know what a rootkit is, so why should they care about it?" [6]
• Attempted to overlook the situation by providing no formal apology to the public [5]
• Refused to admit that the rootkit contained features which were both illegal and violated regulations [5]

COMPANY PRACTICES AGAINST ETHICAL STANDARDS

Corporate Statement: Mission / Vision Statement
Assessment Against Corporate Actions:
• Sony's mission and vision statements insinuate unilateral focus on technology and content.
• Sole concentration on technology and protecting Sony's best interests, while ignoring the consequences of the rootkit implications for the consumer, could be one of the primary reasons why Sony's executive team approved the launch of the rootkit.

Corporate Initiative: Customer Viewpoint Initiative
Assessment Against Corporate Actions:
• Originated for the purposes of viewing products and services from the customer's perspective.
• The actions observed during and following the rootkit scandal directly contradict this initiative.
• The rootkit application was never disclosed during the installation process.
• Abstraction regarding Sony's Customer Viewpoint Initiative was amplified by Sony BMG's Global Digital Business President when he told reporters, "Most people, I think, don't even know what a rootkit is, so why should they care about it?" [8]
• From a customer perspective, if they had broad knowledge of the potential harm Sony's product may cause, they would reconsider installing their products on any system.

Corporate Initiative: Gemba Initiative
Assessment Against Corporate Actions:
• Gemba refers to the "place of business", originating from a Japanese term. [9] The corporate philosophy surrounding this term is that problems are visible by directly accessing real facts and data. By closely observing operations and being inquisitive, optimal solutions and improvements can be made to operational tasks.
• Ironically, Sony already knew the implications of rootkits and instead of avoiding the foreseen implications they injected problems into their operations.
• It is almost certain that Sony was tracking the data originating from the rootkit installations, but they were not adequately monitoring associated risks. A lack of monitoring was unmasked when Mark Russinovich, cofounder of Sysinternals, posted about vulnerabilities created by the installation of the rootkit application.

TIMELINE

Please view the Timeline in Appendix A: Timeline.

CONCLUSIONS

Several conclusions can be supplied for the ethical practices of the Sony BMG rootkit incident. In the aftermath of the incident, Sony provided very little explanation and general knowledge about the software installed by the CDs. Sony BMG was very dismissive towards the entire incident and initially denied the severity of the software exploit. An apology from Sony BMG intended for the general public would have been adequate in aiding to lighten the controversy and uproar during the incident. Sony's use of exploits restricting users from copying tracks from a CD was not ethical because Sony lacked disclosure of the entire procedure towards the public. Many legal rights of users were violated because the software tracked and stored the user's information on Sony's hardware. Overall, there was a lack of balance between the fair use and copy protection of illegal downloading and prevention of illegal copying.

WHAT SONY SHOULD HAVE DONE

There are several practices that Sony should have applied during this incident to prevent further repercussions from the community:
• Admit that they were involved in developing and implementing a rootkit type software in their products
• Immediately report a recall of each infected product
• Officially apologize to the public and offer compensation and forthcomings about the incident
• Offer detailed support, guidelines and aid for removing the integrated software
• Inform the customers of the hazards of the software lingering within their computers

LESSONS LEARNED

Several important lessons can be provided for the Sony BMG rootkit incident. Some of these lessons include the following:
1. In the present technological age, it is not simple to secretly conceal software and violate privacy rights without being almost immediately detected.
2. Explaining a negative situation poorly is often worse than the incident itself.
3. Concealing the true details of an incident from the public is often worse than the crime itself.
4. A well versed apology is often the most imperative aspect of defusing a situation and a step towards re-establishing relationships with all involved parties. Without a proper apology, the affected parties cannot observe the true company morals.
5. Always be familiar with the viewpoints of both parties. Respect the rights of both sides of a situation, in order to defuse an escalating situation.
6. Be truthful towards the public and offer honest explanations about the incident at hand. Do not omit any insights of an incident. Every little piece of information is significant in order to restore unity.
7. A corporation should always strive to gain respect and loyalty of customers. Oftentimes, respect aids in returning financial profits for the corporation.

REFERENCES

[1] "Chicago Tylenol murders". May 2011. <http://en.wikipedia.org/wiki/1982_Chicago_Tylenol_murders>
[2] "2008 Canadian listeriosis outbreak". 2008. <http://en.wikipedia.org/wiki/2008_Canadian_listeriosis_outbreak>
[3] CBC News. "Shrek glasses recall extends to Canada". June 4 2010. <http://www.cbc.ca/news/story/2010/06/04/mcdonalds-us-shrek-recall.html>
[4] Evers, Joris. "Sony halts production of rootkit CDs". Nov 11, 2005. <http://news.cnet.com/Sony-halts-productionof-rootkit-CDs/2100-1029_3-5946825.html>
[5] Schneier, Bruce. "Real Story of the Rogue Rootkit". Nov 17, 2005. <http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601?currentPage=1>
[6] Mitchell, Dan. "The Rootkit of All Evil". Nov 19, 2005. <http://www.nytimes.com/2005/11/19/business/media/19online.html>
[7] Pogue, David. "Sony's BMG's Copy-Protecting Watchdog". Nov 9, 2005. <http://www.nytimes.com/2005/11/09/technology/circuits/09POGUE-EMAIL.html?pagewanted=print>
[8] Wikipedia contributors. "Sony BMG copy protection rootkit scandal." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 18 May. 2011. Web. 29 May. 2011.
[9] Wikipedia contributors. "Gemba." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 5 Apr. 2011. Web. 29 May. 2011.


Appendix A: Timeline
