How could have the Sony Rootkit been prevented?

Aaron and Deirdre are featured in an article by Anne Broache and Declan McCullagh about their arguing for an exemption from the DMCA anti-circumvention provisions ("Seeking changes to the DMCA"). They want an exemption granted "for sound recordings and audiovisual works distributed in compact disc format and protected by technological measures that impede access to lawfully purchased works by creating or exploiting security vulnerabilities that compromise the security of personal computers."

In the past, security researchers would notify the vendors first of any bugs, but now they're afraid to disclose such flaws without first consulting a lawyer, Felten said. He added that the DMCA has discouraged security researchers from embarking on new projects and has driven some away from the field. (Felten once was threatened with a DMCA lawsuit by the recording industry for exposing weaknesses in a music-watermarking scheme.)

After a public outcry last fall, Sony voluntarily said it would halt production of certain copy-protected CDs. Those CDs installed a bundle of software, including a "rootkit" used to mask the presence of copy-protection software--and, if abused, malicious programs as well. The incident prompted one Homeland Security official to suggest banning rootkits.

Aaron Perzanowski, a law student at the University of California at Berkeley's Samuelson Law, Technology and Public Policy Clinic, and clinic director Deirdre Mulligan, said that Felten could have been subject to legal liability if he had disclosed his findings about the Sony rootkits. After he found the flaw, Felten said he called lawyers and spent a month in negotiations with them, and decided not to publish his results right away. Programmer Mark Russinovich did instead.