With the notable exception of the issues that surfaced this weekend about Sony BMG’s lack of a plan to address their international customers’ issues, it seems like most of the primary news about the rootkit fiasco has broken. I thought this might be a good time to take a look at how the story broke and became mainstream news, for a few reasons. First, from a theoretical standpoint we are still in the process of developing an understanding of the relationship between blogs and the media, and are rather shy on good case studies–and as I believe I mentioned once before, the Sony BMG story makes a heck of a good case study.
Second, one of the reasons I started this blog was to actually make a difference. I was reading commentary on Slashdot about the original Sysinternals blog post, and many commentators were griping about how evil Sony was and how something should be done. I thought to myself, Well, yes, something should be done. So why don’t we put our money where our mouths are and do something? In other words, I thought of this blog as a way to raise awareness of the nasty business practices of Sony BMG, and as a result I have a keen interest in how the story spread from the tech blogosphere to the mainstream media.
So what happened? A few notes, starting with a selective timeline that focuses on media coverage and major themes:
- On October 31, the story first breaks on the Sysinternals blog. The same day at 6 pm, Slashdot picks up the story.
- November 1: I make my first post on the topic. The first report of the issue in a non-blog format, as far as I can tell, is filed on CNet’s News.com. The same day, the Washington Post’s tech blog covers the story.
- November 2: UK computer site PC Pro started covering the possibility of exploits of the XCP rootkit. Wired picks up the story online in a rant.
- November 3: IT webmag The Inquirer produces a summary commentary of the case to date.
- November 4: NPR picks up the story, the first mainstream news organization to do so.
- November 7: IDG’s Swedish web site is covering the story. PCWorld reports about an incipient Italian lawsuit.
- November 10: Viruslist.com writes about the first live exploit of the XCP rootkit. The story hits Reuters. This is the first occurrence of the story, as far as I can tell, to hit a print news service, unless the Post included any of their blog posts in a paper edition.
- November 11: The BBC picks up the story. The Washington Post (broken link) reports in its print edition that Sony is temporarily halting production of audio discs with XCP.
- November 13: Microsoft announces through a product team blog that it will start removing the rootkit portion of XCP with its antispyware tool.
- November 14: Various print outlets catch up with the story, including the New York Times, USA Today, and my hometown newspaper, which is owned by the Tribune Company. Also reported that Sony BMG will be recalling the infected discs.
- November 21: Texas and the EFF sue Sony; I go on a Canadian talk radio show.
That’s a lot–but it’s a lot of events. A few things to note: first, the usual suspects — Slashdot, News.com, Wired, various trade publications, etc.–were on the story from the beginning. The NPR spot was the first mainstream article on the brouhaha, and picked up on the rootkit angle. After that, it took a full six days–and the announcement that trojans were spreading that exploited the rootkit and that several states were filing lawsuits–for the story to make any more traction in the mainstream press. The following day, Sony BMG began to retrench its position, announcing a halt to production of XCP-protected discs. Still, it took three more days after that for the story to hit critical mass with the mainstream print media.
So here’s the point: the story only made the mainstream after the threat to the customer, or the threat to the company, is clear and present. If you are a technologist who wants to shift public opinion regarding some technology development, writing about it is an important first step. But without smoking guns like actual exploits that target rootkitted systems, it’s hard to get the story heard.
For proof of that, one has only to look at the Broadcast Flag and Analog Hole initiatives that keep popping up. Both arguably represent greater threats to customers than this rootkit case; both seek to redesign hardware, either the PC or mass market electronics, to restrict the rights of customers. But both lack a compelling smoking gun to show the harm that implementation of the restrictions would do to customers.
Another point, and one that some readers may not want to hear: the legal system and the class action lawsuit were clear contributors to the eventual decision that Sony took to withdraw XCP from the market. In fact, class action lawsuits may be the most important arrow in the quiver when faced with a company that just doesn’t want to listen to the market.
Last point: while blogging about the story is important, sometimes the type of blog makes a difference. I got very few hits on the first two posts I wrote about this back on my own blog. But the same storyline on a dedicated, single subject blog with a catchy URL and title got huge traction. While the media struggles to deal with the all embracing scope of most blogs, perhaps meeting them halfway with special blogs with a singular focus and (possibly) limited scope is the right way to get the message across.