In January 2011, well-known computer hacker George “GeoHot” Hotz discovered and published the keys to the Sony PlayStation 3 game console. GeoHot had previously cracked the iPhone, allowing users to “jailbreak” their phone and run any software they want.
Crack Goes the PS3
Around the same time, another hacker group fail0verflow had also cracked the PS3 and released tools that enabled users to install the Linux operating system on the PS3. The capability to turn the PS3 into a regular Linux computer was a favorite among geeks and hackers. Sony originally provided this feature, but later angered the hacker community when it turned off the feature in 2010.
GeoHot took it to the next level and released the PS3’s “root key.” This key authorizes hackers to run essentially any software on the PS3. And a root key is nearly impossible to change without breaking all existing PS3 software. Hence, GeoHot permanently and publicly cracked the PS3 platform.
Needless to say, Sony was not amused. A few days later, Sony sued GeoHot, fail0verflow, and other John Does for violating the Digital Millennium Copyright Act, the federal Computer Fraud and Abuse Act, and Sony’s Terms of Service. Sony also sued for copyright infringement, computer fraud, and even digital trespassing.
But Sony didn’t just sue. The company also demanded the defendants shut down their websites and turn over their computer equipment and storage drives to Sony’s lawyers. A federal magistrate granted Sony access to the IP address of every visitor to the defendants’ websites and even their YouTube videos. Sony was trying its best to scrub the PS3 crack off the Web and intimidate every person who had ever viewed it.
But as any Hollywood star who has ever made a sex tape knows, the Internet is forever. Mirror sites immediately popped up with the crack. Even Sony itself accidentally perpetuated the PS3 crack in a tweet. How does one sue oneself?
Control vs. Innovation
The arguments on both sides are easy to understand. Sony grants its customers a license to use its hardware and software under its restrictive terms. If you don’t agree to the terms, don’t buy the PS3. On the other hand, customers shell out hundreds of dollars to purchase Sony equipment and believe they should be able to do whatever they want to the equipment in exchange for their hard-earned money.
In this stalemate, both sides are correct. Licensing is a common legal practice in the computer industry. But computer companies should be more open with their products. Instead of restricting users, companies like Sony should encourage customers to use and extend their systems in exciting and innovative new ways. It’s generally bad business to sue your customers.
Sony surprised everyone on March 31 by dropping its lawsuit and settling out of court. In the agreement, GeoHot agreed to stop publishing the PS3 crack and never produce another jailbreaking tool. GeoHot is also shielded from any claims of wrongdoing.
“Sony is glad to put this litigation behind us,” said Riley Russell, General Counsel for SCEA. “Our motivation for bringing this litigation was to protect our intellectual property and our consumers. We believe this settlement and the permanent injunction achieve this goal.”
GeoHot responded in the official Sony statement, “It was never my intention to cause any users trouble or to make piracy easier. I’m happy to have the litigation behind me.” But GeoHot remained defiant with this parting shot on his GeoHot Got Sued blog: “As of 4/11/11, I am joining the SONY boycott. I will never purchase another SONY product. I encourage you to do the same.”
Hackers Strike Back
On April 19, Sony discovered unusual activity on its PlayStation network. A full week later, Sony notified its customers that hackers stole credit card data, email addresses and other personal information from 77 million user accounts. Then on May 2, Sony revealed that personal data from an additional 24 million online gaming accounts had also been stolen.
A Sony executive said the data breach resulted from a “very carefully planned, very professional, highly sophisticated criminal cyber-attack designed to steal personal and credit card information for illegal purposes.” Sony claims it knows who is responsible for the attack and is working with the FBI and outside security consultants.
The data breaches followed a series of distributed denial-of-service (DDoS) attacks by the “Anonymous” group of international hackers in retaliation for Sony’s lawsuit against GeoHot. Sony said it didn’t detect the PlayStation breach because its security teams were busy trying to defend against the DDoS attacks.
Users and security analysts criticized Sony for waiting so long to notify everyone of the data breaches. Sony defended itself, saying it purposely waited until it had “a solid understanding and confirmation of the extent of the attack and its implications.”
As with most wars, the true victims are the collateral damage, in this case, the 100 million users whose personal information was compromised and must now closely monitor their finances for identity theft.
Did Sony Deserve the Cyber-Attack?
Yes, Sony is shortsighted by pulling the Linux feature and restricting its users’ innovations. But Sony has the full legal right to do so. If you don’t like it, don’t buy it.
Yes, Sony was a bully for suing its users. But Sony has the right to protect its intellectual property in a very competitive industry. Besides, Sony felt its point was made and eventually pulled the lawsuit. And the defendants escaped relatively scot-free. So…
No, Sony did not deserve the cyber-attack. And Sony’s 100 million users certainly didn’t deserve having their personal information compromised. Hopefully lessons were learned on both sides.
Article published on May 21, 2011
|If you like this article, please share it:|