Wow, its been some weekend!
I've read through Halderman's report and I'm not so despondent as some here are. The best case scenario is that he is wrong on all three points he makes and if he is wrong, lets just prove him wrong.
The worst case scenario is that he is right on all 3 points and I suspect that is the case, to a degree. But assuming he is right, what do we do.
From what I can tell, when it comes to what SunnComm needs to do to copy protect CDs and to deliver the extras, these 3 issues are not fundamental to the software.
1. MediaMax installs without meaningful consent or notification
This is suggesting that MediaMax doesn't correctly inform you of what is going to be installed, including how long it is going to be there for, and also installs even if the EULA is not accepted.
Solution. Fix it. Be clearer in the EULA of what is going to happen (They will eventually find out through the likes of Halderman what is happening anyway, so why try to hide our intent). Remove all software if the EULU isn't accepted.
2. MediaMax discs include either no uninstaller or an uninstaller that fails to remove major components of the software
Solution. Fix it. There is no reason why we cannot include an uninstaller to remove MediaMax if ever the user wants to remove it. If we need MediaMax to be on the PC to control the tracks already downloaded, then we let the user know that by running the uninstaller, all tracks downloaded will have to be deleted too. That is entirely within the rights of the label.
3. MediaMax transmits information about you to SunnComm without notification or consent
If we need to transmit some information, perhaps CD identifier, to obtain the license to download or whatever, then be forthright about it. State that "a, b and c is being uploaded to SunnComm or the label for the following reason" Being open, the user can chose whether to go ahead or not.
Doing the above would make Halderman's complaints obsolete or at least mitigate them if the user is clearly informed beforehand about what will happen and still choses to go ahead. These changes are all in the periphery of the product and would be minor in nature.
That IMO is the worst case scenario and is not difficult to fix.
We should act courteously to Halderman, thank him for highlighting issues that escaped our radar and let the world know we are going to rectify those small issues (re-iterating how we always strive to make the user experience more enjoyable). Try and turn it into a positive.
What not to do is make a personal attack on Halderman. Suggesting that he is "connected" to Macrovision and doing all this at their behest because someone in Macrovision once graduated from Princeton is too dumb to contemplate and will make us look just that, dumb.
The other thing we should do as I suggested last week and it seems it is now underway, is apply for Spyware Free Certification.
This will blow over quickly if we handle it right. Getting our backs up and calling everyone liars is not the way to go. If the issues are genuine, thank him for highlighing them, fix them and move on.
BMG's Hesse did a great disservice last week when he downplayed rootkits. He is the one now with egg on his face.
AI
