Sony Got Hacked Big (But It Hacked You Bigger)

Janus Rose
New York, US

So we’ve been here before. When you hand over your personal info to a large company in exchange for a service, we’ve all come to the agreement that you are assuming a certain degree of risk, right?

But when that company happens to have a history of doing things like illegally installing DRM rootkits, gathering the personal information of children, not revealing data breaches, and other such sins, we can’t help but wonder whether the more important thing being hacked is our data, or the common sense of the people who control it.

The company I’m referring to is, of course, Sony, who on Tuesday revealed that the mysterious ongoing outage of their online gaming service, PlayStation Network, was in fact due to a high-level security breach that has compromised the personal data of approximately 75 million subscribers. The company admitted that information including names, home addresses, purchasing history, email addresses, and possibly even credit card information, was all at risk. Whoops.

What really got people steamed, however, was the fact that Sony waited nearly a week to reveal the details of the intrusion and brief subscribers on the potential risks to their financial well-being. Some customers even claim that when contacting their banks to change their credit or debit card info, they were told that Sony had informed the banks of the security risk before informing the customers themselves. We’re talking potential identity theft on a massive scale here, and the frustratingly opaque nature of Sony’s internal investigation was enough to draw the ire of Connecticut senator Richard Blumenthal, who wrote to SCEA President Jack Tretton on Tuesday demanding answers.

But this breach isn’t a big deal solely because of Sony’s security botch-job and their subsequent failure to provide transparency: It’s part of a larger, far more troubling trend that suggests that the folks who get our money just don’t seem to “get it” when it comes to common sense basics of consumer rights and privacy. And while I hate to pick on the most popular target of the moment, when it comes to companies who are completely out to lunch on these issues, Sony in particular has proven again and again to be, well, utterly clueless.

Rootkit-Gate

In 2005, it was discovered that Sony’s music branch, Sony BMG, was loading its music CDs with DRM malware that would automatically and surreptitiously install itself, via rootkits, on customers’ computers when a disc was placed into a CD-ROM drive. This was of course done as part of a misguided effort to — wait for it — prevent unauthorized duplication of copyrighted material, and when the jig was up, all of the affected products were recalled after a series of lawsuits. To add irony to injury, it was later discovered that Sony had been using protected code in the construction of these rootkits, therefore violating the GNU General Public License. No honor among thieves, I suppose.

What’s troubling about this is that Sony didn’t even think to consider they might be found out, or that people would care. Did they honestly think they could get away with installing malware on people’s computers? Taking even a brief moment to mull over the implications, especially in light of the debates concerning privacy in relation to Facebook that were going on at the time, would have revealed this plan for what it was: a really, really shitty idea.

Spy Kids

What’s the number one rule of customer satisfaction? We all know the “customer is always right” mantra, but here’s a better one: Don’t gather personal information on your customers’ kids. In 2008, that’s exactly what Sony did, and they were promptly sued by the U.S. government for accepting personal data from children under 13, in clear violation of the Children’s Online Privacy Protection Act. It was another slip-up that could have been avoided with a little bit of common sense and a pinch of oversight.

See what I’m getting at here?

The GeoHot Chronicles

This was Sony’s most recent PR scar, and sits in chilling proximity to the current PSN SNAFU that has everyone in a tizzy. Sony, acting again under the pretext of copyright protection, persuades the U.S. government to launch a criminal investigation of PlayStation 3 home-brewer George “GeoHot” Hotz, who posted security keys that allow the console to be used as a development platform. Again, the slip-up comes in the way the situation is handled: Hotz is labeled a criminal, and anyone who has accessed his site, donated to his PayPal, or viewed his channel on YouTube has their identifying records subpoenaed by the government at Sony’s request. It ends in a Whack-a-Mole-style stalemate with Hotz subject to an injunction that prevents him, but not necessarily others, from distributing information that enables customers to modify the console to their liking.

We know the rest of the story: Sony accomplishes nothing and looks clueless in an attempt to scare their own customers away from doing what they want with the product they’ve bought. All the while, plenty of people are getting pretty upset over the company’s consumer-unfriendly arrogance.

The Facebook Effect

Everything above might seem like a malicious attack against one company, but Sony is no innovator in ignorance, and I posit them simply as a really good example of what’s wrong with how corporations view privacy. We can’t forget Facebook, whose complete lack of transparency with regards to upgrades has us constantly fumbling with settings to make sure our data isn’t going where we don’t want it. Google, too, has had its fair share of embarrassments, the most prominent being Buzz, which made public the email addresses of millions of users without their knowledge or consent, and was fairly difficult to disable.

Apple hasn’t been doing too hot on the privacy front either — considering all the strict guidelines they impose for their locked-down iOS platform under the guise of “security,” it’s disturbing to see the company waiting until they’re called out to declare the long-term storage of location data as a “bug” they plan on fixing.

And yet, after all this, do companies still really not get the idea of privacy? For all the effort they spend locking down their own “property,” they sure don’t seem to spend much time working to protect what’s most important — their customers. If there’s a bright side to tens of millions of hacked PSN accounts, it’s that there stands the possibility that it will initiate some kind of big corporate wake-up call. Trust is a two-way street, and if there’s any hope for the future security of our digital selves, it relies heavily on the fact that those in charge will un-hack their own perceptions and realize the profound nature of their obligation to respect and protect the people who actually buy and use their technology, and make them the corporate giants they are.
