On November 4 Thomas Hesse, president of global digital business for Sony BMG Music Entertainment, appeared on Morning Edition to discuss the commotion over its latest digital rights management scheme. Earlier this year Sony started releasing CDs with software called Extended Copy Protection, or XCP, which was designed to limit users’ ability to make copies. But bloggers were reporting that XCP installed a potentially malign piece of code called a rootkit on Windows-based computers. Hesse insisted there was nothing to worry about. “Most people, I think, don’t even know what a rootkit is,” Hesse said. “So why should they care about it?”
His question was disingenuous, given the nastiness of the software in question and the nastier “solution” Sony offered as a fix. The mess started on Halloween, when software engineer Mark Russinovich posted on his blog (sysinternals.com/blog) that he’d found a rootkit on his computer. Rootkits hide files from security programs, and they tend to be used by hackers to disguise malware–malicious software that can spy on or damage computers. The rootkit on Russinovich’s computer came by way of XCP, a program made by a British company called First 4 Internet and installed on his machine by a Sony CD, Van Zant’s Get Right With the Man.
XCP was designed to prevent users from making more than three copies of a CD, but the rootkit, Russinovich noted, left his computer vulnerable to attack. And there was no easy way to uninstall XCP–he wound up disabling his PC’s CD-ROM drive after his first attempt. His post detailing what he’d learned was promptly linked all over the Web, and on November 2 Sony responded by offering a “service pack” to users who’d purchased any of 52 CDs that included XCP–notably the Bad Plus’s Suspicious Activity?, the Coral’s The Invisible Invasion, and Neil Diamond’s 12 Songs. The first problem was that the service pack didn’t uninstall XCP–it removed the code that hid the rootkit but not the rootkit itself. The second problem was that the service pack made the problem worse: Princeton computer science professor Ed Felten and one of his students, J. Alex Halderman, discovered that it created a security hole that could allow a Web page to automatically seize control of a user’s computer.
The biggest problem with XCP, though, is that it showed how willing Sony was to actively attack its customers in the name of self-defense. To listen to a CD with XCP in your Windows machine, you have to agree to Sony’s end-user license agreement. Among its conditions: if anything bad happens because of the software included on the CD, well, tough. In fact, the agreement says that Sony isn’t liable for more than five dollars no matter what. So if you end up having your computer hijacked by a spammer or your hard drive abruptly erases itself when you surf to the wrong site, that’s your problem. You wanted to listen to Neil Diamond, and you probably wanted to burn 50 copies of his new album for other people. Thief.
(Given how gung ho Sony and First 4 Internet are about intellectual property copyright protection, what Finnish programmer Matti Nikki discovered about XCP in the midst of all this was rather ironic. The software appears to include pieces of code lifted without attribution from LAME, an open-source audio encoder; other programmers have joined in the dog pile, finding more of what they claim is borrowed code.)
By November 10 hackers had launched a Trojan horse called Troj/Stinx-E that exploits XCP, and the next day Sony announced that it would stop manufacturing and shipping XCP-enabled CDs; by the end of the month it had announced a recall and exchange program. Too late: reportedly more than two million CDs with XCP on them have been sold. Texas Attorney General Greg Abbott is invoking the state’s antispyware laws to sue Sony, seeking $100,000 for each XCP-loaded CD used in the state. The Electronic Frontier Foundation, a digital-rights advocacy group, filed a class-action suit against Sony on November 22; U.S. representative from California Zoe Lofgren told ZDNet that Sony’s installing software on users’ computers without their knowledge would be criminal under the federal antispyware legislation she’s coauthored.
On its FAQ page about XCP, Sony BMG claims “the software was intended simply to prevent copying beyond the level appropriate for personal use.” Never mind the gall of their deciding what’s an appropriate level of personal use–the statement’s false. As Russinovich has noted, every time you play a CD with XCP on your Windows computer, it launches a program called Music Player that’s capable of sending Sony a message identifying the CD you’re listening to and the IP address of your computer. Why would Sony want to know that? Who knows? The bigger issue is that Sony assumes it has the right to that information whether you want the company to have it or not. (The end-user license agreement says the software gathers no personal data.)
But the story doesn’t end there: Sony also uses another form of digital rights management software, MediaMax, which according to the EFF’s suit is included on 20 million Sony CDs (five million CDs with XCP were released). MediaMax doesn’t install a rootkit, but much like XCP it contacts a Web server with your computer’s information every time you play a CD encoded with it, and an early version of its uninstaller seemed to open a security hole.
The punch line to all this is that XCP, MediaMax, and every other piece of DRM software currently gunking up CDs and computers don’t actually work. They’re supposed to stop duplication and file sharing, but anyone who buys a Sony CD and intends to mass-produce copies of it isn’t going to rely on a Windows computer to duplicate it. That person will simply go where DRM isn’t: XCP, for example, doesn’t work on Macs or Linux-based machines. It takes almost no time or effort to circumvent copy protection and generate easily swapped MP3s, and a single seed copy is all it takes to propagate a recording around the Web; every track on every XCP-protected disc can be found easily on file-sharing networks. In fact, if there’s one thing listeners have learned from the revelations of the past month, it’s that illegal downloading can be safer for their computers than buying either contaminated CDs or Sony’s bogus defenses.