Sony copy protection software raises security, privacy concerns

The sneaky software is designed to stop CDs from being copied

Mark Russinovich couldn't understand how the rootkit had sneaked onto his system. An expert on the internals of the Windows operating system, he is careful when it comes to computer security and generally has a good idea of what is running on his PC at any given time.

And yet the security tool he uses to check his PC was pretty clear: It had found the "rootkit" cloaking software typically used by virus and spyware writers.

After a bit of detective work, Russinovich eventually tracked down the source: a Sony BMG Music Entertainment CD titled Get Right with the Man, performed by country music duo Donnie and Johnny Van Zant.

It turns out that Sony is using techniques normally seen only in spyware and computer viruses to restrict the unauthorized copying of some of its music CDs. Sony's software, licensed from a Banbury, England-based company called First 4 Internet Ltd., has become the basis of a dispute that pits computer advocates against an entertainment company experimenting with new ways to prevent unauthorized copying of its products.

After news about the anticopying software emerged, Sony last week issued a patch that removes the controversial cloaking technology used to hide it. But that patch has been blamed for crashing some PCs that run Windows (see "Sony XCP patch might crash Windows").

Sony has been using First 4's Extended Copy Protection (XCP) software since early 2005 as a copy protection mechanism, according to Sony spokesman John McKay. Added so far to about 20 of the company's music titles, it is one of two digital rights management products used by Sony. The other is SunnComm Inc.'s MediaMax software, he said.

The XCP software prevents users from making more than three backup copies of any CD, and Sony puts an XCP notification on the back of CDs that use the mechanism, according to Mathew Gilliat-Smith, First 4's CEO.

The Van Zant CD software came with an end-user license agreement (EULA) informing Russinovich that he would be installing software that would reside on his PC until removed. But Russinovich, chief software architect at systems software company Winternals Software LP, said he never expected to be installing a product that would then prove to be virtually undetectable and extremely difficult to remove.

McKay believes that the disclosures in the license agreement are adequate. "I think the EULA's pretty clear about what it is," he said. "The reason why consumers have really high acceptance levels of these content-protected disks is because they have the functionality that people want."

The First 4 software does nothing malicious and can be uninstalled, should the user want to remove it, McKay said.

That uninstall process is not exactly straightforward, however, and cannot be done through the "Add or Remove Programs" utility in the Windows control panel. Sony referred questions about deleting the software to a page on the company's Web site.

Although many computer users may not care about the finer points of EULAs, people like Russinovich say Sony's software calls a more important issue into question: Who gets to have control over your computer?

"When something like this installs and doesn't advertise itself, you've lost control of your own computer," he said. "And the EULA description that they've presented doesn't let you make an educated decision about whether you'd want this installed or not."

Ironically, the invasiveness of the XCP software punishes users who pay for their music, said Fred von Lohmann, staff attorney at the Electronic Frontier Foundation (EFF), a digital rights advocacy organization in San Francisco. "They are installing software in a way that makes it very difficult for you to know what was installed and makes it very difficult to uninstall it. And, worst of all, the software is not very well written. I think most computer users will find that to be very outrageous."

Lawyers might also be interested in the software, von Lohmann said. The EFF attorney said a lawsuit is conceivable. "Sony is using a piece of your computer in a way that you didn't expect or authorize," he said. "Depending on how clearly this was disclosed, some consumers may be able to make an argument that this is actually an unauthorized intrusion," he said. "It's not beyond the realm of possibility that Sony BMG could be liable for this."

In fact, an Italian digital rights organization yesterday took the first step toward possible criminal charges in the matter by asking police to investigate Sony's use of XCP (see "Italian police asked to probe Sony copy protection code").

In 2001, the other provider of Sony copy protection software, SunnComm, was involved in a lawsuit alleging that its software -- then being used by Music City Records Inc. -- did not adequately notify consumers of its capabilities.

In the long term, Sony appears to be moving away from the techniques that have incensed Russinovich.

First 4's Gilliat-Smith said his company has spent the last month developing a new version of the XCP software that does not use the controversial rootkit techniques. "We won't use the same methodology that makes the software hidden in the way that people are concerned about," he said.

Neither Gilliat-Smith nor McKay could say when this software would appear in Sony's products.

Copyright © 2005 IDG Communications, Inc.