In 2005, it was revealed that the implementation of copy protection measures on about 22 million CDs distributed by Sony BMG installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.
Sony BMG initially denied that the rootkits were harmful. It then released an uninstaller for one of the programs that merely made the program's files visible while also installing additional software that could not be easily removed, collected an email address from the user and introduced further security vulnerabilities.
Following public outcry, government investigations and class-action lawsuits in 2005 and 2006, Sony BMG partially addressed the scandal with consumer settlements, a recall of about 10% of the affected CDs and the suspension of CD copy-protection efforts in early 2007.
Background
In August 2000, statements by Sony Pictures Entertainment U.S. senior vice president Steve Heckler foreshadowed the events of late 2005. Heckler told attendees at the Americas Conference on Information Systems: "The industry will take whatever steps it needs to protect itself and protect its revenue streams ... It will not lose that revenue stream, no matter what ... Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source – we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC ... These strategies are being aggressively pursued because there is simply too much at stake."[1]
In Europe, BMG created a minor scandal in 2001 when it released Natalie Imbruglia's second album White Lilies Island without warning labels stating that the CD contained copy protection.[2][3] The CDs were eventually replaced.[2]
Copy-protection software
The two pieces of copy-protection software at issue in the 2005–2007 scandal were included on over 22 million CDs[7] marketed by Sony BMG, the record company formed by the 2004 merger of Sony and BMG's recorded music divisions. About two million of those CDs,[7] spanning 52 titles, contained First 4 Internet (F4I)'s Extended Copy Protection (XCP), which was installed on Microsoft Windows systems after the user accepted the EULA, which made no mention of the software. The remaining 20 million CDs,[7] spanning 50 titles,[8] contained SunnComm's MediaMax CD-3, which was installed on either Microsoft Windows or macOS systems after the user was presented with the EULA, regardless of whether the user accepted it. However, macOS prompted the user for confirmation when the software attempted to modify the OS, whereas Windows did not.
XCP rootkit
Legal and financial problems
Product recall
On November 15, 2005, vnunet.com announced[18] that Sony BMG was backing out of its copy-protection software, recalling unsold CDs from all stores and allowing consumers to exchange affected CDs for versions without the software. The Electronic Frontier Foundation compiled a partial list of CDs with XCP.[19] Sony BMG maintained that "there were no security risks associated with the anti-piracy technology" despite numerous virus and malware reports. On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. It said that XCP uses rootkit technology to hide certain files from the user and that the technique is a security threat to users. They also said that one of the uninstallation options provided by Sony BMG introduces further vulnerabilities. US-CERT advised: "Do not install software from sources that you do not expect to contain software, such as an audio CD."[20]
Sony BMG announced that it had instructed retailers to remove any unsold music discs containing the software from their shelves.
Company and press reports
Russinovich's report was discussed on popular blogs almost immediately following its release.[52]
NPR was one of the first major news outlets to report on the scandal on November 4, 2005. Thomas Hesse, Sony BMG's president of global digital business, said: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"[53]
In a November 7, 2005, article, vnunet.com summarized Russinovich's findings[54] and urged consumers to temporarily avoid purchasing Sony BMG music CDs. The following day, The Boston Globe classified the software as spyware, and Computer Associates' Security Management unit VP Steve Curry confirmed that the rootkit communicates personal information from consumers' computers (the CD being played and the user's IP address) to Sony BMG.[55] The methods used by the software to avoid detection were likened to those used by data thieves.
Sources
- "Sony Music CDs Under Fire from Privacy Advocates", National Public Radio, 2005-11-04
- Bergstein, Brian (2005-11-18). "Copy protection an experiment in progress". Seattlepi.com.
- Halderman, J. Alex, and Felten, Edward. https://wayback.archive-it.org/all/20120712181539/http://citp.princeton.edu/pub/sonydrm-ext.pdf (PDF format), Center for Information Technology Policy, Department of Computer Science, Princeton University, 2006-02-14.
- Wikinews: Sony's DRM protected CDs install Windows rootkits
- Gartner: Sony BMG DRM a Public-Relations and Technology Failure
- Bush Administration to Sony: It's your intellectual property -- it's not your computer - 2005-11-12 MP3 Newswire article
External links
- Academic article examining the market, legal, and technological factors that motivated Sony BMG's DRM strategy
- List of titles affected by MediaMax
- List of titles affected by XCP
- List of titles included in settlement
- SonySuit.Com - Tracking The Sony BMG XCP and SunComm Lawsuits
- "Sony anti-customer technology roundup and time-line", Boing Boing.
- , Groklaw
References
- Anastasi, Michael A. "Sony Exec: We Will Beat Napster", New Yorkers For Fair Use, August 17, 2000. Retrieved November 13, 2006.^
- Smith, Tony. BMG to replace anti-rip Natalie Imbruglia CDs The Register, November 19, 2001, retrieved August 24, 2009^
- Borland, John. Customers put kibosh on anti-copy CD