Sony ships sneaky DRM software

Mark Russinovich couldn't understand how the rootkit had sneaked onto his system. An expert on the internals of the Windows operating system, he was careful when it came to computer security and generally had a pretty good idea of what was running on his PC at any given time. And yet the security tool he was using to check his PC was pretty clear: It had found the "rootkit" cloaking software typically used by virus and spyware writers.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

After a bit of detective work, Russinovich eventually tracked down the source: a Sony BMG Music Entertainment CD entitled "Get Right with the Man," performed by country music duo Donnie and Johnny Van Zant.

It turns out that Sony is using techniques normally only seen in spyware and computer viruses in order to restrict the unauthorized copying of some of its music CDs. Sony's software, licensed by Sony from a Banbury, U.K., company called First 4 Internet, has become the basis of a dispute that once again pits computer advocates against an entertainment company experimenting with new ways to prevent unauthorized copying of its products.

Sony has been using First 4's XCP (Extended Copy Protection) software since early 2005 as a copy protection mechanism for some of its music CDs, according to Sony spokesman John McKay. He could not say how many of Sony's CDs currently use the XCP software, but he said it is one of two digital rights management products used by the company. The other is SunnComm's MediaMax software, he said.

The XCP software prevents users from making more than three backup copies of any CD, and Sony puts an XCP notification on the back of CDs that use the mechanism, according to Mathew Gilliat-Smith, First 4's chief executive officer.

Although the Van Zant CD software came with an end user license agreement (EULA) informing him that he would be installing software that would reside on his PC until removed, Russinovich, who works as chief software architect with systems software company Winternals Software, said he never expected to be installing a product that would then prove to be virtually undetectable and extremely difficult to remove.

Sony's McKay believes that the disclosures in the license agreement are adequate. "I think the EULA's pretty clear about what it is," he said. "The reason why consumers have really high acceptance levels of these content-protected disks is because they have the functionality that people want."

The First 4 software does nothing malicious and can be uninstalled, should the user want to remove it, McKay said.

That uninstall process is not exactly straightforward, however, and cannot be done through the Windows "Add or Remove Programs" utility in the Windows control panel. When asked for instructions on how to uninstall the software, McKay directed the IDG News Service to a section of the Sonybmg.com Web site where users could ask Sony customer support for uninstall directions.

That Web page can be found here: http://cp.sonybmg.com/xcp/english/faq.html#uninstall

Although many computer users may not care much about the finer points of EULAs, people like Russinovich say Sony's software calls a more important issue into question: Who gets to have control over your computer?

"When something like this installs and doesn't advertize itself, you've lost control of your own computer," he said. "And the EULA description that they've presented doesn't let you make an educated decision about whether you'd want this installed or not."

Ironically, the invasiveness of the XCP software punishes users who pay for their music, said Fred von Lohmann, staff attorney with the Electronic Frontier Foundation, a digital rights advocacy organization based in San Francisco. "They are installing software in a way that makes it very difficult for you to know what was installed and makes it very difficult to uninstall it. And, worst of all, the software is not very well written," he said. "I think most computer users will find that to be very outrageous."

Lawyers might also be interested in the software, von Lohmann said. The EFF attorney said a lawsuit was conceivable. "Sony is using a piece of your computer in a way that you didn't expect or authorize," he said. "Depending on how clearly this was disclosed, some consumers may be able to make an argument that this is actually an unauthorized intrusion," he said. "It's not beyond the realm of possibility that Sony BMG could be liable for this."

In 2001 the other provider of Sony copy protection software, SunnComm, was involved in a lawsuit that alleged that the company's software, which was then being used by Music City Records, did not adequately notify consumers of its capabilities.

In the long term, Sony appears to be moving away from the techniques that have incensed Russinovich.

First 4's Mathew Gilliat-Smith said his company has spent the last month developing a new version of the XCP software that does not use the controversial rootkit techniques. "We won't use the same methodology that makes the software hidden in the way that people are concerned about," he said.

Neither Gilliat-Smith nor Sony's McKay could say when this new software would being appearing in Sony's products or how many existing titles were shipping with the XCP software.

"This is a legitimate technology that we've been charged to produce," Gilliat-Smith said. "People who aren't comfortable with the technology can apply to have the software removed."