"When something like this installs and doesn't advertize itself, you've lost control of your own computer," he said. "And the EULA description that they've presented doesn't let you make an educated decision about whether you'd want this installed or not."
Ironically, the invasiveness of the XCP software punishes users who pay for their music, said Fred von Lohmann, staff attorney with the Electronic Frontier Foundation, a digital rights advocacy organization based in San Francisco. "They are installing software in a way that makes it very difficult for you to know what was installed and makes it very difficult to uninstall it. And, worst of all, the software is not very well written," he said. "I think most computer users will find that to be very outrageous."
Lawyers might also be interested in the software, von Lohmann said. The EFF attorney said a lawsuit was conceivable. "Sony is using a piece of your computer in a way that you didn't expect or authorize," he said. "Depending on how clearly this was disclosed, some consumers may be able to make an argument that this is actually an unauthorized intrusion," he said. "It's not beyond the realm of possibility that Sony BMG could be liable for this."
In 2001 the other provider of Sony copy protection software, SunnComm, was involved in a lawsuit that alleged that the company's software, which was then being used by Music City Records, did not adequately notify consumers of its capabilities.
In the long term, Sony appears to be moving away from the techniques that have incensed Russinovich.
First 4's Mathew Gilliat-Smith said his company has spent the last month developing a new version of the XCP software that does not use the controversial rootkit techniques. "We won't use the same methodology that makes the software hidden in the way that people are concerned about," he said.
Neither Gilliat-Smith nor Sony's McKay could say when this new software would begin appearing in Sony's products or how many existing titles were shipping with the XCP software.
"This is a legitimate technology that we've been charged to produce," Gilliat-Smith said. "People who aren't comfortable with the technology can apply to have the software removed."