
The 2005 Sony CD copy protection scandal is a public scandal over Sony BMG Music Entertainment's surreptitious distribution of software on audio compact discs.

As a copy protection measure, Sony BMG included the Extended Copy Protection (XCP) and MediaMax CD-3 software on music CDs. This software was automatically installed on desktop computers when customers tried to play the CDs. The software interferes with the normal way in which the Microsoft Windows or Mac OS X operating systems play CDs, opens security holes that allow viruses to break in, and causes other problems. It is widely described as spyware.

As a result, a number of parties have filed lawsuits against Sony BMG; the company ended up recalling all the affected CDs; and greater public attention was drawn to the issue of commercially-backed spyware.

History & technical information


Background

In August 2000, Sony Pictures Entertainment US senior VP Steve Heckler foreshadowed events of late 2005. Heckler told attendees at the Americas Conference on Information Systems: "The industry will take whatever steps it needs to protect itself and protect its revenue streams...It will not lose that revenue stream, no matter what...Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source - we will block it at your cable company, we will block it at your phone company, we will block it at your We will firewall it at your PC...These strategies are being aggressively pursued because there is simply too much at stake." [http://www.nyfairuse.org/sony.xhtml]

Sony BMG software issues

On October 31, 2005, Mark Russinovich posted to his blog a detailed description and technical analysis of the characteristics of the software contained on Sony BMG music CDs. Titled "Sony, Rootkits and Digital Rights Management Gone Too Far", the article asserts emphatically that the software is illegitimate and that digital rights management had "gone too far."

Security holes

Russinovich stated that there were shortcomings in the software design that manifest themselves as security holes that can be exploited by malicious software such as worms or viruses. He also mentioned that the XCP software installed silently before the EULA appeared, that the EULA does not mention the XCP software, and that there was no uninstaller, all of which are illegal in various ways in various jurisdictions. Several comments to the entry recommended a lawsuit against Sony BMG.

Freedom To Tinker had an article on November 12, 2005 discussing the SunnComm DRM found on some Sony BMG CDs, which is very similar to the F4I software in that it installs without authorization or notification, and does not have an uninstaller.

Resource drain

The article also asserts that the software runs in the background and consumes system resources, slowing down the user's computer, regardless of whether a protected CD is playing or not.

Poor design

Russinovich presented evidence that the software employs unsafe procedures to start and stop the rootkit, which could lead to system crashes (the famous BSoD), and that inexpert attempts to uninstall the software can lead to the Windows operating system failing to recognize existing drive(s).

Rootkit removal program

Sony BMG released a software utility to remove the rootkit component of Extended Copy Protection from affected Microsoft Windows computers, but this removal utility was soon analyzed by Russinovich in another blog article. In fact, the Sony BMG program merely unmasked the hidden files installed by the rootkit, but did not actually remove the rootkit. In addition, this program was reported to install additional software that cannot be uninstalled. In order to download the uninstaller, it is necessary to provide an e-mail address (which the Sony BMG Privacy Policy implies will be added to various bulk e-mail lists), and to install an ActiveX control containing backdoor methods (marked as "safe for scripting", and thus prone to exploits). [http://hack.fi/~muzzy/sony-drm/]

On November 18, 2005, Sony BMG provided a "new and improved" removal tool to remove the rootkit component of Extended Copy Protection from affected Microsoft Windows computers.

Opponents of Sony BMG's actions, including Slashdot and Digg contributors, later accused Sony BMG of violating the privacy of its customers to create a backdoor onto their machines using code that itself violates an open-source license. They claimed that this DRM program, designed to give Sony BMG control over the customer's machine in the name of copyright protection, is itself infringing copyright by including code from the LAME MP3 library. It appears that, since LAME is under the LGPL, this situation could be rectified by Sony BMG offering a copy of the LAME source code, as well as adding a notice that it was using code from the library (though this would not be a defense against past damages).

Prevention

The XCP software can be prevented from installing in several ways. First of all, a user can refuse to purchase such copy-protected CDs, perhaps downloading the music from a digital music distributor. Second, it is possible to disable autorun so that the software will not run automatically (this can be done, temporarily, by holding the SHIFT key while inserting the CD). Putting a piece of opaque (to infrared) tape or some other light blocker on the portion of the CD where the executable is stored will also prevent the DRM from running. An alternative is to use an operating system on which the software does not automatically install itself, such as Linux or Mac OS X, or to run Windows under a restricted account instead of an administrator account, in which case the installation program will not have sufficient rights to install the rootkit.
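An added example, not part of the original article: a PowerShell check of the autorun and restricted-account mitigations described above on a Windows machine. It assumes the standard NoDriveTypeAutoRun policy value, in which bit 0x20 covers CD-ROM drives; the function names are illustrative.

```powershell
# Added example: audit the autorun and restricted-account mitigations locally.
$CdRomBit   = 0x20   # CD-ROM drive bit in the NoDriveTypeAutoRun bitmask
$PolicyKeys = @(     # this script checks the machine-wide value before the per-user one
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-CdAutorunPolicy {
    foreach ($key in $PolicyKeys) {
        $item = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key or value not present here
        $raw  = $item.NoDriveTypeAutoRun
        # The value is normally REG_DWORD but is sometimes stored as REG_BINARY.
        $mask = if ($raw -is [byte[]]) { [int]$raw[0] } else { [int]$raw }
        return [pscustomobject]@{
            Source            = $key
            Mask              = '0x{0:X2}' -f $mask
            CdAutorunDisabled = [bool]($mask -band $CdRomBit)
        }
    }
    # No policy value found: autorun from CD is not disabled by policy.
    [pscustomobject]@{ Source = '(not set)'; Mask = '(none)'; CdAutorunDisabled = $false }
}

function Test-IsElevatedAdmin {
    # True only when the current process token has the Administrators group enabled.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$policy = Get-CdAutorunPolicy
$admin  = Test-IsElevatedAdmin
$policy | Format-List
"Running with administrator rights: $admin"

if (-not $policy.CdAutorunDisabled -and $admin) {
    'Neither mitigation is in place: software on an inserted disc can start automatically with administrator rights.'
} elseif (-not $policy.CdAutorunDisabled) {
    'Autorun from CD is not disabled by policy; the restricted account is the only barrier.'
} elseif ($admin) {
    'Autorun from CD is disabled, but this session runs as administrator.'
} else {
    'Both mitigations are in place.'
}
```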

Legal and financial problems


Product recall

On November 15, 2005, vnunet.com announced that Sony BMG is backing out its copy-protection software, recalling unsold CDs from all stores, and offering to exchange consumers' CDs for versions lacking the software. The Electronic Frontier Foundation compiled a partial list. On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. They said that XCP uses rootkit technology to hide certain files from the computer user, and that this technique is a security threat to computer users. They also said one of the uninstallation options provided by Sony BMG introduces further vulnerabilities to a system. US-CERT advised, "Do not install software from sources that you do not expect to contain software, such as an audio CD." [http://www.us-cert.gov/current/current_activity.html#xcpdrm]

Sony BMG announced that it has instructed retailers to remove any unsold music discs containing the software from their shelves. It is estimated by internet expert Dan Kaminsky that XCP is in use on more than 500,000 networks.

CDs with XCP technology can be identified by the letters "XCP" printed on the back cover of the jewel case for the CD.

On November 18, 2005, Reuters reported that music publisher Sony BMG would swap affected insecure CDs for new unprotected discs as well as unprotected MP3 files.

Information about the swap can be found at the Sony BMG swap program website. As a part of the swap program, consumers can mail their XCP-protected CDs to Sony BMG and would be sent an unprotected disc via return mail.

On November 29, 2005, the New York Attorney General Eliot Spitzer found through his investigators that, despite the recall of November 15, Sony BMG CDs with XCP were still for sale in New York City music retail outlets. Spitzer said "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year," "I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."

On November 30, 2005, Massachusetts Attorney General Tom Reilly issued a statement saying that Sony BMG CDs with XCP were still available in Boston despite the Sony BMG recall of November 15. Attorney General Reilly advised consumers not to purchase the Sony BMG CDs with XCP and said that he was conducting an investigation of Sony BMG.

As of January 26, 2006, Sony BMG's website offered consumers no reference to this issue and no way to locate Sony BMG's explanation or list of affected CDs. (The link below, however, will bring up the explanation and list.)

As of May 11, 2006, Sony BMG's website offered consumers a link to "Class Action Settlement Information Regarding XCP And Mediamax Content Protection." It has online claim filing and links to software updates/uninstallers.

Legal situation

A number of parties have sued Sony BMG for their actions in distributing the infected CDs.

Texas state action

On November 21, 2005, the Texas Attorney General Greg Abbott sued Sony BMG. Texas is the first state in the United States to bring legal action against Sony BMG in this matter. The suit is also the first filed under the state's 2005 spyware law. It alleges that the company surreptitiously installed the spyware on millions of compact music discs (CDs), and that the spyware can compromise consumers' computers when they insert the CDs to play them. [http://news.com.com/Texas+sues+Sony+BMG+over+alleged+spyware/2100-7350_3-5964995.html?tag=nl.]

On December 21, 2005, Abbott added new allegations to his lawsuit against Sony BMG, regarding MediaMax. The new allegations claim that MediaMax violates the state's spyware and deceptive trade practices laws, because the MediaMax software is installed even if users decline the license agreement that would authorize its installation. Abbott said "We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music," and "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes." In addition to violations of the Consumer Protection Against Computer Spyware Act of 2005, which allows for civil penalties of $100,000 for each violation of the law, the alleged violations added in the updated lawsuit, on December 21, 2005, carry maximum penalties of $20,000 per violation.

New York and California class action suits

Class action suits have been filed against Sony BMG in New York and California.

On December 30, 2005, the New York Times reported that Sony BMG has reached a tentative settlement of the lawsuits, proposing two ways of compensating consumers who have purchased the affected recordings. According to the proposed settlement, those who purchased an XCP CD will be paid $7.50 per purchased recording and given the opportunity to download a free album, or be able to download three additional albums from a limited list of recordings if they give up their cash incentive. District Judge Naomi Reice Buchwald entered an order tentatively approving the settlement on January 6, 2006. [http://sonysuit.com/classactions/michaelson/19.pdf]

The settlement is designed to compensate those whose computers were infected, but not otherwise damaged. Those who have damages that are not addressed in the class action are able to opt out of the settlement and pursue their own litigation.

A fairness hearing will be held May 22, 2006 at 9:15 am at the Daniel Patrick Moynihan United States Courthouse for the Southern District of New York at 500 Pearl Street, Room 2270, New York, NY.

Claims must be submitted by December 31, 2006. Class members who wish to be excluded from the settlement must file before May 1, 2006. Those who remain in the settlement can attend the fairness hearing at their own expense and speak on their own behalf or be represented by an attorney.

Other actions

It was reported on December 24, 2005 that Florida Attorney General Charlie Crist is investigating Sony BMG spyware.

Threats of legal action in Italy have also been reported. On November 21, EFF announced that they were also pursuing a lawsuit over both XCP and the SunnComm MediaMax DRM technology. The MediaMax Version 5 software was loaded on 27 Sony BMG titles. [http://sonybmg.com/mediamax/titles.html] All these suits are regarding security threats and other damage to customer computers, not copyright issues in the code. The EFF lawsuit also involves issues concerning the Sony BMG end user license agreement.

Despite the numerous civil lawsuits that were spawned or threatened, the US Department of Justice (DOJ) refused to make any comment on whether it would take any criminal action against Sony, even though the company seems to have violated several sections of Federal cybersecurity law. Instead, the DOJ initiated a new bill to Congress called The Intellectual Property Protection Act of 2005 that would formally criminalize the act of file sharing, thus showing support for Sony's efforts to protect its copyrights.

Copyright violation allegations

A Slashdot story noted that the rootkit includes code and comments (such as "copyright (c) Apple Computer, Inc. All Rights Reserved." [http://yro.slashdot.org/comments.pl?sid=168546&cid=14051648]) illegally copied from sections of the program VLC written by Jon Lech Johansen and Sam Hocevar, the former best known for being prosecuted in connection with DeCSS (which circumvents the DRM mechanism used on movie DVDs).

Company & press reports


In a November 7, 2005 article, vnunet.com summarised Russinovich's findings in a less technically detailed way, and urged consumers to avoid buying Sony BMG music CDs for the time being. The following day, The Boston Globe (boston.com) [http://www.boston.com/business/technology/articles/2005/11/08/security_firm_sony_cds_secretly_install_spyware/] classified the software as spyware and confirmed that it communicates personal information from consumers' computers to Sony BMG. The methods used by the software to avoid detection were likened to those used by data thieves.

The first virus which made use of Sony BMG's stealth technology to make malicious files invisible to both the user and anti-virus programs surfaced on November 10, 2005. One day later, Yahoo! News announced [http://news.yahoo.com/s/ap/20051111/ap_on_hi_te/sony_copy_protection] that Sony BMG had suspended further distribution of the controversial technology.

According to ZDNet News: "The latest risk is from an uninstaller program distributed by SunnComm Technologies, a company that provides copy protection on other Sony BMG releases." The uninstall program obeys commands sent to it allowing others "to take control of PCs where the uninstaller has been used."

According to BBC News on November 14, 2005, Microsoft has decided to classify Sony BMG's software as "spyware" and provide tools for its removal. In both this and the previous Yahoo! News announcement, Mark Russinovich is quoted as saying, "This is a step they should have taken immediately."


 

This article is licensed under the GNU Free Documentation License. It uses material from the "2005 Sony CD copy protection scandal".
