Sony BMG – Shame on You!

By John Brewer   
December 2005 eMonitor,
Computer Club of Oklahoma City

Computer users may have noticed the recent brouhaha about Sony music CDs. Is there a valid issue or simply a lot of heat with no real threat?

The issue developed from the desire of Sony-BMG to copy-protect its music CDs. If the music CD is played in a personal computer, and the “accept” button is clicked, then software known as XCP is installed. XCP reportedly uses “rootkit” technology. Wikipedia states that a “rootkit is a set of software tools frequently used by a third-party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. The rootkit concept is the dominant controversial aspect of the 2005 Sony CD copy protection controversy, which has made the previously obscure concept of a rootkit much more widely known in the technology community, and to the general public.”

The technical issues seem to be rather complicated, but a survey of the articles available on the Internet is disturbing. Apparently, rootkits install a backdoor to the computer and is difficult to remove. Apparently, there is a patch available that may or may not remove the Sony software. Personally, this author thinks the only alternative is to avoid Sony CDs or to avoid playing any Sony CDs on a personal computer. The music industry is very serious about copyright violations and may think that the “end justifies the means’ in this particular matter.

The following is a portion of a Sony response dated November 18, 2005. “You may be aware of the recent attention given to the XCP content protection software included on some SONY-BMG CDs. This software was provided to us by a third-party vendor, First4Internet. Discussion has centered on security concerns raised about the use of CDs containing this software. We share the concerns of consumers regarding these discs, and we are instituting a mail-in program that will allow consumers to exchange any CD with XCP software for the same CD without copy protection and receive MP3 files of the same title. We also have asked our retail partners to remove all unsold CDs with XCP software from their store shelves and inventory. Please click here for exchange program details.

“Our new initiatives follow the measures we have already taken, including the voluntary suspension of the manufacture of CDs with the XCP software. In addition, to address security concerns, we provided to major software and anti-virus companies a software update, which also may be downloaded athttp://cp.sonybmg.com/xcp/english/updates.html. We will shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer.”

Sony sounds like it is trying to respond in a responsible manner. However, this type of response is also an attempt to institute damage control. Sony has been sued new security risks and possibly identityby the Electronic Frontier Foundation and the Attorney General for the State of Texas regarding this practice.

EFF filed its complaint in a California state court on November 21, 2005. The EFF Web site states that “by including a flawed and overreaching computer program in over 20 million music CDs sold to the public, Sony-BMG has created serious security, privacy and consumer-protection problems that have damaged music lovers everywhere.

“At issue are two software technologies: SunnComm's MediaMax and First4Internet's Extended Copy Protection (also known as XCP), which Sony-BMG claims to have placed on the music CDs to restrict consumer use of the music on the CDs, but which in truth do much more, including monitoring customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms in the End User Licensing Agreement (EULA).

“After a series of embarrassing public revelations about security risks associated with the XCP software, including warnings issued by the United States Government, Microsoft and leading anti-virus companies, Sony-BMG has taken some steps to respond to the security risks created by the XCP technology. Sony-BMG has failed, however, to address security concerns raised by the MediaMax software or the consumer privacy and consumer fairness problems created by both technologies.”

The Attorney General of the State of Texas has also filed litigation regarding the same spyware from Sony. The Web site for the AG addresses the litigation. Today [Texas] “sued SONY-BMG Music Entertainment as the first state in the nation to bring legal action against SONY for illegal ‘spyware.’ ” The suit is also the first filed under the state’s spyware law of 2005. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.

The Attorney General’s lawsuit alleges the New York-based company violated a new Texas law protecting consumers from the hidden spyware. The company accomplished this by using new technology on certain music CDs to install files onto consumers’ computers that hide other files installed by SONY. This secret “cloaking” component is installed without the knowledge of consumers and can cause their computers to become vulnerable to computer viruses and other forms of attack.

“SONY has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” said Attorney General Abbott. “Consumers who purchased a SONY CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime.”

SONY insists on its Web site that it has recalled all affected CDs. However, Attorney General’s investigators were able to purchase numerous titles at Austin retail stores as recently as Sunday evening.

According to SONY’s Web site, the company recently distributed millions of CDs across the nation on 52 CDs by various artists. These CDs contained embedded files used for copy protection – or XCP technology. The files prompt consumers to enter into a user agreement to install SONY’s audio player. By opting into the agreement, which Sony represents is the only way a consumer can listen to these CDs on a computer, the consumer is unaware that SONY secretly installs files into the computer’s Microsoft Windows folders. Consumers are unable to detect and remove these files.

SONY-BMG claims on its Web site that this XCP technology merely prevents unlimited copying, is otherwise passive and does not gather personal information about a computer user. However, the Attorney General’s investigation into this technology revealed that it remains hidden and active at all times after installation, even when SONY’s media player is inactive, prompting concerns about its true purpose.

The Attorney General’s lawsuit also alleges that a phantom file is installed to conceal the XCP files from the user, thus making it difficult for the user to remove the files from his or her computer. Moreover, recent news accounts allege that newly created viruses that exploit this phantom file have been spreading. A user unfamiliar with installation – and removal – of this technology may be vulnerable to  theft.

Because of alleged violations of the Consumer Protection Against Computer Spyware Act of 2005, the Attorney General is seeking civil penalties of $100,000 for each violation of the law, attorneys’ fees and investigative costs.”

Sony-BMG – shame on you!

John Brewer practices law in Oklahoma City, is a member of the Governor’s and Legislative Task Force for E-Commerce, and enjoys issues relating to eBusiness and cyberspace. Comments and questions are welcome and can be emailed tojohnb@jnbrewer.com.

The Editorial Committee of the Association of Personal Computer User Groups (APCUG), an international organization of which CFCS is a member, brings this article to you.

Author: John Brewer
Date: 02/02/2006
Central Florida Computer Society Newsletter

...return to top