A diary of the Sony-BMG ‘rootkit’ fiasco – how not to introduce Digital Rights Management

December 2005

Record labels, internet, technology

In early November it became apparent that SonyBMG had launched a new form of copy restriction software embedded into CDs which restricted the purchaser’s end use of the tracks – in effect an anti-piracy measure – or digital rights management (DRM) system. So far so good. Except the software sparked off huge protests and it all went horribly wrong for SonyBMG. After the software was discovered, the Electronic Frontier Foundation suggested that the software, XCP2, was created ‘drawing from the playbook of spyware companies and virus-writers’. The EFF went on to say that by using a programme called a rootkit, a Sony BMG music CD will now “infect [the] user’s computer with a new programme which will be buried within the operating system”. The program will monitor the user’s computer activity to prevent piracy by users – for example by making extra copies of their music CDs. There is no “uninstall” feature on this programme (EFF EFFector Vol 18 No 38, 4th November 2005).

A couple of days later the EFF said that ‘outrage from computer users and music fans’ had sparked Sony BMG into offering a new programme on its website that will show users if they have been infected with the rootkit. However, while users can see the programme running, they cannot delete it. The Electronic Frontier Foundation has confirmed that the stealth program was deployed on at least 19 CDs in a variety of genres. The software – called XCP2 – was created by a UK company called First 4 Internet and ostensibly “protects” the music from illegal copying. But the EFF says that it also blocks a number of legal uses, like listening to songs on your iPod. The software also reportedly slows down the user’s computer and makes it more susceptible to crashes and third-party attacks. 18 files are installed and the software uses 15MB of memory on the user’s hard drive. And since the program is designed to hide itself, users may have trouble diagnosing the problem.

Consumers can spot CDs with XCP by inspecting a CD closely, checking the left transparent spine on the front of the case for a label that says “content protected.” The back of these CDs also mentions XCP2 in fine print. As the news came out, SonyBMG’s actions in using the software looked more and more unwise.

In the US (and indeed in many other territories) the law is still unclear on the legality of this sort of action (inserting software onto another person’s computer) and indeed on the legality of compulsory End User Licence Agreements (EULAs) which might result in the user ‘agreeing’ to accept such software. In this case the user wouldn’t even have seen the EULA, as they wouldn’t have known about the rootkit!!! In France the appeal courts have held that AOL’s online terms and conditions were unfair and illegal. EMI has said that it does not use rootkits on its CDs. More on the legality issue later.

By the 10th of November Live Eight magazine reported that a class action had been filed in California against the company and another could be filed in New York. The EFF publicly called for more consumers to join the class action. At the same time Sony-BMG said that they would suspend production of all CDs containing the rootkit after technology experts pointed out that the XCP stealth capacity could be used to mask malicious computer viruses. Sony BMG then posted a (very complex) uninstall procedure on its website. But to add to Sony-BMG’s woes, Microsoft then said that it considered the software ‘spyware’ and added XCP to the detection and removal tools in its weekly spyware software update. By the 16th November it was reported that SonyBMG were recalling millions of CDs, including albums from Celine Dion, The Coral and Natasha Bedingfield, because of the inclusion of the rootkit software on the CDs. And in a bizarre turnaround, on the 22nd November it was reported that SonyBMG were now themselves being sued over the software – with an action brought by the Attorney General on behalf of the State of Texas. Attorney General Greg Abbott accused Sony BMG of “surreptitiously installing ‘spyware’ in the form of files that mask other files Sony installed as part of XCP. This ‘cloaking’ component can leave computers vulnerable to viruses and other security problems”, said Abbott, adding that “Sony has engaged in a technological version of cloak-and-dagger deceit against consumers by hiding secret files on their computer.”

Finally, SonyBMG is exchanging all the CDs with XCP software for CDs without the software, and Sony has issued an apology letter to its customers. After this fiasco the question must be – where does digital rights management go now, in light of the real issues of consumer security, privacy, user consent and user rights?

More on the Sony rootkit:

EMI’s position: http://news.com.com/EMI+We+dont+use+rootkits/2100-1029_3-5937108.html?part=rss&tag=5937108&subj=news

More on the Sony response:

See Professor Ed Felten’s suggestions for preventing the operation of this type of software.

See the RIAA’s Cary Sherman’s comments at http://www.cpwire.com/artman/publish/article_1212.asp

Sony suspends production of rootkit CDs: http://news.bbc.co.uk/1/hi/technology/4430608.stm and ‘The Ghost in the CD’: http://www.nytimes.com/2005/11/14/business/14rights.html

State of Texas sues Sony BMG

Robert Hull and others v Sony BMG: http://www.clintons.co.uk/html/forum_details.php?id=73

See Law Updates November 2005: the first five articles are all on issues related to DRM; also see ‘Abusive contract terms struck down by French court in AOL Standard Form Contract’. Also see ‘The right way to fight spyware’ by Wendy Seltzer, Law Updates June 2005, and at http://www.eff.org/deeplinks/archives/003536.php
