Music Companies Get Mean

When Sony BMG admitted in early November that it had shipped a couple million CDs containing a hidden software program called XCP that secretly installs itself on computers, the public was weirded out.

Why the hell was a music company sneaking unidentified software onto people's computers without telling them? Sony's answer -- that it was digital rights management software to prevent music piracy -- seemed inadequate. After all, DRM has been around for a while, but it's never come in the form of secretly installed programs. What were those programs doing, anyway?

Computer security geeks wanted to find out too. Turns out XCP is based on a tool called a "rootkit," which bad guys have traditionally used to take control of their victims' computers. Anyone who plays the new Celine Dion CD on his or her computer is making him- or herself vulnerable to viruses and other digital nasties. The danger is so great that the US Computer Emergency Response Team actually issued a special alert Nov. 15 warning people not to play Sony CDs with XCP on them.

Note to entertainment companies: You know you've gone too far with your copy protection technology when the copyright-expansionist US government steps on your head.

So Sony agreed to fix the problem -- sort of. The company issued a deinstaller for XCP that was supposed to get rid of the nastiness. And that's when things got really interesting. According to Ed Felten, a computer security professor at Princeton, the deinstaller is even worse than the original XCP rootkit. After examining the deinstaller, Felten wrote on his blog, Freedom to Tinker, that it actually installs new versions of all the old files from the rootkit, and adds some new ones. "No doubt they'll ask us to trust them," Felten wrote. "I wouldn't."

Not surprisingly, the creepy discoveries continued. Researchers found that Sony's sneaky program also sends an electronic message over the Internet that potentially allows the company to track who's playing its CDs and where. Microsoft issued a statement saying that its antivirus software protects against the Sony rootkit. (Microsoft might have a few less-than-benevolent reasons for helping hapless consumers -- the company is in litigation with Sony.) Sony responded by saying that it will replace XCP-infected CDs with uninfected ones for free.

Meanwhile, the company got sued in Texas, California, and Italy under anti-spyware and consumer-protection laws. Thomas Hesse, president of Sony BMG, initially downplayed the rootkit problems in a Nov. 4 interview on NPR. Days later, he was eating his words: "We're very, very sorry for the disruption and inconvenience that this has caused to music consumers," he told Business Week.

But this DRM meltdown is far from over. It turns out XCP isn't the only piece of secretly installed and potentially malicious software Sony is distributing with its holiday CD releases. People who use Windows machines to play CDs with something called MediaMax on them will find that new files and programs suddenly show up, uninvited, in their Common Files directory in a folder called SunnComm Shared (SunnComm is the company that makes MediaMax). Recently Sony sent out a press release admitting that MediaMax contains a security flaw that, if untreated, could leave up to 20 million computers vulnerable.

What does all this bad craziness mean? In the short term, it means don't buy any new CDs from Sony BMG. The long term is a little more hazy. Remember, all this stupidity started with an entertainment corporation wanting to protect its intellectual property -- and so hell-bent on it that it was willing to sacrifice your computer. The scandal over DRM software has been an object lesson on the values of the music industry.

While I'd love to believe that the egg on Sony's face will force other entertainment companies to shy away from trying to protect their copyrights using DRM, I think the XCP and MediaMax debacles are, ironically, going to usher in an era of widespread acceptance of DRM. By making DRM that is so egregiously horrible, Sony has set the floor for what the public will accept. So long as the next generation of DRM doesn't leave computers vulnerable to viruses the way the XCP rootkit does, the media and the public won't kick up a fuss.