Betrayed by music

When Sony BMG admitted in early November that it had shipped a couple million CDs containing a hidden software program called XCP that secretly installs itself on computers, the public was weirded out.

Why the hell was a music company sneaking unidentified software onto people’s computers without telling them? Sony’s answer - that it was digital rights management software to prevent music piracy - seemed inadequate.

After all, DRM has been around for a while, but it’s never come in the form of secretly installed programs. What were those programs doing, anyway?

Computer security geeks wanted to find out too. Turns out XCP is based on a tool called a “rootkit,” which bad guys have traditionally used to take control of their victims’ computers. Anyone who plays the new Celine Dion CD on his or her computer is making him- or herself vulnerable to viruses and other digital nasties.

The danger is so great that the US Computer Emergency Response Team actually issued a special alert Nov. 15 warning people not to play Sony CDs with XCP on them.

Note to entertainment companies: You know you’ve gone too far with your copy protection technology when the copyright-expansionist US government steps on your head.

So Sony agreed to fix the problem - sort of. The company issued a deinstaller for XCP that was supposed to get rid of the nastiness. And that’s when things got really interesting.

According to Ed Felten, a computer security professor at Princeton, the deinstaller is even worse than the original XCP rootkit. After examining the deinstaller, Felten wrote on his blog, Freedom to Tinker, that it actually installs new versions of all the old files from the rootkit, and adds some new ones.

“No doubt they’ll ask us to trust them,” Felten wrote. “I wouldn’t.”

Not surprisingly, the creepy discoveries continued. Researchers found that Sony’s sneaky program also sends an electronic message over the Internet that potentially allows the company to track who’s playing its CDs and where.

Microsoft issued a statement saying that its antivirus software protects against the Sony rootkit. (Microsoft might have a few less-than-benevolent reasons for helping hapless consumers - the company is in litigation with Sony.) Sony responded by saying that it will replace XCP-infected CDs with uninfected ones for free.

Meanwhile, the company got sued in Texas, California, and Italy under anti-spyware and consumer-protection laws. Thomas Hesse, president of Sony BMG, initially downplayed the rootkit problems in a Nov. 4 interview on NPR.

Days later, he was eating his words: “We’re very, very sorry for the disruption and inconvenience that this has caused to music consumers,” he told Business Week.

But it turns out XCP isn’t the only piece of secretly installed and potentially malicious software Sony is distributing with its holiday CD releases. People who use Windows machines to play CDs with something called MediaMax on them will find that new files and programs suddenly show up, uninvited, in their Common Files directory in a folder called SunnComm Shared (SunnComm is the company that makes MediaMax). Recently Sony sent out a press release admitting that MediaMax contains a security flaw that could leave up to 20 million computers vulnerable.

While I’d love to believe that the egg on Sony’s face will force other companies to shy away from trying to protect their copyrights using DRM, I think the XCP and MediaMax debacles are, ironically, going to usher in an era of widespread acceptance of DRM.

By making DRM that is so egregiously horrible, Sony has set the floor for what the public will accept. So long as the next generation of DRM doesn’t leave computers vulnerable to viruses the way the XCP rootkit does, the media and the public won’t kick up a fuss.

It won’t even that future DRM may install all kinds of programs on people’s computers to monitor and control their media consumption - as long as those programs are secure and are installed with “permission” (i.e., after you ignore a bunch of legalese and click an “I Agree” box at the bottom).

Installing alien software to listen to the latest Sarah McLaughlin CD will just seem normal. After all, none of that software is as bad as the Sony rootkit, right? Yeah, right.



Annalee Newitz is a contributing editor at Wired magazine.