display | more...

Sony and Copy Control Technology

Or, "Just try to get in my way, just try. I'll get you, my little pretty. And your little dog, too!"1

Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source — we will block it at your cable company, we will block it at your phone company, we will block it at your ISP. We will firewall it at your PC.2

Imagine sitting in a room crowded with members of academe, silicon valley types, and others interested in furthering the sharing of information via computers, and hearing this coming from a representative of arguably the largest company in the entertainment and technology business. I wasn't there, but in retrospect it sounded to me as if Sony was going to send its minions out, armed with various tools of electronic destruction and *snip* first at Napster, then the TV company, then the phone company, then at our internet wires, and then come barging into our houses and *snip!* and the "Sony" wire on our computers is cut off now and for evermore. Big Brother-style control over what we can listen to. Only the Good Lord knows what the rest of the people in the room thought. I'd hazard a guess that a hushed buzz of angry voices filled the room.

The man from Sony was talking about "Copy Control Technology." Basically, it meant that it had come to Sony's attention that there were thankless whelps out there who were totally ignoring the big, official-looking Federal shield on the back of CDs, as well as the accompanying language warning dire punishment for all who'd make a copy of all or any part thereof. So a big huge corporation like Sony's not gonna take this lying down. They're gonna fight back.
 

What Happened

A few years back, Sony basically went and paid two software companies a princely sum of money in order to develop a program which would insinuate itself into any computer into which a Sony BMG (Sony's music group) CD was inserted. The software, ideally, would essentially block programs like iTunes and Windows Media Player from being able to "rip" or copy the music from the CD. So therefore the only way to make copies of the CD would be to play the CD, preferably through digital output, into an audio recording program; then burn it back onto CDs. Big hassle. Not many people can do. Equals less music "piracy." Therefore Sony's bottom line stays stable and doesn't go plummeting downward. Supposedly.

Let's stop for a minute for a little disclaimer. The ever-controversial Recording Industry Association of America ("RIAA") reports the recorded music industry loses approximately $4.2 billion annually to unlawful copying (piracy), file-sharing, and bootleggers*. Sadly, the way it works, it ain't the record labels who're taking the heat. It's the musicians, mostly. So have a heart, unless you're really poor, go out and buy or pay for a download of your favorite music. It's easy to rationalize that high-profile musicians are usually multi-millionaires — so who're you really hurting? But believe me, there are musicians out there who're making little enough on royalties paid by ASCAP, BMI and SESAC. And they really get hurt because of the inherent unfairness built into the royalty-paying system.

So back to the issue of Sony and their software. Sony's rationale for what came to be called "copy control technology" verged on the ridiculous. One Sony press release actually hinted that copy control technology would save would-be lawbreakers from themselves and therefore make the world a happier place to live in. Well, it backfired.
 

Darn, It Didn't Work Like They Said It Would!

Copy control technology, in the case of Sony BMG, is called "Digital Rights Management Software." Two companies, SunnComm and First4Internet, were hired by Sony to create the software, which would ideally limit the number of times one could "rip" protected music CDs, (and, while they were at it, report computer music playback software usage back to Sony). Yes, you heard me right, it'd collect data about your listening habits using the same feature of, let's say, Windows Media Player that detects the track names on the CD and provides one with the cute little picture of the album art during playback.)

In layman's terms, what the software did was to run itself as soon as the computer read the disk. Now, the two types of software, installed on just over 100 CD titles, basically altered the structure of the file system of computers so as to hide certain files, and alter others. It'd also "phone home" via the internet and report your music player use to Sony BMG. The software basically opened up a huge hole that would-be hackers could use to gain control over computers with; with disastrous results. That wasn't the worst part of it. Some people discovered the software languishing on their hard drives, and without proper knowledge nor instruction, attempted to uninstall it. This produced even more disastrous results, causing system instability and computer crashes at best, and physically harming the CD-ROM drive at worst.

Sony BMG must've known something was up when everyone from PC owners to PC service centers discovered that Sony BMG's disks were wreaking havoc with what is called in more complex terminology, the computer's rootkit. Would that the folks at the entertainment giant had been smarter and listened to their customers, instead of vigorously protecting their right to sell compromised goods, all would've been hunky dory. But that ain't how it worked.

Sony BMG Music Entertainment has agreed to settle Federal Trade Commission charges that it violated federal law when it sold CDs without telling consumers that they contained software that limited the devices on which the music could be played, restricted the number of copies that could be made, and contained technology that monitored their listening habits to send them marketing messages.3

A class action suit was filed in New York and another one in California. The Texas Attorney General filed suit. Governmental agencies in Italy and Canada sued Sony BMG. Finally, after duly noting that Sony BMG was failing to admit liability and fighting tooth and nail to offer purchasers of the software-attached discs token, minuscule settlements, the United States Federal Trade Commission came in and filed charges.
 

Settlement

Had Sony BMG settled the class-action cases to the satisfaction of those involved, perhaps the federal government wouldn't have gotten involved. But that's mere speculation.

As soon as hackers discovered (via newspapers and the Internet) the security hole in "infected" computers, viruses began to flood the Internet, seeking out and damaging computers "infected" with Sony's software. Sony's original offer, before the extent of the damaged population was realized, was to offer anyone a download, from their website, of a "patch" which would effectively and safely remove the offending software. This, basically, added insult to injury because as soon as the patch was released, scientists at Princeton University discovered that whole new avenues of invasion were made available to hackers by the patch software. Sony was not, under any circumstances, going to go farther than that to satisfy its customers and distributors.

Then, after New York State's Attorney General prevailed in a suit against it, Sony BMG recalled over 5 million discs, exchanging them for discs not equipped with Digital Rights Management Software. As a result of further suits, Sony added to the exchange program a "sweetener," allowing damaged CD purchasers up to three free downloads from its music download site. Sony intended to do nothing whatsoever to compensate damaged parties for the time, effort and expense of restoring their computers to useable condition.

Now, probably anyone reading this has experienced what's called an End-User License Agreement ("EULA"). It's the huge file of text one ostensibly need read before checking a box which will allow you to download software, media, games etc. A EULA basically says that the user utilizes the software at his/her own risk, and that the manufacturer of the software, media, etc. is not responsible for damage done to any computer upon which it is loaded, and further that the manufacturer will not reimburse any person or business for losses incurred (of time or money or data) related to use of the software. Well, this is what tripped Sony BMG up. If one did not agree to the legalese of the EULA, one's disk was essentially unplayable. Sony made no indication on the packaging of the disks that there was any software, nor that there was any contractual obligation of the user, to play the music contained therein.

Sony ended up having to pay up to $150 per user of the "infected" CDs "to repair damage that resulted directly from consumers’ attempts to remove the software installed without their consent. Sony BMG is required to publish notices on its Web site describing the exchange and repair reimbursement programs."4

Do the math. Millions of CDs. Millions more in return. Up to $150 per CD in damages. Thus the cost of launching what was initially heralded by the RIAA (Recording Industry Association of America) as one of the most innovative and aggressive methods of preventing music piracy in the history of the industry.

UPDATE 3/22/07: Cincinnatus checked my work and found errors. Thank goodness he knows more about the software end of it than did I. I was mislead by one of my sources into believing that the first-generation of the CDs did not contain a EULA, but in fact they did. My apologies to all whom I misled. Cincinnatus's eloquent correction follows: "I checked all the links you provided in your w/u, but didn't find any notes of version without EULAs. I did find notice of sofware install when the EULA was denied, and activities that EULA said would not, but did. That's just as bad, IMHO."

FOOTNOTES:

  1. Quote from the film The Wizard of Oz (MGM - 1939) more particularly the Wicked Witch of the West (played by Margaret Hamilton) threatening Dorothy (played by Judy Garland).
  2. Quote from Steve Heckler, senior vice president of Sony Pictures Entertainment Inc., who spoke to more than 1,200 educators, researchers and other computing experts at a conference hosted by California State University (Long Beach) in August, 2000
  3. Lede from the website of The United States Federal Trade Commission (FTC), explaining the suit in detail.
  4. Wording taken from the FTC website.

SOURCES:

  • "Sony BMG Settles FTC Charges" Website of the United States Federal Trade Commission http://www.ftc.gov/opa/2007/01/sony.htm (Accessed 3/19/07)
  • "Sony's Fix for CDs Has Security Problems of Its Own" By Brian Krebs The Washington Post Thursday, November 17, 2005; Page D01 http://www.washingtonpost.com/wp-dyn/content/article/2005/11/16/AR2005111602242.html (Accessed 3/19/07)
  • Electronic Frontier Foundation: "Sony BMG Settlement FAQs" http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq.php (Accessed 3/19/07)
  • "Sony Exec: 'We Will Beat Napster'" by M.A. Anastasi, The Daily Forty-Niner, August 17, 2000 on the website of New Yorkers for Fair Use http://www.nyfairuse.org/sony.xhtml (Accessed 3/19/07)
  • Website of Girard Gibbs, LLP http://www.girardgibbs.com/ (various) (Accessed 3/19/07)
  • Sony BMG class-action settlement website: http://www.sonybmgcdtechsettlement.com/ (Accessed 3/19/07)
  • Website dedicated to the lawsuit: http://www.sonysuit.com/ (Accessed 3/20/07)
  • Groklaw legal website: http://www.groklaw.net/staticpages/index.php?page=20051122010323323 (Accessed 3/20/07)
  • *Website of the Recording Industry Association of America: http://www.riaa.com/issues/piracy/default.asp (Accessed 3/21/07)

 

 

The writeup by shaogo is an excellent discussion of the litigation part, but I feel the need to explain some of the technical aspects of the whole snafu, mainly what actually happens to your computer when stick one of these evil things in it.

In 2005, Sony BMG purchased a software package called XCP-Aurora from a company called, at the time, First 4 Internet. XCP is a Digital Rights Management scheme for compact disks; Sony included it on some Sony/BMG albums. When a someone inserts a CD with XCP into a Windows computer, the following things happen:

  • The User is asked to accept an EULA. By the time he/she answers, some of the software has already been installed on their machine.
  • A filter is installed on the drivers for the CD-ROM drive, that hijacks all access to XCP enabled disks.
  • The XCP player is installed. This is the only player that can be used with XCP enabled disks.
  • A Patch is applied to Windows file system driver that filters out all files and folder beginning with $sys$ from process, directory, or registry listings. This is the rootkit part, as its sole purpose is to hide things from the user.
  • The Plug and Play Device Manager is installed, which constantly monitors the executable files of all processes running on the computer.

Related to this, some disks also included MediaMax from SunnComm. MediaMax tries to install a kernel extension to Mac OS X. But since few Mac OS X have their permissions set to allow this, very few Mac users were affected. This also means, users of operating systems other than Windows (Linux, BSD Solaris, Macs, etc) are effectively immune, and the CDs operate normally.

At this point, the only way to access an XCP enabled disk is through the included player. The user is limited to how many times they can rip the music, or burn it to another CD. The music can only be copied to the small, select list of portable music players. The iPod is not on that list. Any other program that attempts to access the CD is greeted with a barrage of white noise, rendering the music unusable.


More than one aspect of this software can be considered a Bad ThingTM.

  • It installs itself automatically, and does not give the user a chance to say no, despite the EULA dialog box.
  • It tampers with the inner workings of the operating system, interposing itself between the OS and hardware devices.
  • It takes active measures to hide itself from the user, at the file system level; and the hiding aspect can be (and was) easily exploited by other malicious software.
  • Part of the software regularly phones home to a Sony server, without informing the user that it is accessing the Internet, or what kind of information is being conveyed.
  • It does not provide an easy and straight forward way to completely remove itself, and if you simply delete the files, you'll render parts of your computer unusable.
  • The Plug and Play Device Manager, in addition to having a misleading name, causes near constant access of the computer's hard drive. This can shorten the drive's life, and places unnecessary load on the system.

These are all considered be very bad practices by computer programmers and security specialists. The software was flagged as both a Trojan Horse and a rootkit by multiple anit-spyware setups, including the Windows Malicious Software Removal Tool from Microsoft.

Now we come to the real fun part. Once the Shit started to really hit the fan, First 4 Internet made an uninstaller available on the Internet so people could remove this wonderful piece of software from their machines. The uninstaller is actually an ActiveX control installed by the First 4 Internet website. Once it is done, it remains on the computer indefinitely. And it allows any website to run software on the infected computer without restriction.

Let me repeat:

Once you remove XCP from your computer using the web-based uninstaller from First 4 Internet, ANY website you visit can run any software it wants on your computer, WITHOUT RESTRICTION!

And then there's the fact that XCP infringes on the copyright of LAME, mpglib, FAAC, id3lib, mpg123, and VLC. Some of these are licensed under the GPL or LGPL.

Ironic that software designed to keep you from violating copyright law is itself violating copyright law.

Log in or register to write something here or to contact authors.