Select Sony/BMG Music CDs Include Invasive Digital Rights Management Software
Posted by Brian Wong
The term "rootkit" entered a broader public consciousness after researchers discovered that Sony BMG Music Entertainment (Sony) has included digital rights management (DRM) software on 19 music CDs that must be installed in order for a PC to play the CD. The software installs itself deep within the Windows operating system and hides itself from view using rootkit technology. It runs even when the CD is not being played, consuming system resources. The software is difficult to remove and the removal process can crash the computer and/or disable the computer's CD drive.
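The cloaking described above is what a "cross-view" scanner catches: it compares what a hooked, filtered API reports against what is actually on disk, and any object present in the raw view but absent from the filtered view has been hidden. The following is an added illustration, not code from the article or from any of the parties it describes; it models the file system as a small constructed in-memory table, models the rootkit's hook as a name filter, and runs the comparison. The `$sys$` prefix is the naming convention that the XCP rootkit used to decide what to hide; all file and directory names below are constructed sample values.

```python
"""Cross-view detection of cloaked directory entries (added example, toy model)."""
from __future__ import annotations

from dataclasses import dataclass, field

# The XCP rootkit hid any object whose name began with this prefix.
HIDDEN_PREFIX = "$sys$"


@dataclass
class SimulatedVolume:
    """Stand-in for raw on-disk directory entries (assumption: toy model).

    Maps a directory path to the set of entry names really stored in it.
    """
    entries: dict[str, set[str]] = field(default_factory=dict)

    def raw_listing(self, directory: str) -> set[str]:
        """The 'low-level' view: read straight from the volume, bypassing hooks."""
        return set(self.entries.get(directory, set()))


def cloaking_filter(names: set[str], prefix: str = HIDDEN_PREFIX) -> set[str]:
    """Models the rootkit's API hook: silently drop entries matching the prefix."""
    return {name for name in names if not name.startswith(prefix)}


def api_listing(volume: SimulatedVolume, directory: str) -> set[str]:
    """The 'high-level' view an application sees once the hook is installed."""
    return cloaking_filter(volume.raw_listing(directory))


def cross_view_diff(volume: SimulatedVolume, directory: str) -> list[str]:
    """Return the names present on disk but missing from the filtered API view."""
    raw = volume.raw_listing(directory)
    seen = api_listing(volume, directory)
    return sorted(raw - seen)


def scan(volume: SimulatedVolume) -> dict[str, list[str]]:
    """Run the cross-view comparison over every directory; report only hits."""
    return {
        directory: hidden
        for directory in volume.entries
        if (hidden := cross_view_diff(volume, directory))
    }


# Constructed sample data: one volume carrying cloaked entries, one clean.
SAMPLE_VOLUME = SimulatedVolume({
    "C:/system": {"kernel.dll", "$sys$cloaked.sys", "$sys$cloaked.exe"},
    "C:/drivers": {"disk.sys", "net.sys"},
    "C:/drm": {"$sys$player.exe", "readme.txt"},
})
CLEAN_VOLUME = SimulatedVolume({
    "C:/system": {"kernel.dll"},
    "C:/drivers": {"disk.sys"},
})


if __name__ == "__main__":
    for directory, hidden in scan(SAMPLE_VOLUME).items():
        print(f"{directory}: cloaked entries {hidden}")
    print("clean volume hits:", scan(CLEAN_VOLUME))
```

The design point is that the detector never needs to know the rootkit's filter rule: it only needs two independent views of the same data and flags where they disagree. On a real system the raw view comes from reading the file system or registry hive structures directly rather than through the hooked API, which is how the discrepancy in this case was first noticed.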
The DRM software, created by British company First 4 Internet, was first released on a commercial disc in the United States nearly eight months ago. The software restricts copying of the protected CDs, and makes them unusable on an iPod. The affected CDs include an end-user license agreement (EULA) that users must agree to in order to play the CDs on a PC.
Mark Russinovich, the chief technology officer for Winternals and one of the first researchers to publicize Sony's use of a rootkit to hide its copy-protection software, called the software invasive, and noted it exposes users to threats from hackers and viruses. The rootkit technique could be used by virus writers to hide their own malicious software, and the First 4 Internet software is unlikely to be updated to correct security flaws. Since users may not be aware of its presence, they would not know of the possible security issue; even if users know the software is installed, they may be unable to remove it due to the difficulty of that process. The EULA
Sony has defended the technology: "This [rootkit] component is not malicious and does not compromise security. However, to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released." Mathew Gilliat-Smith, the CEO of First 4 Internet, called the issue "a tempest in a teapot . . . It's benign content protection. It's not malware, it's not spyware—it's innocent." He also called the furor "slightly old news . . . For the eight months that these CDs have been out, we haven't had any comments about malware (malicious software) at all."
Some security software manufacturers have characterized the DRM software as spyware, and some have developed tools to remove it. Computer Associates and Symantec have issued warnings. A first wave of malicious software written to piggyback on Sony BMG Music Entertainment CD copy protection tools has been identified online. Russinovich has criticized First 4 Internet's contentions about the nature of the software and the efficacy of the patch.
The Sony and First 4 Internet update is a patch (revised once since the initial release) that uncloaks the copy protection software but does not remove it. CD purchasers must e-mail the company's customer service department to get instructions for uninstalling the software. Russinovich analyzed the patch, finding that it caused a "Blue Screen of Death" crash which demonstrates that rootkits create reliability risks in addition to security risks.
Sony has abandoned the rootkit protection method, but still intends to install copy-protection software on every audio CD. Noting that a "computer virus is circulating that may affect computers with XCP content protection software," on November 11, 2005, Sony stated it will temporarily suspend the manufacture of copy-protected CDs and re-examine its digital-rights management strategy.
Citing Variety, Engadget noted that, by making protected CDs unusable on an iPod, the DRM is designed to pressure Apple to open the iPod to music services other than the iTunes Music Store. But the outcry has forced Sony to make available a workaround via e-mailed instructions for anyone who complains about the problem. The Bad Plus, a band whose CD contains the software, has posted the instructions on its website at Sony's request. Some artists and labels have stated the DRM was included on their CDs without their knowledge or permission.
Stewart Baker, the Department of Homeland Security's assistant secretary for policy, addressed the Sony DRM software at an event on combating intellectual-property theft: "It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."
Analysts at Gartner have issued a warning to clients of a consumer backlash against invasive practices of this type: "The use of spyware techniques, however benign in purpose, constitutes bad business practice and should be discouraged. Any attempt to sneak software onto a customer's computer or gather any information without consent is unacceptable."
The Electronic Frontier Foundation has posted an analysis of the 3,000-word EULA that applies to any digital copies made of the music on the Sony CDs. One class-action lawsuit against Sony BMG Music Entertainment has been filed in California, and more are expected.
