Digital rights body calls for Sony to recall XCP CDs

By Matt Whipp

Posted on 15 Nov 2005 at 11:31

The Electronic Frontier Foundation (EFF) has published an open letter, urging Sony to consider a product recall of CDs shipped with the controversial XCP copyright protection software which secretly installs a cloaking utility on computers.

Since the revelation that any file using a filename including '$sys$' would be hidden from view both from within Windows and from programs using Windows - including security software - a string of Trojan viruses have been launched across the Net with the goal of infecting computers with the Sony software installed.

Sony has since stalled production of CDS using the softwarwe, but stands by its right to use Digital Rights Management (DRM) software to protect its property.

Although the CDs using the software are few - around 20 titles - the EFF says that 2.1m of them have already been sold and that 2.6m remain in the inventory of retailers.

It says a temporary halt in production is not enough, and wants a recall of all XCP and SunnComm MediaMax-infected CDs, from both consumers and store shelves; a guarantee to repair, replace, or refund the purchase price of the CDs to anyone who bought the merchandise; and a major publicity campaign warning about the security risks of XCP and SunnComm MediaMax. It also wants Sony to reimburse consumers for the money and time spent on verifying the presence of the technology and any problems caused by it.

'Sony BMG must have spent a great deal of money advertising these infected CDs to an unsuspecting public,' said EFF Staff Attorney Jason Schultz. 'We think that it's only fair that an equal amount of money is spent educating the public on the damage that the product could cause to consumers around the world.'

Sony is unlikely to meet many of these demands - its decision to halt production marks the only capitulation of the company to massive pressure from consumers, the media and the security industry. Even Microsoft has said it categorises the software and spyware.

EFF Staff Attorney Corynne McSherry, said: 'Halting production is not enough. Sony needs to take steps to fix that damage it has already caused and ensure that nothing like this happens again in the future.'

Damage from the viruses being spammed out hoping to take advantage of the issue is as yet unclear. Finnish security experts F-Secure, one of two to discover the issue, has since run analysis on the virus variants they have found and discovered that the patch issued to update the XCP software is the only version that successfully hides these viruses.

Researchers wrote in the company blog: 'One of the variants we have so far analyzed are successful in installing on a machine that has an unpatched Sony DRM running... at the moment the malware is not really successful in exploiting the presence of the Sony DRM. Obviously this situation might change very soon.'

The aspect to the potential damage of this DRM episode is to the artists themselves. User reviews of CDs using the software are tainting the rating of the music itself with the negative reaction to the DRM protection. Van Zant's 'Get Right with the Man' had a one and a half star rating because of the reaction to the copy-protection technology. We have yet to see the reaction of the artists themselves, and whether they will add to the pressure on Sony to act.