Analysis: Sony's DRM song and dance
By Stewart Mitchell
Posted on 22 Dec 2005 at 14:39
Faced with crippling piracy, Sony recently took heavy-handed anti-copying measures to new levels by sneaking software onto customers' computers when they played CDs from artists as diverse as Neil Diamond and Ricky Martin, outraging consumer groups.
'Music fans shouldn't have to install potentially dangerous, privacy-intrusive software on their computers just to listen to the music they've legitimately purchased,' said Electronic Frontier Foundation legal director Cindy Cohn. 'Regular CDs have a proven track record and no-one has been exposed to viruses or spyware by playing a regular audio CD on a computer. Why should legitimate customers be guinea pigs for Sony BMG's experiments?'
But user restrictions are only the tip of the iceberg for Sony. The technology was intended to limit the number of copies music fans could make of CDs, but in a PR gaffe it instead instigated a string of security flaws. The Sony discs using First4Internet's copy-protection package XCP created a hidden directory, then installed proprietary device drivers and software that rerouted Windows commands and intercepted kernel-level APIs.
The carefully concealed commands were discovered by Windows computer engineer Mark Russinovich, who came across what he described as a rootkit (usually used by hackers for easy access after cracking a computer) while running a security scan. The issue snowballed because, according to Russinovich: 'Users who stumble across the cloaked files with a scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.'
Although Sony reluctantly suspended the use of this Digital Rights Management (DRM) software and recalled impregnated CDs, the repercussions rumble on, with Sony BMG passing the buck. 'This software was provided to us by a third-party vendor, First4Internet. Discussion has centred on security concerns raised about the use of CDs containing this software.'
Not the discussion on blogs and user groups, which point the finger firmly at Sony BMG.
Surely anyone infected would have legal recourse? Sadly not: a licence agreement gets Sony BMG off the hook, although several US campaigners are attempting legal action in the US.
'Because you click on an agreement before you install the CD, Sony almost certainly isn't breaching UK laws such as the Computer Misuse Act,' said Struan Robertson, senior partner at Pinsent Masons lawyers. 'It would need to be proved beyond any reasonable doubt that access to the computer was unauthorised and that the provider knew that such access was unauthorised.
'If there were complaints that licence terms were very unfair to consumers, the Office of Fair Trading could get involved and perhaps try to have them changed, although that seems unlikely,' he said.
For the computing professional, the biggest issues aren't the restrictive practices, but the wider security issues that give access to a computer.
Even Microsoft, always keen to protect copyright despite its poor track record on security, has raised fears over vulnerabilities. In a thinly veiled criticism, the company said it would be releasing a tool to help Windows users remove the rootkit.
'We use a set of objective criteria for both Windows Defender (formerly Windows AntiSpyware) and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology,' said Microsoft anti-malware technology team architect and product manager Jason Garms. 'We have analysed this software, and determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta.'
