Sony BMG Hijacks Consumers' Computers, "Apologizes" With Shoddy Fix

On November 1, Windows OS expert Mark Russinovich revealed that his rootkit detection utility had uncovered the presence of some well-hidden, poorly written code that was consuming system resources, could potentially crash his computer, and, if removed, would disable his CD drive.

This is quite common in the world of malware (viruses, worms, Trojans, spyware, etc.), but in Russinovich's case there was a really interesting angle: The hidden software was not the product of some antisocial hacker, but rather came from a CD he had legitimately purchased from Sony BMG (Van Zandt's Get Right With the Man). And to make matters even more shameful, not only was the copy-restriction software intentionally designed to hide itself from the user's scrutiny, the End User License Agreement (EULA) was deliberately vague about how agreeing to it might compromise the computer itself—and was misleading about the possibility of removing the "small, proprietary software" that was installed. In other words, after promising it could be removed, the EULA made no provision for actually doing so.

You may be asking yourself why this digital rights management (DRM) scheme is a big deal. To begin with, the DRM scheme was deliberately designed to disguise itself as a legitimate Windows function. Russinovich, an acknowledged Windows expert, only became aware of the software's existence when he tested a program he had designed to ferret out hidden invaders. Russinovich was, as he put it, "not happy having underhanded and sloppily written software on my system" and was angered that the EULA did not mention a requirement that he install software he could not remove. When he deleted the DRM's driver files and registry keys, he was stunned to discover that doing so had disabled his CD drive.

Russinovich told the AP, "If you've got software on your computer that you can't see, there's no way for you to manage it from a security point of view." He added, "The code of the application is not exactly well done. I would tend to believe there are people already working on finding exploits."

Russinovich's investigation revealed that the program was a product of First4Internet, Ltd. (F4i).

Russinovich's post created a firestorm of commentary on the Internet and in the mainstream media, such as the BBC, NPR, and USA Today. Sony BMG responded promptly with—you're probably expecting us to say "an apology" and "a solution," but, although that's the way they would like us to spin it, it just ain't so. To start with, you can search Sony's DRM FAQ long and hard, but you won't find anything like a mea culpa. In fact, you'll see stuff like:

"I have heard that the protection software is really malware/spyware. Could this be true?"
"Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive."

There's also some posturing about how Apple's "proprietary" iTunes software is incompatible with "secure music formats other than their own," and tough luck if you want to buy the CD and listen to it on your iPod. Write to Apple, says Sony (itself the manufacturer of proprietary music players)—or surrender your privacy and write to Sony (after filling out its survey questions), and they'll send you a "work around." Maybe—that may be an empty promise similar to the company's "solution" to the DRM issue.

Solution? Well, that's the way Sony is pitching it. Other sources are less than convinced. The Washington Post quotes Mikko Hypponen of the Finnish anti-virus company F-Secure as saying the only secure way to remove Sony BMG's DRM is to contact the company's website, which will generate a phone call that, after extracting "all kinds of information about your system, and your reason for wanting to remove the software," directs you to a website that downloads a Microsoft ActiveX program that discovers which version of the DRM program you have and reports that to F4i. Then you will receive an email containing a link that directs you to a site where you can download an "uninstaller."

The thing is, it doesn't uninstall the software; all the "uninstaller" does is remove the program's ability to hide itself among the Windows files. Russinovich, who definitely deserves a "Paul Revere" award for his work on this issue, weighed in again with a thorough analysis of the "patch" and concluded that, although the risk was small, "Sony's uncloaking patch puts users' systems at risk of a blue-screen crash and the associated chance of data loss."

He also discovered that, although the EULA never mentions it, the software communicates with Sony's website—sending an ID back to the mother ship, an allegation Sony BMG denies. Conceivably, this could be a feature, not a bug, since it could be a way to check for updates to the album art, lyrics, or other recording information. More soberingly, it could also be a way of recording the computer address of a DRMed disc every time it was played. Either way, end users ought to be told that they are agreeing to this before signing off on their licensing agreements.

According to The Washington Post, Sony spokesman John McKay revealed that there are currently 20 Sony BMG titles using the F4i DRM, and he says the company intends to use it on additional titles in the near future. Universal also employs the F4i technology.

The real irony is that Van Zandt's Get Right With the Man appears to be readily available for illegal download on the Internet. Downloading it without paying the artists for their work would be theft, of course, but you'd avoid exposing your computer to being hijacked, which is more than you can say about legitimately purchasing the Sony disc. (Of course, you could always purchase a compressed DRM version of the recording from iTunes.) We think Lewis Carroll might be grimly amused by this logic, but we aren't.

If you never play CDs in your computer, you don't appear to have anything to worry about. Yet. We still urge you to follow this story and similar cases carefully, because fair use as we currently understand it is obviously under attack. We'll continue to report on this vital issue, of course, but we recommend you peruse the Electronic Frontier Foundation's (EFF) excellent website regularly. Another essential piece of background reading is EFF employee Cory Doctorow's superb speech to Microsoft, in which he defended the position that DRM doesn't work and is bad for society, bad for business, and bad for artists.