This Week's Sony DRM News

It has now been over a month since Mark Russinovich broke the story about Sony BMG's DRM software that installed rootkit code onto consumers' hard drives—exposing infected computers to malware intrusions and reporting back to Sony's servers via spyware installed without consumers' knowledge or consent. Rather than growing stale, however, the story just keeps going and going as new details come to light almost every day.

This week brought news that New York State Attorney General Eliot Spitzer, like Texas AG Greg Abbott, is unhappy about the company's XCP "copy protection." Abbott has charged the company with violating the state's anti-spyware laws, whereas Spitzer is incensed over the fact that his investigators found the infected discs still on sale over three weeks after the vulnerabilities were revealed—and over a week after Sony claimed to have recalled them.

"It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year," Spitzer's written statement charged. "I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."

Does the aggressive NY AG intend to sue? His office says only that he "is looking into the matter," but Spitzer's office sued Intermix Media last April, charging that it had installed advertising software on home computers without adequately notifying consumers it was doing so. Intermix settled out of court for $7.5 million.

That wasn't the week's only news flash. It was also revealed that Sony's other DRM system, the SunnComm-sourced MediaMax, installed spyware on consumers' computers even if they declined the End User License Agreement (EULA). The Electronic Frontier Foundation (EFF) calls this patently illegal and is suing Sony over it.

Most damning, perhaps, was BusinessWeek's revelation that Sony had been notified of the rootkit vulnerabilities on October 4 by Finnish anti-virus company F-Secure. F-Secure claims that Sony did not comprehend the seriousness of the problem and wasted time insisting that there was, in essence, no problem. Sony says it acted as quickly as it could and had hoped to go public after it had developed a fix—something it has yet to accomplish. Mark Russinovich went public first, and Sony's inability to issue a working uninstaller, and its obdurate refusal to take responsibility for creating such a bollixed plan, have brought it more than a month of intensely poor publicity.

Internet security expert Bruce Schneier, chief technology officer of Counterpane Internet Security, claims that Sony's problem was relying on DRM in the first place. "Making digital files not copyable is like making water not wet," he told BusinessWeek. "You can't do it. DRM is a desperate attempt to cling to their old business model. They have to figure out how to make money in the new world."