Copy Protection scheme blows up in Sony BMG’s face
by Alan Zisman (c) 2005 First published in Columbia Journal December 2005 CJ-Tech column

For the past year, Sony BMG and other large music companies have been
experimenting with a variety of different copy-protection schemes on some
of their more popular CD releases, in an effort to prevent users from
‘ripping’ the songs onto their computers and
‘sharing’ them online. Users discovered that some of the
early copy-protection schemes could be outwitted as simply as drawing a
thin felt-pen line around the outside of the CD; as a result,
copy-protection schemes (referred to in the industry as Digital Rights
Management, or DRM) have grown increasingly draconian.
Sony BMG CDs from artists including Van Zant, Rosanne Cash, Celine
Dion, and Neil Diamond included XCP copy-protection software licensed
from First4Internet. On a Windows system, playing these CDs
automatically installed software (known as a ‘root kit’)
that ran invisibly to limit the ways in which the songs could be played
and copied (making it impossible to add these songs to an iPod, for
example) and to communicate to Sony about music played on that
computer. Attempts to disable the software could make the
computer’s CD drive stop working. Moreover, the root kit (a
technique increasingly used by spyware and virus creators) left the
computer open to attacks. The XCP software was installed whether or not
consumers agreed to the license agreement that popped up when the disc
was first installed.
Sony has been using the XCP copy-protection technology for most of
2005; the company ignored problems pointed out by anti-virus vendor
F-Secure. On Halloween, security researcher Mark Russinovich took the
issue public. Within a week, at least two viruses appeared that took
advantage of the security hole opened by the XCP root kit.
At first the company tried to tough it out: president Thomas Hesse
claimed “Most people don't even know what a root kit is, so why should
they care about it?” A company-released patch simply increased
the security risks. After news of the viruses (and the filing of
several class action lawsuits—including Texas’s attorney
general asking for $100,000 for each violation of the state’s
Consumer Protection Against Computer Spyware Act), on November 14 Sony
agreed to pull all affected CDs from stores (some 4.7 million) and
replace the 2.1 million copies already purchased. By mid-month,
security software from Norton, McAfee, and Microsoft identified the XCP
software as a hazard (though some wonder why this problematic software
wasn’t identified prior to the public outcry).
Check the back of recent Sony CDs for a box reading “Compatible
With” including the URL: http://cp.sonybmg.com/xcp. At least
120,000 such CDs were sold in Canada.
Despite the recall, Sony and other music companies continue to use
other DRM software; SunnComm’s MediaMax software (also identified
on CD labels) for example, also reports on what CDs and music files are
played on the computer. As if this weren’t bad enough,
installation of multiple types of DRM could make your computer more
unstable and crash-prone.
Simply turning off the Windows autoplay feature prevents the
installation of many of these copy protection schemes. (See:
http://www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76351
for instructions). And once again, Mac and Linux users get to sit back and
chuckle: these nasties (like most viruses and spyware) are
Windows-only; Mac and Linux users can freely play the affected CDs, and
even produce versions free of the copy protection.
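
An added example, not from the original column or the linked instructions: a PowerShell check of the `NoDriveTypeAutoRun` policy value, which controls AutoRun per drive type, reporting whether it is disabled for CD-ROM drives. The function name `Get-AutoRunPolicy` is hypothetical; the commented-out lines at the end make the change itself.

```powershell
# Added example: audit the AutoRun policy that governs CD/DVD drives.
# NoDriveTypeAutoRun is a bitmask; each set bit disables AutoRun for one drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
}

# Machine-wide policy first, then the per-user policy.
# When the value exists under HKLM, Windows ignores the HKCU copy.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    foreach ($path in $PolicyPaths) {
        $prop = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            # No policy value here: the operating system default applies.
            [pscustomobject]@{ Path = $path; Value = '(not set)'; CdRomDisabled = $null; DisabledFor = @() }
            continue
        }
        $value    = [int]$prop.NoDriveTypeAutoRun
        $disabled = $DriveTypeBits.Keys | Where-Object { $value -band $DriveTypeBits[$_] }
        [pscustomobject]@{
            Path          = $path
            Value         = '0x{0:X2}' -f $value
            CdRomDisabled = [bool]($value -band $DriveTypeBits['CD-ROM'])
            DisabledFor   = @($disabled)
        }
    }
}

Get-AutoRunPolicy | Format-List

# To disable AutoRun for every drive type machine-wide (run from an elevated prompt):
# New-Item -Path $PolicyPaths[0] -Force | Out-Null
# Set-ItemProperty -Path $PolicyPaths[0] -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
```
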
Ironically, in attempting to protect its ‘intellectual
property’, Sony’s software seems to have infringed on the
license of the open source LAME encoder, used in the XCP software. With
Sony’s virus-like software found on computers owned by the US
Department of Defense, presumably Sony could be prosecuted under US
criminal law. (Don’t hold your breath; while Stewart Baker of the
Department of Homeland Security warned the company: “…it's
your intellectual property -- it's not your computer,” Utah
Senator Orrin Hatch noted that damaging someone’s computer "may be
the only way you can teach somebody about copyrights.")
Some media reports initially suggested that sales of the CDs involved
were not affected. But Business Week noted that on November 2nd, Van
Zant’s ‘Get Right with the Man’ CD ranked a
respectable #887 on Amazon.com’s list of top-sellers—not
bad for a six-month-old release. By November 22, the copy-protected title
plummeted to #25,802. (With Sony’s recall, the CD is now listed
as ‘unavailable’). Terry McBride, president of
Vancouver-based Nettwerk notes: "The average consumer who's not
tech-savvy is going to buy the CD, thinking that they can load it onto
their iPod ... They're going to be royally pissed off… Why do
you want to piss off the people who buy?"
Damian Kulash, singer for the band OK Go, wrote an op-ed piece for the
NY Times stating: “I certainly don't encourage people to pirate
our music…. But before a million people can buy our record, a
million people have to hear our music and like it enough to go looking
for it. That won't happen without a lot of people playing us for their
friends, which, in turn, won't happen without a fair amount of file
sharing. As it happened, for a variety of reasons, our label didn't put
copy-protection software on our album. What a shame, though, that so
many bands aren't as fortunate.”
The story isn’t over; Sony hasn’t taken any action
concerning the 20+ million CDs released with the (still spyware but
non-root kit) MediaMax copy protection software, and other labels
releasing protected CDs seem to be getting away with the practice, at
least for now.