- Sony BMG CD copy prevention scandal
The Sony BMG CD copy prevention scandal concerns the
copy preventionmeasures included by Sony BMGon compact discs in 2005. Sony BMG included the Extended Copy Protection(XCP) and MediaMax CD-3software on music CDs. XCP was put on 52 titles [ [http://cp.sonybmg.com/xcp/english/titles.html "CD’s Containing XCP Content Protection Technology"] , Sony/BMG web site, retrieved November 22, 2006.] and MediaMax was put on 50 titles. [http://news.bbc.co.uk/1/hi/technology/4511042.stm "Anti-Piracy CD Problems Vex Sony"] , BBC News, retrieved November 22, 2006. This software was automatically installed on Windows desktop computers when customers tried to play the CDs. The software interferes with the normal way in which the Microsoft Windows operating systemplays CDs, opening security holes that allow viruses to break in, and causing other problems. It is widely described as malware.
As a result, a number of parties have filed lawsuits against Sony BMG; the company ended up recalling all the affected CDs; and greater public attention was drawn to the issue of commercially-backed
History & technical information
In August 2000, statements by
Sony Pictures EntertainmentUS senior VP Steve Heckler foreshadowed the events of late 2005. Heckler told attendees at the Americas Conference on Information Systems "The industry will take whatever steps it needs to protect itself and protect its revenue streams...It will not lose that revenue stream, no matter what...Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source - we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC...These strategies are being aggressively pursued because there is simply too much at stake." [Anastasi, M. A. [http://www.nyfairuse.org/sony.xhtml "Sony Exec: We Will Beat Napster,"] "New Yorkers For Fair Use" web site, August 17, 2000, retrieved November 13, 2006.] BMG in Europe experienced a similar scandal in 2002 when CDs were sold with copy protection measures, but without any warning labels. They were eventually replaced by BMG, [Smith, Tony. [http://www.theregister.co.uk/2001/11/19/bmg_to_replace_antirip_natalie/ "BMG to replace anti-rip Natalie Imbruglia CDs,"] "The Register, " November 19, 2001, retrieved November 13, 2006.] but the company made clear intentions to continue copy-protection innovations. [Lettice, John. [http://www.theregister.co.uk/2002/11/06/no_more_music_cds_without/ "'No more music CDs without copy protection,' claims BMG unit,"] "The Register," November 6, 2002, retrieved November 13, 2006.] [Lettice, John. [http://www.theregister.co.uk/2002/11/21/all_cds_will_be_protected/ "All CDs will be protected and you are a filthy pirate,"] "The Register," November 21, 2002, retrieved November 13, 2006.]
Sony BMG software issues
October 31 2005, Mark Russinovichposted to his bloga detailed description and technical analysis of the characteristics of the software contained on Sony BMG music CDs. Called "Sony, Rootkits and Digital Rights Management Gone Too Far", the article asserts vocally that the software is illegitimate and that digital rights managementhad "gone too far."Russinovich, Mark. [http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx "Sony, Rootkits and Digital Rights Management Gone Too Far,"] , "Mark's Blog," October 31, 2005, retrieved November 22, 2006.
Russinovich stated that there were shortcomings in the software design that manifest themselves as security holes that can be exploited by malicious software such as worms or viruses. He also mentioned that the XCP software installed silently before the
EULAappeared, that the EULA does not mention the XCP software, and that there was no uninstaller, all of which are illegal in various ways in various jurisdictions.
Ed Felten's "Freedom to tinker" blog featured an article by J. Alex Halderman discussing the SunnComm DRM also found on some Sony BMG CDs, which is very similar to the F4I software in that it installs without authorization or notification, and does not have an uninstaller.Halderman, J. Alex. [http://www.freedom-to-tinker.com/?p=925 "Sony Shipping Spyware from SunnComm, Too"] , "Freedom To Tinker,"
November 12, 2005, retrieved November 22, 2006.
The article also asserts that the software runs in the background and consumes system resources, slowing down the user's computer, regardless of whether there is a protected CD playing.
Russinovich presented evidence that the software employs unsafe procedures to start/stop the
rootkit, which could lead to system crashes (leading to the Blue Screen of Death) and that inexpert attempts to uninstall the software can lead to the Windows operating system failing to recognize existing drive(s). The Sony rootkit is designed to hide any files, registry keys and processes starting with the string $sys$, making it very easy for writers of worms and other malware to also hide their files by simply using the same name. Within weeks there were several trojans and worms taking advantage of this functionality in machines already compromised by the Sony rootkit.
F-Secureasserted, "Although the software isn't directly malicious, the used rootkit hiding techniques are exactly the same used by malicious software to hide themselves. The DRM software will cause many similar false alarms with all AV software that detect rootkits. ... Thus it is very inappropriate for commercial software to use these techniques."Larvala, Samuli. [http://www.f-secure.com/v-descs/xcp_drm.shtml "F-Secure Rootkit Information : XCP DRM Software"] , "F-secure Computer Rootkit Information Pages," November 29, 2005, retrieved November 1, 2006. After public pressure, Symantec[http://www.symantec.com/security_response/writeup.jsp?docid=2005-110615-2710-99 "SecurityRisk.First4DRM"] , "Symantec Security Response," November 2005, retrieved November 22, 2006. and other anti-virus vendors included detection for the rootkit in their products as well, and Microsoft announced it would include detection and removal capabilities in their security patches. [http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html "Sony's DRM Rootkit: The Real Story"] , "Shneier On Security," November 17, 2005, retrieved November 22, 2006.
Rootkit removal program
Sony BMG [http://cp.sonybmg.com/xcp/english/updates.html released a software utility] to remove the rootkit component of XCP from affected Microsoft Windows computers, but this removal utility was soon analyzed by Russinovich again in his blog and revealed as only exacerbating the privacy and security concerns. [http://blogs.technet.com/markrussinovich/archive/2005/11/04/more-on-sony-dangerous-decloaking-patch-eulas-and-phoning-home.aspx "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home"] , "Mark's Blog,"
November 4, 2005, retrieved November 22, 2006.
December 6, 2005, retrieved November 22, 2006.
November 18 2005, Sony BMG provided a "new and improved" removal tool to remove the rootkit component of XCP from affected Microsoft Windows computers.
Opponents of Sony BMG's actions, including Slashdot and
Diggcontributors, later accused Sony BMG of violating the privacy of its customers to create a backdoor onto their machine using code that itself violates an open-source license. They claimed that this DRM program, designed to give Sony BMG control over the customer's machine in the name of copyright protection, is itself infringing copyright by including code from the LAMEMP3 library.CMDR Taco [http://yro.slashdot.org/yro/05/11/15/1250229.shtml?tid=117&tid=188&tid=17 "Sony Rootkit Allegedly Contains LGPL Software"] , "Slashdot," November 15, 2005, retrieved November 22, 2006..
Legal and financial problems
November 15, 2005 vnunet.comannounced [cite web
title=Sony backs out of rootkit anti-piracy scheme
date=2005-11-15] that Sony BMG was backing out of its copy-protection software, recalling unsold CDs from all stores, and offering consumers to exchange their CDs with versions lacking the software. The
Electronic Frontier Foundationcompiled [http://www.eff.org/deeplinks/archives/004144.php a partial list of CDs with XCP] . Sony BMG was quoted as maintaining that "there were no security risks associated with the anti-piracy technology", despite numerous virus and malware reports. On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. They said that XCP uses rootkit technology to hide certain files from the computer user, and that this technique is a security threat to computer users. They also said one of the uninstallation options provided by Sony BMG introduces further vulnerabilities to a system. US-CERT advised, "Do not install software from sources that you do not expect to contain software, such as an audio CD." [http://www.us-cert.gov/current/archive/2005/11/17/archive.html#xcpdrm "First 4 Internet XCP DRM Vulnerabilities"] , "US-CERT Activity Archive," November 15, 2005, retrieved November 22, 2006.
Sony BMG announced that it had instructed retailers to remove any unsold music discs containing the software from their shelves.Taylor, Paul. [http://news.ft.com/cms/s/e9e41f72-56f4-11da-b98c-00000e25118c.html "Sony BMG bows to pressure"] , "Financial Times,"
November 17, 2005, retrieved November 22, 2006.It was estimated by internet expert Dan Kaminskythat XCP was in use on more than 500,000 networks. [http://news.bbc.co.uk/2/hi/technology/4445550.stm "More pain for Sony over CD code"] , "BBC News," November 17, 2005, retrieved November 22, 2006.
CDs with XCP technology can be identified by the letters "XCP" printed on the back cover of the jewel case for the CD.
November 18, 2005 Reutersreported that Sony BMG would exchange affected insecure CDs for new unprotected disks as well as unprotected MP3 files. [http://today.reuters.com/investing/financeArticle.aspx?type=governmentFilingsNews&storyID=URI:urn:newsml:reuters.com:20051118:MTFH53938_2005-11-18_20-35-33_L18167933:1]
Information about the swap can be found at [http://cp.sonybmg.com/xcp/ the Sony BMG swap program website] . As a part of the swap program, consumers can mail their XCP-protected CDs to Sony BMG and would be sent an unprotected disc via return mail. On
November 29then-New York Attorney General Eliot Spitzerfound through his investigators that despite the recall of November 15Sony BMG CDs with XCP were still for sale in New York City music retail outlets. Spitzer said "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year, [and] I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."Hesseldahl, Arik. [http://businessweek.com/technology/content/nov2005/tc20051128_573560.htm " Spitzer Gets on Sony BMG's Case "] , "BusinessWeek Online," November 29, 2005, retrieved November 22, 2006.
The next day, Massachusetts Attorney General
Tom Reillyissued a statement saying that Sony BMG CDs with XCP were still available in Boston despite the Sony BMG recall of November 15. [http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1540] Attorney General Reilly advised consumers not to purchase the Sony BMG CDs with XCP and said that he was conducting an investigation of Sony BMG.
April 2, 2008Sony BMG's website finally offered consumers their explanation and list of affected CDs. [http://cp.sonybmg.com/xcp/english/titles.html]
May 11, 2006 [http://www.sonybmg.com/ Sony BMG's website] offered consumers a link to [http://web.archive.org/web/20061221221411/http://www.sonybmgcdtechsettlement.com/ "Class Action Settlement Information Regarding XCP And Mediamax Content Protection."] It has online claim filing and links to software updates/uninstallers. The deadline for submitting a claim was June 30, 2007.
Texas state action
November 21, 2005, Texas Attorney General Greg Abbottsued Sony BMG. [http://www.oag.state.tx.us/oagnews/release.php?id=1266] Texas is the first state in the United States to bring legal action against Sony BMG in this matter. The suit is also the first filed under the state’s 2005 spyware law. It alleges the company surreptitiously installed the spyware on millions of compact music discs (CDs) that consumers inserted into their computers when they play the CDs, which can compromise the systems.
December 21, 2005, Abbott added new allegations to his lawsuit against Sony-BMG, regarding MediaMax. [http://www.oag.state.tx.us/oagnews/release.php?id=1370] The new allegations claim that MediaMax violates the state's spyware and deceptive trade practices laws, because the MediaMax software is installed even if users decline the license agreement that would authorize its installation. Abbott said "We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music", and "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes." In addition to violations of the Consumer Protection Against Computer Spyware Act of 2005, which allows for civil penalties of $100,000 for each violation of the law, the alleged violations added in the updated lawsuit (on December 21, 2005) carry maximum penalties of $20,000 per violation.Fact|date=September 2008
New York and California class action suits
Class action suits have been filed against Sony BMG in New York and California. [http://news.bbc.co.uk/1/hi/technology/4424254.stm "Sony sued over copy-protected CDs; Sony BMG is facing three lawsuits over its controversial anti-piracy software"] , "BBC News," November 10, 2005, retrieved November 22, 2006.
December 30, 2005, the New York Timesreported that Sony BMGhas reached a tentative settlement of the lawsuits, proposing two ways of compensating consumers who have purchased the affected recordings. [http://www.nytimes.com/2005/12/30/technology/30soft.html "Sony BMG Tentatively Settles Suits on Spyware"] , Associated Press report in "The New York Times," December 30, 2005, retrieved November 22, 2006. (Free web registration required to view content.) According to the proposed settlement, those who purchased an XCP CD will be paid $7.50 per purchased recording and given the opportunity to download a free album, or be able to download three additional albums from a limited list of recordings if they give up their cash incentive. District Judge Naomi Reice Buchwald entered an order tentatively approving the settlement on January 6, 2006.
The settlement is designed to compensate those whose computers were infected, but not otherwise damaged. Those who have damages that are not addressed in the class action are able to opt out of the settlement and pursue their own litigation.
A fairness hearing was held on
May 22, 2006 at 9:15 am at the Daniel Patrick MoynihanUnited States Courthouse for the Southern District of New York.
Claims had to be submitted by
December 31, 2006. Class members who wished to be excluded from the settlement must have filed before May 1, 2006. Those who remained in the settlement could attend the fairness hearing at their own expense and speak on their own behalf or be represented by an attorney.
It was reported on
December 24, 2005 that then-Florida Attorney General Charlie Cristwas investigating Sony BMG spyware. [http://www.sptimes.com/2005/12/24/State/Crist_s_office_joins_.shtml "Crist's office joins Sony BMG spyware probe"] , "St. Petersburg Times Online," December 24, 2005, retrieved November 22, 2006.
In Italy, ALCEI (an association similar to EFF) also reported the rootkit to the Financial Police, asking for an investigation under various computer crime allegations, along with a technical analysis of the rootkit. [http://www.theinquirer.net/?article=27508 "Crist's office joins Sony BMG spyware probe"] , "The Inquirer,"
November 7, 2005, retrieved November 22, 2006. On November 21, EFF announced that they were also pursuing a lawsuit over both XCPand the SunnComm MediaMaxDRM technology. On December 6, 2005 Sony-BMG said that 5.7 million of its CDs were shipped with SunnComm MediaMax that requires a new software patch to prevent a potential security breach in consumers' computers. The security vulnerability was discovered by EFF and brought to the attention of Sony BMG. The MediaMax Version 5 software was loaded on 27 Sony BMG titles. All these suits are regarding security threats and other damage to customer computers, not copyright issues in the code. The EFF lawsuit also involves issues concerning the Sony BMG end user license agreement.The US Department of Justice (DOJ) made no comment on whether it would take any criminal action against Sony. However Sony did receive a public admonishment from Stewart Baker of the Department of Homeland Security, who in a speech at a Chamber of Commerce event made the statement, "it's your intellectual property — it's not your computer". [Richard Menta. Bush Administration to Sony: It's your intellectual property -- it's not your computer. November 12, 2005. http://www.mp3newswire.net/stories/5002/admonish.html]
January 30, 2007, the U.S. Federal Trade Commission(FTC) announced a settlement with Sony BMG on charges that their CD copy protection had violated Federal Law. The settlement requires Sony BMG to reimburse consumers up to $150 to repair damage that resulted directly from their attempts to remove the software installed without their consent. The settlement also requires them to provide clear and prominent disclosure on the packaging of future CDs of any limits on copying or restrictions on the use of playback devices, and bars the company from installing content protection software without obtaining consumers’ authorization. [cite web
January 30 2007
title=Sony BMG Settles FTC Charges
publisher= [http://www.ftc.gov/ Federal Trade Commission]
accessdate=2007-06-20] FTC chairwoman
Deborah Platt Majorasadded that, "Installations of secret software that create security risks are intrusive and unlawful. Consumers' computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content." [cite web
January 31 2007
title=Sony BMG Settles FTC "Rootkit" Charges
publisher= [http://www.consumeraffairs.com/ ConsumerAffairs.Com]
Company & press reports
National Public Radiowas one of the first to report on the scandal on November 4, 2005. [ [http://www.npr.org/templates/story/story.php?storyId=4989260 Sony Music CDs Under Fire from Privacy Advocates : NPR ] ] Thomas Hesse, Sony BMG's Global Digital Business President, told reporter Neda Ulaby, "Most people, I think, don't even know what a rootkitis, so why should they care about it?"
November 7, 2005 article, vnunet.com summarised Russinovich's findings, [ [http://www.vnunet.com/vnunet/news/2145617/sony-cd-rootkit-spell-doom vnunet.com analysis: Sony CD rootkit could spell doom - vnunet.com ] ] and urged consumers to avoid buying Sony BMG music CDs for the time being. The following day, " The Boston Globe" classified the software as spywareand Computer Associates' eTrust Security Management unit VP Steve Curryconfirmed that it communicates personal information from consumers' computers to Sony BMG (namely the CD being played and the user's IP address). [Bray, Hiawatha. [http://www.boston.com/business/technology/articles/2005/11/08/security_firm_sony_cds_secretly_install_spyware/ "Security firm: Sony CDs secretly install spyware"] , "The Boston Globe," November 8, 2005, retrieved November 22, 2006. The methods used by the software to avoid detection were likened to those used by data thieves.
The first virus which made use of Sony BMG's stealth technology to make malicious files invisible to both the user and anti-virus programs surfaced on
November 10.Sanders, Tom, and Thompson, Iain. [http://www.vnunet.com/vnunet/news/2145874/virus-writers-exploit-sony-drm "Virus writers exploit Sony DRM; Sony doomsday scenario becomes reality"] , "vnunet.com," 2005-11-10, retrieved 2006-11-22. One day later " Yahoo! News" announced that Sony BMG had suspended further distribution of the controversial technology.
According to ZDNet News:"The latest risk is from an uninstaller program distributed by
SunnCommTechnologies, a company that provides copy protection on other Sony BMG releases." The uninstall program obeys commands sent to it allowing others "to take control of PCs where the uninstaller has been used."Halderman, J. Alex [http://www.freedom-to-tinker.com/?p=931 "Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole"] , "Freedom to Tinker," November 17, 2005, retrieved November 22, 2006.
BBC Newson November 14, 2005, Microsoft decided to classify Sony BMG's software as " spyware" and provide tools for its removal. Speaking about Sony BMG suspending the use of XCP, Microsoft employee Mark Russinovichsaid, "This is a step they should have taken immediately." [http://news.bbc.co.uk/1/hi/technology/4434852.stm "Microsoft to remove Sony CD code; Sony's controversial anti-piracy CD software has been labelled as spyware by Microsoft."] , "BBC News," November 14, 2005, retrieved November 22, 2006.
Sony BMG in Australia released a press release indicating that no Sony BMG titles manufactured in Australia have copy protection. [http://www.sonybmg.com.au/news/details.do?newsId=20030829002668 "No Copy Protection on Australian Sony BMG CDs"] , retrieved
18 January, 2007
Extended Copy Protection
Digital rights management
OpenMG, DRM used by Sony BMG's SonicStagesoftware for Sony Connecton-line music store
File sharing and the law
# [http://www.npr.org/templates/story/story.php?storyId=4989260 "Sony Music CDs Under Fire from Privacy Advocates"] ,
National Public Radio, 2005-11-04
# Bergstein, Brian (
2005-11-18). [http://seattlepi.nwsource.com/business/1310AP_Music_Copy_Protection.html "Copy protection an experiment in progress"] . "Seattlepi.com".
# Halderman, J. Alex, and Felten, Edward. [http://itpolicy.princeton.edu/pub/sonydrm-ext.pdf "Lessons from the Sony CD DRM Episode"] (PDF format), "Center for Information Technology Policy," Department of Computer Science, Princeton University,
# Gartner: [http://www.gartner.com/DisplayDocument?doc_cd=136331 Sony BMG DRM a Public-Relations and Technology Failure]
# [http://www.mp3newswire.net/stories/5002/admonish.html Bush Administration to Sony: It's your intellectual property -- it's not your computer] -
2005-11-12 MP3 Newswirearticle
* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1072229 Academic article examining the market, legal, and technological factors that motivated Sony BMG's DRM strategy]
* [http://www.ivirtuaforums.com/sony-confirms-rootkit-problem-t10834.html Article on the recent Sony USB Controversies]
* [http://www.sonybmg.com/mediamax/titles.html List of titles affected by MediaMax]
* [http://cp.sonybmg.com/xcp/english/titles.html List of titles affected by XCP]
* [http://web.archive.org/web/20061212230348/www.sonybmgcdtechsettlement.com/CDList.htm List of titles included in settlement]
* [http://www.sonysuit.com/ SonySuit.Com - Tracking The Sony BMG XCP and SunComm Lawsuits]
* [http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html "Sony anti-customer technology roundup and time-line"] , "Boing Boing."
* [http://cp.sonybmg.com/xcp/ Sony's Legal and Software Update Notice for XCP Music CDs]
* [http://www.sonybmgcdtechsettlement.com/ Information Web Site for the Sony BMG CD Technologies Settlement]
* [http://www.sonybmg.com/labels.html Sony BMG: List of record labels in the Sony BMG family]
* [http://www.groklaw.net/staticpages/index.php?page=20051122010323323 In depth analysis and references] ,
Wikimedia Foundation. 2010.
Look at other dictionaries:
Sony BMG — Music Entertainment Former type Joint venture Industry Music Entertainment Fate Sony buys … Wikipedia
Copy protection — Copy protection, also known as content protection, copy obstruction, copy prevention and copy restriction, refer to techniques used for preventing the reproduction of software, films, music, and other media, usually for copyright reasons.… … Wikipedia
Extended Copy Protection — XCP redirects here. For other uses, see XCP (disambiguation). Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet, (which on 20 November 2006, changed its name to Fortium Technologies Ltd see… … Wikipedia
List of incidents famously considered great blunders — A blunder is a spectacularly bad or embarrassing mistake a bad decision with a disastrous result. This is a list of what are widely considered to be major, historically significant blunders.To be included in this list an incident must meet two… … Wikipedia
Nothing Is Sound — Studio album by Switchfoot Released September 13, 2005 … Wikipedia
SecuROM — is a CD/DVD copy protection product, most often used for computer games running under Microsoft Windows, developed by Sony DADC. SecuROM aims to resist home media duplication devices, professional duplicators, and reverse engineering attempts.… … Wikipedia
List of software bugs — Many software bugs are merely annoying or inconvenient but some can have extremely serious consequences either financially or as a threat to human well being. This is a list of the software bugs with the most notable consequences: Space… … Wikipedia
Electronic Frontier Foundation — Infobox Company name = Electronic Frontier Foundation type = non profit organization foundation = 1990, U.S. location = San Francisco, California key people = industry = Law num employees = products = revenue = net income = homepage = [http://www … Wikipedia
MediaMax CD-3 — For the defunct file sharing social network, see The Linkup. MediaMax Technology MediaMax CD 3 is a software package created by SunnComm and was sold as a form of copy protection for compact discs. It was used by the record label RCA Records/BMG … Wikipedia
CD-ROM — Media type Optical disc Capacity 194 MiB (8 cm) 650–900 MiB (12 cm) Read mechanism 150 KiB/s (1×) 10,800 KiB/s (72×) Write mechanism 150 KiB/s (1×) 8,400 KiB/s (56×) Standard … Wikipedia