November 20, 2005

Sony Music’s spyware

By: Tim Lee

Music publisher Sony BMG isn’t having a good month. Security researchers recently discovered that digital rights management (DRM) software bundled with some of its CDs has the potential to compromise the security, stability, and privacy of its customers’ computers. After initially downplaying the problems with the software, Sony finally acknowledged its mistake and recalled the offending CDs last week.

So far, most press coverage has focused on the design flaws and bugs in the software. But what should really make consumers mad is what the presence of the software reveals about Sony’s attitude towards its customers. Both Sony’s initial decision to bundle the software, and its behavior since flaws in the software were discovered, are revealing. Sony, it seems, trusts its customers (people who eschewed piracy and paid for Sony’s product) so little that it felt the need to seize control of their computers and dictate how they could be used. If I were a Sony BMG customer, I would be insulted.

The existence of the software, called XCP, was first reported on Halloween by security researcher Mark Russinovich. He discovered that once installed, the software ran continuously on the user’s computer, slowing it down even when the user wasn’t listening to a protected CD. When a user inserted a Sony CD, the software sent information about the user’s listening habits back to remote servers. Neither of these “features” was clearly disclosed in the license agreement accompanying the CD.

Nor did the software come with an un-install option. If a user discovered the files and simply deleted them, Russinovich found, that was likely to break the user’s CD drive. Moreover, the software hid its presence from the user by making the program’s files invisible to standard system administration tools. What do you call software that hides its existence, resists removal, and reports on users’ activities without their permission? Most people would call it spyware.

Even worse, this “cloaking” feature that made the program’s files invisible actually cloaked any program whose name started with the string “$sys$.” Security experts soon discovered a “trojan horse” being distributed on the Internet that used this “feature” to hide itself from the user. Not only does Sony’s software resemble spyware, but it makes the job of other spyware developers easier as well.
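The cloaking rule described above can be checked with a cross-view comparison: list a directory through the normal API and again through a lower-level source, and anything present only in the second listing has been filtered. The script below is an added illustration, not code from the article or from XCP; it simulates the filter as a name-prefix rule and uses constructed file names.

```python
"""Cross-view detection of files cloaked by a name-prefix filter.

Added illustration, not code from the article or from XCP. It models
the behaviour the article describes: a filter that hides every name
beginning with "$sys$" from ordinary directory listings. A cross-view
check compares a listing taken through the hooked API with one taken
from a lower-level source and reports what the hook removed.
"""

CLOAK_PREFIX = "$sys$"  # the prefix the article reports XCP hides


def is_cloaked_name(name: str) -> bool:
    """True if a file name matches the prefix rule the cloak applies."""
    return name.startswith(CLOAK_PREFIX)


def hooked_listing(raw_listing: list[str]) -> list[str]:
    """Simulated output of a directory-listing API filtered by the cloak."""
    return [n for n in raw_listing if not is_cloaked_name(n)]


def cross_view_diff(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Names in the low-level view that are missing from the API view.

    A non-empty result means something is filtering listings. Scanning
    the API view alone for the prefix finds nothing, because the cloak
    has already removed every matching name from that view.
    """
    return sorted(set(raw_view) - set(api_view))


# Constructed sample listing (placeholder names, not real XCP files).
RAW_VIEW = ["readme.txt", "$sys$example.dll", "player.exe", "$sys$other.exe"]


def hidden_entries(raw_view: list[str] = RAW_VIEW) -> list[str]:
    """Run the cross-view check against the simulated hooked API."""
    return cross_view_diff(hooked_listing(raw_view), raw_view)


if __name__ == "__main__":
    for name in hidden_entries():
        print("hidden from standard tools:", name)
```

Any discrepancy between the two views is the signal; the prefix only explains why these particular names disappeared.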

In light of these revelations, you might have expected Sony to promptly release a utility to remove the software, and publicize its availability widely among its customers. That’s not quite what they did. Instead they implemented a ludicrously complex process that involved filling out multiple web forms, installing even more unnecessary software on your computer, explaining why you want to uninstall, and then waiting up to one business day for a tech support person to email un-installation instructions.

As if that weren’t enough to antagonize their customers, security researchers soon discovered that the removal process opens up an even more serious security hole–one that could potentially allow malicious web sites to execute arbitrary code on any computer that visited them.

Sony’s decision to install spyware on its customers’ computers was a major blunder. The obvious question is: why did Sony do it in the first place? After all, the music industry has been selling traditional CDs for more than two decades, and they play just fine on today’s computers.

Sony calls its software a “digital rights management” system. It is designed to prevent piracy by making it difficult to make unauthorized copies. To do that, the software seizes control of the user’s computer and tries to restrict how it is used. Such an effort inevitably puts Sony in an adversarial position with its customers. The fundamental premise of Sony’s software–like all DRM software–is that a user cannot be trusted with control of his own computer. The company’s less-than-helpful un-installation procedure is perfectly consistent with that attitude: they seemed determined to make the process as cumbersome as possible so that most of their customers would give up and leave the software on their systems.

This is simply not a good business strategy. Smart businesses treat their customers as cherished assets. They go out of their way to meet their needs and improve their experiences. Digital rights management software like XCP turns this philosophy on its head, prohibiting the user from doing anything with a song that hasn’t been specifically approved by the company. iPods, for example, aren’t compatible with Sony’s DRM scheme, so the software restricts consumers’ ability to listen to the songs on an iPod.

Sony seems to have forgotten that, by definition, music pirates don’t buy CDs. They download illegal MP3 files from peer-to-peer file-sharing networks. Yet Sony’s DRM system is only installed on the computers of their paying customers. People who download the songs from the Internet aren’t going to be affected at all.

But wasn’t Sony’s software at least helping to reduce the spread of illegal music on the Internet? It’s not likely. After all, it just takes one person to unscramble a song and upload it to the Internet. No one has ever invented an uncrackable DRM scheme, and this one is no exception. And once a single unprotected copy of a song has been uploaded to the Internet, DRM does absolutely nothing to stop its spread. As any college kid knows, virtually every song ever made is available for download from peer-to-peer networks.

Sony BMG seems determined to turn the screws ever tighter on the people who are playing by the rules and paying for their music. Of course, the rest of the music industry is rushing in the same direction. By adopting restrictive DRM schemes, the music industry is sending a clear message to consumers: “if you buy songs from us rather than downloading them from a peer-to-peer site, we’ll make sure you regret it.”

Tim Lee is the science and technology editor of Brainwash and the editor at the Show-Me Institute, a Missouri think tank. His website is www.binarybits.org.