Cites & Insights: Crawford at Large
ISSN 1534-0937
Libraries · Policy · Technology · Media

Selection from Cites & Insights 5, Number 14: December 2005

Perspective: Balancing Rights

Sony BMG: DRM Gone Bad

We’ve seen it in Europe: What would be called fair-use rights in the U.S. being chipped away as record companies introduce copy-protected pseudo-CDs, a few here, a few there, and get away with it. Maybe ripping isn’t as big a deal overseas. Maybe something else is going on. When companies tried pseudo-CDs in the U.S., they generally got burned—bad publicity for playing failures followed by withdrawal from the market. But they keep on trying.

This is the sad story of a formerly first-rate company gone bad, at least in part. Sony, a premier home electronics and personal computing company (and the victorious defendant in the Betamax case!) that should be in the forefront of protecting consumer entertainment interests, is also the cocreator of the Compact Disc. By definition (the “Red Book,” the licensed technical specification for pressed CD Audio Discs), a CD does not include copy protection. But Sony has also become part of Big Media, thanks to its purchase of Columbia Records, Columbia TriStar studios, MGM, and other movie and sound recording publishers—and with the merger of Sony’s sound recording division with BMG’s sound recording division to form Sony BMG, second biggest record publisher in the world.

The Big Media side of Sony seems to be in the ascendant these days. The result: Sony BMG started releasing music discs that aren’t CDs: pseudo-CDs that “protect” music from “excessive” copying. There are several ways to do that, all of them problematic. Sony managed to come up with a way that’s truly unfortunate: auto-installing software that bears more than a passing resemblance to spyware and that has already been used by crackers to sneak other malware onto personal computers.

This piece is a once-over-lightly noting some of the low points in this unfortunate story. Edward Felten’s Freedom to tinker blog may be your best source for detailed information on the story as it’s progressed to date (and as it develops from here). Here’s my quick advice for librarians and anyone else reading this:

• Don’t buy any Sony BMG disc that says anything about copy protection or that doesn’t have the Compact Disc Digital Audio logo.

• The same advice goes for other publishers: If a “CD” is copy protected, don’t buy it.

• You could consider whether you want to buy any Sony BMG discs at this point. I won’t suggest boycotting all Sony products and entertainment; that’s hard to do and may be pointless.

• If you must buy such discs for your library, it wouldn’t hurt to add a note to the cataloging record (and maybe a sticker on the case) noting that the disc may not play on all devices and could pose a security threat if used on personal computers.

• If you must use such discs on a PC (of any sort), first turn off autoplay/autorun. Holding down the shift key as you insert the CD should do the trick. You can install the TweakUI portion of Windows PowerToys on the XP install CD; start TweakUI; expand My Computer; expand AutoPlay; select Drives; then turn off the checkbox next to each drive that you don’t want to use AutoPlay/AutoRun.

• Keep your antivirus and spyware programs up to date. The big commercial vendors dropped the ball on the Sony BMG situation, apparently because when a big company produces malware it isn’t really malware—but that’s likely to change.

• Consider whether your library should be part of the class action suits against Sony BMG.
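For library IT staff who would rather script the AutoPlay step above than click through TweakUI on every public PC, here is the registry form of that setting. This is an added example, not from the original article or from Microsoft’s PowerToys; the key, value names and bit layout are the documented Explorer policy values (NoDriveTypeAutoRun by drive type, NoDriveAutoRun by drive letter), and the function names are my own.

```powershell
# Added example, not from the article: the registry settings behind the TweakUI
# AutoPlay step. Both values live under the per-user Explorer policy key; log
# off and on again so Explorer re-reads them.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$CdRomType = 0x20   # CD-ROM drive-type bit in NoDriveTypeAutoRun (0xFF = every drive type)

function Get-AutoRunPolicy {
    # Read-only check: report what is set and whether an audio disc can still autorun.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $p.NoDriveTypeAutoRun
        NoDriveAutoRun     = $p.NoDriveAutoRun
        # CD AutoRun is off when the CD-ROM type bit is set ...
        CdRomAutoRunOff    = [bool]($p.NoDriveTypeAutoRun -band $CdRomType)
        # ... or when every drive letter A..Z is masked out (TweakUI's Drives checkboxes).
        AllLettersOff      = ($p.NoDriveAutoRun -eq 0x3FFFFFF)
    }
}

function Disable-AutoRun {
    param([string[]]$DriveLetter = @())   # empty = turn it off for every drive type
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    if ($DriveLetter.Count -eq 0) {
        New-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
        return
    }
    # Per-drive form: NoDriveAutoRun has one bit per letter, A = bit 0 ... Z = bit 25.
    $mask = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).NoDriveAutoRun
    if (-not $mask) { $mask = 0 }
    foreach ($l in $DriveLetter) {
        $mask = $mask -bor (1 -shl ([int][char]$l.ToUpper() - [int][char]'A'))
    }
    New-ItemProperty -Path $PolicyKey -Name NoDriveAutoRun -PropertyType DWord -Value $mask -Force | Out-Null
}

Disable-AutoRun                         # all drive types: the simplest safe choice for a public PC
Disable-AutoRun -DriveLetter 'D','E'    # or only the optical drives, as TweakUI's Drives list does
Get-AutoRunPolicy
```

The shift-key trick still works as a one-off, but the policy value is what survives the next patron and the next reboot.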

Early Pieces

As usual, this is chronological. Freedom to tinker appears so often that I’ll just note “FTT” and a date. The situation isn’t that recent, as noted at FTT June 15, “DRM and ‘casual piracy.’” Ed Felten cites a May 31 Reuters story discussing the new “technology solutions” Sony BMG was testing “that bar consumers from making additional copies of burned CD-R discs.” Thomas Hesse of Sony BMG used the term “casual piracy, the schoolyard piracy” and said two-thirds of all “piracy” comes from ripping and burning CDs. Even that early, there were known problems: “Secure burning” meant you couldn’t put Sony BMG tracks on an iPod.

Felten also noted a San Jose Mercury News story about “casual piracy,” referring to “those who copy music CDs for their friends,” and expressed his surprise that the Mercury News “has accepted the record labels’ terminology in this matter.” Here’s Felten’s take, with which I mostly agree:

Piracy refers to making unauthorized reproductions of digital media for financial gain—or, stretching the term, for indiscriminate distribution. It is not piracy—“casual” or otherwise—when you buy music and make a few copies for close friends.

It may or may not be right—but it’s not piracy. As Jessica Litman points out (cited by Felten), Section 1008 of the copyright statute provides that consumers may make non-commercial copies of recorded music without liability. When you make a copy to give to a friend, that’s a non-commercial copy. If it’s not illegal, how can it be piracy?

Section 1008 is part of the Audio Home Recording Act—the agreement that adds royalties to the cost of audio-rated digital recording blanks and all digital audio recording devices, in return for explicitly legalizing home recording. Here’s the text:

No action may be brought under this title alleging infringement of copyright based on the manufacture, importation, or distribution of a digital audio recording device, a digital audio recording medium, an analog recording device, or an analog recording medium, or based on the noncommercial use by a consumer of such a device or medium for making digital musical recordings or analog musical recordings.

You didn’t know about AHRA? It was one of the rare attempts to explicitly balance the rights of creators and users. AHRA adds a 2% royalty to the price of a digital audio recording device and a 3% royalty to the price of digital audio recording media for home use. AHRA also requires the Serial Content Management System, which in theory means you can’t make an audio CD-R from an audio CD-R. The consumer side of this is simple: It’s not infringement to make non-commercial copies of owned audio CDs.

While not directly related to Sony BMG, an October 20 FTT post was also interesting—Felten cited Walt Mossberg of the Wall Street Journal, whose column that day called for a boycott of “products like copy-protected CDs that overly limit usage and treat everyone like a criminal.” That’s right: Mossberg, nobody’s radical, appearing in the Wall Street Journal, recommended a boycott. Mossberg distinguished between “copying a song to give to [your] brother” and “serious pirates—people who upload massive quantities of music and videos to so-called file-sharing sites, or factories in China that churn out millions of pirate CDs and DVDs.” Mossberg also missed a beat:

I believe Congress should rewrite the copyright laws to carve out a broad exemption for personal, noncommercial use by consumers, including sharing small numbers of copies among families.

For audio, at least, just such an exemption exists: Section 1008, cited above.

In the Heat of November*

November 1, 2005, Freedom to tinker: “CD DRM makes computers less secure.” This post lays out the story, as researched by Mark Russinovich of Sysinternals. Sony BMG has been using XCP2, a copy protection system from First4Internet. The first time an XCP-protected CD is inserted in a Windows system, Windows Autorun launches an installer that copies a chunk of software onto the computer. “From then on, if the user attempts to copy or rip a protected CD, the software replaces the music with static.” Or, if things work properly, it will let you copy a DRM-wrapped version of the music to the PC—but that version can only be burned to CD-R three times.

As Felten notes, the copy protection is clumsy—disabling autorun should stop it. “Or [you] can remove the software once it’s been installed, as was easily accomplished with the earlier SunnComm technology.” Here’s the rub: “Now, it seems, the latest innovation in CD copy protection involve[s] making the protection software harder to uninstall.” XCP2 uses malware (malicious software) techniques to do this—namely a “second component” that cloaks the existence of the first, even from administrators. That’s automatically bad: An administrator should always be able to see exactly what’s installed and what’s running. “What kind of software would want to hide from system administrators? Viruses, spyware, and rootkits (malicious programs that surreptitiously hand over control of the computer to a remote intruder).” Rootkits are particularly nasty—and sure enough, XCP2 uses a rootkit.

So what? So this:

Once the driver is installed, there’s no security mechanism in place to ensure that only the XCP2 software can use it. That means any application can make itself virtually invisible to standard Windows administration tools…

The next day, Wired News had a story, “The cover-up is the crime.” It refers to a “cacophony of criticism” over Russinovich’s revelation and notes, “We think the company is getting off easy.” The story calls a rootkit “a particularly insidious type of Trojan horse” (it tells portions of the OS to lie). It notes that Sony said it would issue a patch so antivirus software could undo the cloaking. But Wired holds that “the harm of the Sony DRM scheme is not that it enables evildoers, but that Sony itself did evil… By deliberately corrupting the most basic functionality of their customers’ computers, Sony broke the rules of fair play and crossed a bright line separating legitimate software from computer trespass.”

That day’s (November 2) FTT post notes that First4Internet denied there was really a problem—and noted that its team worked closely with antivirus companies such as Symantec. Worse, the company was moving “to new ways of cloaking files on a hard drive”—which means a different rootkit method. As Felten notes, “The problem is not that they used a particular rootkit method. The problem is that they used rootkit methods at all. Switching to a new rootkit method will, if anything, make the problem worse.” First4Internet also claimed “we haven’t had any comments about malware at all”—which Felten says is simply false. Felten suggests a four-step path “if SonyBMG wants to start recovering consumer trust”:

• Admit that there is a problem.

• Modify product packaging, company websites, and EULA language to disclose what the software actually does.

• Release a patch or uninstaller.

• Make clear that the companies support and permit research into the security implications of their products.

He goes on to note, “We don’t know yet whether the…software causes even more security or privacy problems for users” and any attempt to copy-protect CDs will face similar problems.

The next day, the companies released a software update claimed to “remove the cloaking technology”—but it also adds new stuff. The companies continued to assert that the original rootkit “does not compromise security,” leading Ed Felten to distrust their new assurances.

A week later, the first virus was discovered that used the Sony BMG software to hide itself. At that point, at least one public library had had enough: The Ann Arbor District Library said it wasn’t buying Sony BMG copy-protected CDs for the foreseeable future. (Reported by Jenny Levine, The shifted librarian.) FTT November 11 offers a “SonyBMG DRM customer survival kit”—instructions for seeing whether you have the rootkit, disabling the rootkit (but not the anti-copying software), removing the DRM software entirely (which requires trusting Sony BMG), and moving songs from copy-protected CDs onto iPods (or anywhere else). It’s a detailed post that you should read for yourself—but the final section is amusing, given that Felten quotes Sony BMG’s instructions verbatim. Basically, those instructions tell you how to eliminate DRM in any digital music that can be burned to an audio CD. Once you burn the music to an audio CD, you can rip it to MP3 or iTunes or anywhere: There’s no longer any copy protection. Felten:

You read that correctly—SonyBMG, which is willing to surreptitiously install a rootkit on your computer in the name of retarding copying of their music, will send, to anyone who asks, detailed instructions for making an unprotected copy of that same music.

J. Alex Halderman posted a lengthy essay on FTT, November 12, 2005: “Sony shipping spyware from SunnComm, too.” Sony BMG uses SunnComm’s MediaMax on other CDs; while it doesn’t use a rootkit, “it does behave in several ways that are characteristic of spyware.” It installs without meaningful consent or notification—including installing “around a dozen files” before offering you a license agreement, launching one of them even if you decline the agreement. The MediaMax-“protected” discs don’t include a proper uninstaller (some don’t include an uninstaller at all). The software “transmits information about you to SunnComm without notification or consent.”

Then things got worse. FTT, November 15, 2005: “Sony’s web-based uninstaller opens a big security hole; Sony to recall discs.” A Finnish researcher, “Muzzy,” noticed that the web-based uninstaller offered by Sony as a way to remove the XCP software opens a “far greater security risk than even the original Sony rootkit.” The flaw “allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes.” (Sony BMG had by now recalled the pseudo-CDs and was offering to replace them for free.)

That seems bizarre—but apparently true. When you fill out Sony’s request form for the uninstaller, it downloads and installs an ActiveX control from First4Internet called CodeSupport. CodeSupport stays on your system—and it’s marked “safe for scripting,” so any web page can use it. CodeSupport doesn’t verify the source of code that it downloads. (Read the post for the gory details.) The result? You’ve uninstalled XCP2—and, if you use Internet Explorer, semi-permanently made your system even more vulnerable. Late on November 15, Sony suspended distribution of the flawed system.
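The CodeSupport problem is a general one: any ActiveX control registered “safe for scripting” is reachable from any page Internet Explorer renders, and the only per-machine brake is IE’s kill bit. The audit below is an added example, not from the article, Sony or First4Internet; it uses the documented registry locations (the CATID_SafeForScripting category under each CLSID and the “Compatibility Flags” value under IE’s ActiveX Compatibility key), and the function names are my own. CodeSupport’s own CLSID is not given in the article, so the kill-bit call at the end takes a placeholder.

```powershell
# Added example, not from the article: list ActiveX controls marked safe for
# scripting and whether IE's kill bit already neutralises them. Read-only except
# for Set-ActiveXKillBit, which needs an elevated prompt.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$KillBit          = 0x400                                        # bit in "Compatibility Flags" that blocks a control in IE
$CompatKey        = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-ScriptableActiveX {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      Where-Object { Test-Path "$($_.PSPath)\Implemented Categories\$SafeForScripting" } |
      ForEach-Object {
        $clsid  = $_.PSChildName
        $name   = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $flags  = (Get-ItemProperty -Path "$CompatKey\$clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            CLSID   = $clsid
            Name    = $name
            Server  = $server          # the DLL/OCX a page can drive; unsigned or odd paths deserve a look
            KillBit = [bool]($flags -band $KillBit)
        }
      }
}

function Set-ActiveXKillBit {
    # Standard mitigation: set the kill bit so IE refuses to instantiate the control,
    # whether or not it is still on disk or still marked "safe".
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "$CompatKey\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value ($cur -bor $KillBit) -Force | Out-Null
}

# Controls that are scriptable from any page AND not kill-bitted are the ones to review:
# one that fetches and runs unverified code, as CodeSupport did, is a remote-code hole
# for every IE user on the machine.
Get-ScriptableActiveX | Where-Object { -not $_.KillBit } | Sort-Object Name | Format-Table -AutoSize

# Set-ActiveXKillBit -Clsid '{PLACEHOLDER-CLSID-OF-THE-CONTROL-TO-BLOCK}'
```

Expect a long list: many legitimate Windows and Office controls are safe for scripting by design, so filter on the Server path and on anything installed by a music disc or an uninstaller download.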

A November 16 FTT post, “Immunize yourself against Sony’s dangerous uninstaller,” offers a link to a tool to disable CodeSupport (and prevent it from being reinstalled). Sony modified the uninstall process so that it doesn’t use CodeSupport—but left CodeSupport on the website.

On November 17, FTT was back to SunnComm MediaMax. SunnComm also offers an uninstaller if you pester them long enough—and that uninstaller also “opens up a major security hole” similar to the other one. According to J. Alex Halderman, “I have verified that it is possible for a malicious web site to use the SunnComm hole to take control of PCs where the uninstaller has been used.” He says it’s even easier than with CodeSupport.

Wired News has another story (by Bruce Schneier) on November 17: “Real story of the rogue rootkit.” He calls it a “David and Goliath story of the tech blogs defeating a mega-corporation.” He calls this “a tale of extreme hubris” and “incompetence.” He notes that the rootkit itself might even infringe on copyright, since it seems to include an open-source MP3 encoder in violation of that encoder’s license agreement. Class-action lawsuits are underway in California and elsewhere. “While Sony could be prosecuted under U.S. cybercrime law, no one thinks it will be.” In addition to Schneier’s obligatory Windows-bashing, he discusses the “collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.” This is an excellent point, given that more than half a million PCs may have been infected with the Sony rootkit: McAfee and Symantec just weren’t there.

Other interesting themes are still developing—for example, XCP’s copyright infringement—but I’ll close for now by noting a November 17 Copyfight post, “Boiling frogs with Sony’s rootkit.” Wendy Seltzer compares Big Media’s DRM strategy to the old story about how to boil a frog: Put it in a pan of cold water and gradually turn up the heat. Thus, Apple iTunes had “modest” DRM restrictions—which became tougher, retroactively, on already-purchased tunes. If you accept iTunes limitations, “you might not notice as you lose the ability to do your own format-shifting.” And so on, and so on.

Sony BMG “turned up the heat too fast with its rootkit.” The result may be good for consumer rights—because we frogs are hot about it and jumping out of the pan. Consumer awareness is the only way to prevent spyware and viruses; it’s also essential to discourage and control DRM, or at least excessive DRM. “The average fan…suddenly has a vivid example of how DRM takes your music—and your computer—away from you.” Let’s hope people pay attention.

[*With a tip of the hat to the late great Phil Ochs]

Cites & Insights: Crawford at Large, Volume 5, Number 14, Whole Issue 70, ISSN 1534-0937, a journal of libraries, policy, technology and media, is written and produced by Walt Crawford, a senior analyst at RLG.

Cites & Insights is sponsored by YBP Library Services.

Hosting provided by Boise State University Libraries.

Opinions herein may not represent those of RLG, YBP Library Services, or Boise State University Libraries.

Comments should be sent to Comments specifically intended for publication should go to Cites & Insights: Crawford at Large is copyright © 2005 by Walt Crawford: Some rights reserved.

All original material in this work is licensed under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.