Deep Rifts Exposed in Sony BMG Faux Pas

In a turn of events that’s as bizarre as it is disturbing, a major music label’s overzealous attempt to protect its content has widened the great divide that increasingly separates the music industry from consumers. Sony BMG’s boneheaded misuse of hacker technology has potentially compromised the security of millions of PCs, inspired a bunch of computer viruses, provoked class-action lawsuits, caused a firestorm of protest in online forums, and even attracted veiled criticism from the U.S. Department of Homeland Security.

In the hotseat is Sony BMG, the world’s second-largest family of music labels. Starting in mid-2005 the company shipped 4.7 million CDs embedded with XCP digital rights management software from U.K.-based First 4 Internet Ltd. XCP stands for Extended Copy Protection and to call it extended is putting it mildly.

The software installs itself as a Windows rootkit. That means it hides its own files, processes and registry keys from the user and from security software. Worse, the cloaking is not selective: anything else on the machine that adopts the same naming convention is hidden too, which is exactly what the malware described below did, letting an outsider commandeer the machine through IRC chat channels.

The rootkit is a favorite tool of virus writers, spammers, identity thieves—and now, apparently, large multinational record companies. It cannot be removed using the Windows “Add/Remove Programs” function. If you try to delete it manually, your PC may no longer recognize the disc drive, and you may have to reinstall Windows, just in case you didn’t have enough other weekend projects. Macs and standalone disc players are not affected.
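The check that exposes this kind of cloaking is a cross-view comparison: ask the hooked, high-level Windows API what is on the disk, read the same data by a low-level route the rootkit does not hook, and report every object that appears in one view but not the other. The block below is an added example, not code from the article, from Sony BMG or from Sysinternals. It simulates XCP's documented rule (hide any name beginning with "$sys$") as a filter over a constructed file list, and shows why the cloak is dangerous to everyone: a hypothetical unrelated payload that adopts the prefix is hidden for free. The file names are constructed for illustration.

```python
"""Cross-view rootkit detection, simulated on a constructed file listing.

A cloaking rootkit hooks the enumeration API and filters out its own
objects, but the objects are still there, so a raw view and the API view
of the same data disagree.  Reporting the difference is the detection.
"""

# Documented XCP behaviour: anything whose name begins with this is hidden.
XCP_PREFIX = "$sys$"

# Constructed raw view: what is actually on disk (paths are illustrative,
# not real XCP component names).
RAW_VIEW = [
    "WINDOWS/system32/drivers/atapi.sys",
    "WINDOWS/system32/$sys$cloak.sys",        # the cloaking driver itself
    "WINDOWS/system32/$sys$drm.exe",          # the DRM player component
    "Program Files/Player/player.exe",
    "Documents/report.doc",
]


def basename(path):
    """Last path component, without depending on the host OS separator."""
    return path.rsplit("/", 1)[-1]


def hooked_enumerate(raw_entries):
    """Simulate the rootkit-hooked API: drop every entry the cloak hides."""
    return [p for p in raw_entries if not basename(p).startswith(XCP_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Entries present in the raw view but missing from the API view.

    A non-empty result means something is filtering the API view, i.e.
    something is cloaked.  Returned sorted for stable comparison.
    """
    return sorted(set(raw_view) - set(api_view))


def piggyback(raw_entries, payload_path):
    """Model a third party abusing the cloak: it renames its payload with the
    rootkit's prefix and is hidden without installing any driver of its own."""
    head, _, name = payload_path.rpartition("/")
    cloaked = (head + "/" if head else "") + XCP_PREFIX + name
    return raw_entries + [cloaked], cloaked


def scan(raw_entries):
    """Run the cross-view check and return the list of cloaked objects."""
    return cross_view_diff(hooked_enumerate(raw_entries), raw_entries)


if __name__ == "__main__":
    print("Cloaked by XCP alone:")
    for entry in scan(RAW_VIEW):
        print("  ", entry)

    # A hypothetical unrelated payload gets the same cloak just by renaming.
    with_bot, bot_name = piggyback(RAW_VIEW, "WINDOWS/system32/bot.exe")
    print("Cloaked after a third-party payload adopts the prefix:")
    for entry in scan(with_bot):
        print("  ", entry)
    assert bot_name in scan(with_bot)
```

The removal tools the article mentions that "remove only the cloaking component" correspond, in this model, to replacing `hooked_enumerate` with an identity function: the diff then becomes empty, but the `$sys$` files themselves are still on the disk.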

It was not long before opportunistic hackers targeted the flock of exposed PCs by exploiting the XCP rootkit's cloaking to hide their own code. The first of several pieces of malware, a Trojan that Sophos, a British security firm, named Stinx, was emailed to thousands of users under the subject heading "photo approval." Other antivirus makers rushed out removal tools, though many of them remove only the cloaking component and leave the rest of the DRM software in place.

Lawsuits began breaking like waves on the beach. California attorney Alan Himmerfarb filed the first one on November 1 in Los Angeles Superior Court. He alleged that Sony BMG broke three state laws, sought to have the offending discs withdrawn from circulation, and demanded damages. A class-action lawsuit was filed in New York by attorney Scott Kamber, and others seemed likely at press time.

The cases are likely to revolve around the End User License Agreement (EULA) embedded in the tainted CDs. Did Sony BMG give fair warning? Decide for yourself. Here is the EULA, courtesy of (saving me the hazard of actually sticking one of those CDs into my own PC):

“[T]his CD will automatically install a small proprietary software program (the ‘SOFTWARE’) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.”

Sony BMG posted a security fix on its website that removes the cloaking component "to alleviate any concerns that users may have about the program posing potential security vulnerabilities"—especially litigious users. For a complete uninstall, click on "uninstall requests." You'll have to provide your email address. Sony's critics have noted that the uninstall process relies on a Microsoft ActiveX control, another potential spyware enabler: security researchers later showed that the control the uninstaller leaves behind can be invoked by any web page the user visits, allowing it to download and run arbitrary code.

Sony BMG eventually halted production of the tainted CDs and now will pull many of the discs that are already in stores. Sony is also offering exchanges for customers who bought discs with the rootkit software. It has not, however, taken any action on titles with other forms of DRM.

The Electronic Frontier Foundation has posted a list of XCP-infected CD titles. Affected artists include Trey Anastasio, Celine Dion, and jazz great Dexter Gordon.

The Sony BMG rootkit problem was first reported by Mark Russinovich and detailed extensively in his Sysinternals blog (see Nov. 2005 entries). The programming expert discovered the XCP software while scanning his own PC with RootkitRevealer, a rootkit detector he had written. When he found it, getting rid of it took several advanced maneuvers. Along the way his PC stopped recognizing its disc drive.

Ironically, the Sony BMG release that triggered the problem in Russinovich’s PC was Van Zant’s Get Right with the Man. Van Zant’s manager told The New York Times that his voicemail is besieged with messages like “take your rootkit and shove it.” To be a fly on the wall in future Sony BMG meetings with artists and managers would be most interesting.

Meanwhile, messaging forums are exploding with animosity. The Amazon listing for the Van Zant CD—carefully identified by the online retailer as CONTENT/COPY-PROTECTED—includes “do not purchase” and “poison pill” warnings from user reviewers. A Boycott Sony website has sprung up.

Even the U.S. Department of Homeland Security is rapping Sony’s knuckles, though without naming the company directly. “In the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days,” assistant secretary Stewart Baker told the U.S. Chamber of Commerce. “It’s very important to remember that it’s your intellectual property—it’s not your computer.”

With CD sales slumping in four out of the last five years, this digital free-for-all must be making the major music labels uneasy. Some consumers are speculating that file sharing may be safer than buying a disc. Of course, even if you dodge the now-infamous rootkit, unprotected downloading still might expose you to an expensive lawsuit, and the file-sharing service might bring spyware of its own. But the question is symptomatic of the rift between a public that wants its PCs and iPods to stay unfettered and a music industry desperate to reverse declining profits.

Finally, the ruckus raises questions about Sony's future. The company has spent decades developing new technologies and acquiring a reputation for quality. Now its various hardware divisions enter the holiday shopping season dodging (undeserved) bullets. With Blu-ray poised at the end of the diving board, this controversy could not have come at a worse time. Consumers vote with their dollars, and reputation is a fragile thing.

Mark Fleischmann is the author of the annually updated book Practical Home Theater. For links to the latest edition, visit