November 11, 2005

Piracy Prevention Turns into PR Nightmare

Filed under: Business Moves,Consumer Outrage,Corporate Outrage — Tom @ 6:57 pm

It’s one thing to protect your intellectual property, it’s quite another to leave your customers vulnerable to hackers and thieves in the process (bolds are mine):

Sony to Suspend Making Antipiracy CDs

WASHINGTON (AP) – Stung by continuing criticism, the world’s second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.
Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the “XCP” technology as a precautionary measure. “We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use,” the company said in a statement.
The antipiracy technology, which works only on Windows computers, prevents customers from making more than a few copies of the CD and prevents them from loading the CD’s songs onto Apple Computer’s popular iPod portable music players. Some other music players, which recognize Microsoft’s proprietary music format, would work.
Sony’s announcement came one day after leading security companies disclosed that hackers were distributing malicious programs over the Internet that exploited the antipiracy technology’s ability to avoid detection. Hackers discovered they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony technology.
A senior Homeland Security official cautioned entertainment companies against discouraging piracy in ways that also make computers vulnerable. Stewart Baker, assistant secretary for policy at DHS, did not cite Sony by name in his remarks Thursday but described industry efforts to install hidden files on consumers’ computers.
“It’s very important to remember that it’s your intellectual property, it’s not your computer,” Baker said at a trade conference on piracy. “And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”

Sony itself violated John Dvorak’s first rule of ethical computer software company conduct (which he thinks should be a law):

“Any person who knowingly writes or reads files from another person’s computer by personal or robotic means for whatever reason whatsoever and without the permission of the party involved, with full knowledge of the activity each and every time the action is performed, is guilty of a felony and subject to fine and imprisonment not to exceed $10,000 and one year in prison for each offense.”

Sony hasn’t conceded its right to mess with the inner workings of its customers’ computers. Very, bad, idea, and probably bad for business too.

UPDATE: Commenter Kevin Irwin below refers to this BBC article, which has a passage that better explains what Sony was doing, and makes it clear how vulnerable it made users’ computers:

Windows programming expert Mark Russinovich discovered that the Sony XCP copy protection system was a so-called “root-kit” that hid itself deep inside the Windows operating system.

XCP uses these techniques to install a proprietary media player that allows PC users to play music on the 20 CDs Sony BMG is protecting with this system. The CDs affected are only being sold in the US.

Soon after Mr Russinovich exposed how XCP worked security experts speculated that it would be easy to hijack the anti-piracy system to hide viruses.

Now anti-virus companies have discovered three malicious programs that use XCP’s stealthy capabilities if they find it installed on a compromised PC.

If you mess with the root, you’re messing with all the security that Microsoft has added in its Service Pack 2 and other updates to protect the root.

It would be interesting to know, but I doubt that Sony consulted Microsoft before they just went ahead and did this. If they had, they could at least have a shot at defending themselves, which by the way they need to (from the BBC article): “At last count six class-action lawsuits have been started against the company. As the Boycott Sony blog pointed out, the appearance of these viruses could make it much easier for lawyers to argue that the XCP software can cause real harm to a user’s computer. “

Speaking of the Sony Boycott Blog, the blog’s author is semi-pleased:

So, is this Victory? I don’t think so. But it is a victory. Yes, music listeners are still being treated like criminals by the music industry; yes, our rights are still being infringed by increasingly draconian DRM. (“Digital Rights Management”–Ed.)

But, apparently, a line in the sand has been drawn. It’s OK to restrict our rights but not to break our computers to do it. Yay, he said listlessly.

I happen to think that users are willing to put up with reasonable controls over intellectual property that does not unduly inconvenience them. The location of the undue inconvencience line is the big question, but the line should definitely be somewhere outside the user’s computer.

The blog also notes potential vulnerability for Mac users when companies like Sony attempt to use invasive technology, since in the Mac’s case “the latest versions of the Suncomm DRM used on other Sony BMG releases installs one or more kernel extensions under Mac OS X.” My message as a Mac user: “Nobody messes with my kernel.”

UPDATE 2, Nov. 13: Sony appears to be stuck on stupid (HT Drudge):

Sony BMG has still not identified which of its music CDs contain the software. Earlier this week, however, the Electronic Frontier Foundation, a US-based consumer advocacy group, identified at least 19 Sony BMG music CDs that the group claims install the software when played on a PC.

Critics, including the EFF, claim the software also slows down PCs and makes them more susceptible to crashes and third-party attacks. “Since the program is designed to hide itself, users may have trouble diagnosing the problem,” the EFF said.



  1. Yes, this is ridiculous. I don’t think they get it. If people “really” want to rip mp3′s off of a CD, they can simply use linux and circumvent Sony’s trojan horse.

    Comment by Kevin Irwin — November 11, 2005 @ 8:16 pm

  2. And it looks like Sony is putting this campaign to an abrupt end

    Comment by Kevin Irwin — November 12, 2005 @ 11:25 am

  3. See Update to the post. Thanks for the info.

    Comment by TBlumer — November 12, 2005 @ 1:10 pm

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.