November 14, 2005

Spoutin' Off: What in the world was Sony thinking?

By Michael Rau

November 14 2005

A few days ago, it was discovered that some recent CD releases on the Sony/ BMG label contain a Digital Rights Management (DRM) application called XCP, which, when you play the CD on a PC, surreptitiously installs itself on that computer.

Facing revolt on several fronts, Sony has since announced that they are "temporarily suspending the manufacture of CDs containing XCP technology," but did so in a rather defensive and ambiguous manner.

The purpose of XCP, ostensibly, is to limit the manner in which and number of times you can copy the songs from the CD. In this, it's similar to the DRM schemes employed for virtually all legally purchased digital downloads, such as Apple's FairPlay.

I'm no fan of these either, but Sony has really gone over the top. Instead of containing code which controls duplication and distribution limitations, the Sony CDs actually install an application on your computer using a particularly insidious type of software known as a rootkit. This is a system administrative toolset which allows the user to hide the functions and location of the application it installed. Rootkits are used by hackers to remotely gain access to and control over PCs.

Just the idea that a company with the size and market penetration of Sony would be so comfortable engaging in such a flagrant invasion of personal privacy is absolutely frightening. The fact that they chose to use a rootkit-based application to hide and shield their work seems to indicate an intent to engage in subterfuge.

Internet security firm Computer Associates has blacklisted XCP, labeling it as spyware and identifying several malicious characteristics. First and foremost is the absence of an End User License Agreement (EULA). This is all the legalese you're supposed to read and agree to before software is installed on your system. It protects the provider from liability but also provides legal disclosure to you, the end-user, as to what the software will and will not do.

Other malware characteristics present in XCP are the absence of a mechanism to uninstall the software, and perhaps worst of all, there's apparently a device which gathers information about you and your computer and sends it back to Sony without your permission.

And if that's not enough, it turns out that by running the Sony DRM software, you open your computer up to other Trojan horse applications which are already being written to take advantage of the rootkit which you so conveniently installed.

The Electronic Frontier Foundation has identified 19 current Sony/BMG CD titles which contain their DRM software. The list can be found at this link: http://www.eff.org/deeplinks/archives/004144.php.

I recommend that you avoid these products like the plague, if for no other reason than on sheer principle. And be forewarned: If you do choose to play one of these on your Windows PC, you WILL compromise the security of your system.

Now I'm a pretty strong defender of the concept of intellectual property rights. After all, I depend on someone paying me for the words I write or other creative work I do to make a living. I believe people who sell bootleg products for profit are enemies of the arts and should be interdicted, prosecuted and punished.

I'm OK with individuals sharing an occasional song or video, but often feel that some people abuse this right and should be more conscientious about the loss-of-livelihood to the creator. Consider: If artists can't support themselves, chances are there's going to be less art.

But this isn't so much about protecting artists - keep in mind that on average, less than 40 cents of the cost of a major-label CD actually goes to the originating talent - as it is about an industry protecting its control and domination over the very artists whose interests they claim to represent.

DRM schemes treat consumers as criminals. I believe that these (and other) restrictive policies are more responsible for the proliferation of peer-to-peer downloading, often illegal, than any disrespect for the law. It's ridiculous to me that if I buy and download media through a legal online source, the seller would have any say-so as to how I choose to consume my purchase. But at least you know the conditions, more-or-less, when you acquire digital media from these services.

In contrast, Sony cheated - plain and simple. They contemptuously chose to violate their customers' trust and privacy.

While announcing that they would temporarily suspend manufacturing CDs with the XCP software, Sony also made it clear that they reserve the right to start using it again whenever they choose. The only way you'll probably ever know is if they get caught, again.

Based on how lightly they obviously regard my rights, it seems reasonable to assume they'd be as cavalier with my privacy across their product line and possibly within their customer service system, too.

I don't know about you, but I'll think carefully before I buy another Sony product.

Michael Rau is a mass-communications consultant in Virginia Beach. To send feedback or view past columns, visit http://dailypress.asoundidea.com

Copyright © 2005, Daily Press