Friday, November 11, 2005

Sony Copy-Protection Software Alarms Music Consumers

Sony BMG Music's XCP copy protection program, included on some of its compact discs, acts as spyware when installed on a home computer and leaves such systems open to easy access by hackers and viruses, raising alarms among music consumers--many of whom now use a home computer as their primary entertainment system.

According to widespread reports in the press and on the Internet, XCP, known as a "root-kit" program, has been bundled with about 20 recent Sony BMG titles. When one of these CDs is loaded into a Windows PC system, a pop-up appears prompting users to "agree" to install the program in order to play the CD. Once installed, XCP is not visible to computer users and is not detected by traditional anti-virus software, and attempts to remove it may destroy the computer system.

More troubling, XCP appears to allow computer viruses easy access to computer systems. As reported today by BBC News, three virus variants have been found that are designed to take advantage of the opportunity Sony BMG has created to damage a home computer system. Macintosh systems appear to be unaffected.

Sony response inadequate - even dangerous

Sony has since apologized for the problem and claims it is working with a computer security firm to address it. Last week, Sony BMG put a "patch" on its Web site for the antipiracy program; however, the "patch" does not remove the program, but merely removes its "cloak" to make it visible on a consumer's hard drive. Further investigation of the "patch" by some computer users found that it may also add files to the XCP program. Disturbingly, when Thomas Hesse, president of Sony BMG's global digital business division, was asked what responsibility he feels over this issue, he replied, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

The problems with XCP were discovered last month by Mark Russinovich of Sysinternals.com, whose computer suffered system failure when he tried to remove the program. Russinovich also found the problems associated with the so-called "patch," which was issued by First4Internet, a British company that also wrote the XCP program. According to Russinovich, the method the "patch" uses to remove the XCP "cloak" could cause Windows to crash. The patch does not remove or uninstall the program.

Identifying CDs with the root-kit

Sony stated that about 20 CD titles carry the new root-kit, but has refused to identify the specific titles. Electronic Frontier Foundation (EFF), a non-profit watchdog group for electronics consumers, was able to identify 20 titles it found carry the XCP file; however, these have not been confirmed by Sony, and it is possible there are others. Titles include popular releases by Switchfoot, Natasha Bedingfield, and Amerie.

EFF advises consumers to examine a CD's packaging to look for the IFPI logo indicating the disc has copy protection. The IFPI logo is a circle with a triangle inside it, with another circle and triangle, roughly forming a "C within a C" (for "copy control"). These CDs will also have "playability" information on the back. Since there are other copy control programs besides XCP, check the fine print. If it directs you to "cp.sonybmg.com/xcp" for help, then the CD is encoded with XCP.

Personal experience

Concerned over the dangers to my own computer system, I examined my CD collection in search of CDs with the IFPI logo. I found three titles with it: Will Young's Friday's Child, Natasha Bedingfield's Unwritten (UK version), and David Gray's Life in Slow Motion (US version). Thankfully, none of them appear to use the XCP program, and I have had no problems uploading these CDs to my computer for use with iTunes and my iPod. I'm not sure how my computer has managed to avoid these CDs' copy protection features, but it may be because I always have iTunes already running whenever I upload a new CD, therefore the computer never tries to launch any "auto-play" programs on the CDs to play them with other programs. My computer is also set to prompt me as to which program I want to use "auto-play" CDs with, so I can control how CDs and DVDs with auto-play are launched. I would recommend avoiding putting any XCP CDs in your computer, but also to disable your CD drive's "auto-play" feature to prevent unwanted software from automatically installing itself on your computer.

Further reading

Here are links to further information on this subject that I found most helpful:

Electronic Frontier Foundation (EFF) - list of XCP-infested CDs and how to identify them:
http://www.eff.org/deeplinks/archives/004144.php **

EFF - The XCP end user license agreement (I didn't discuss this above, but it is also problematic):
http://www.eff.org/deeplinks/archives/004145.php

CNET.com column on this issue by Section Editor Molly Wood:
http://www.cnet.com/4520-6033_1-6376177.html?part=rss&subj=edfeat&tag=DRM+this%2C+Sony%21

The Register, information on how Sony can damage your computer:
http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/

BBC News: How viruses are already taking advantage of Sony's XCP:
http://news.bbc.co.uk/1/hi/technology/4427606.stm

BBC News: Story on the so-called "patch" Sony offers:
http://news.bbc.co.uk/1/hi/technology/4427606.stm

The Register: The contemptible response by Sony's president:
http://www.theregister.co.uk/2005/11/09/sony_drm_who_cares/

Blog by Mark Russinovich of Sysinternals.com:
http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html

UKMix: Good discussion on my favorite music BB site about this issue:
http://www.ukmix.org/forums/viewtopic.php?topic=28882&forum=2

**Note (Updated 11/11/05, 2:45 p.m.) A quick scan of the new CDs at a record store today uncovered some additional titles that contain the XCP. They are the new discs from Bette Midler and Montgomery Gentry.

1 comment:

Anonymous said...

Very interesting! As an ex-RIAA insider I can't say I'm too surprised. There has always been an effort by the record companies to block people from copying cds onto their cpus. A lot of the past efforts were either circumvented by hackers or eventually pulled by the record companies due to consumer backlash.

Record companies are starting to understand that the digital environment demands a new business strategy that will protect copyrights without alienating fans. ITUNES is a good example of this compromise.

In ten years SONY foul-ups like the one mentioned in this blog will have gone the way of the Dodo. CDs will become as common as tapes and records are today, everything will be digital. The small mom and pop record stores along with music-driven chains like Sam Goody and Tower Records will eventually become obsolete.

Good blog - thanks for keeping a watchful eye on "The Man!"