Sony suspends rootkit DRM

No recall

Sony BMG has said it will suspend production of audio 'CDs' that use XCP, the rootkit-style DRM developed by British company First4Internet Ltd. However the music giant refused to apologize for the software, which exposes PCs to malware and which can disable the PC's CD drive when users try to remove the software.

Sony also declined to follow EMI's example in September and recall CDs already in the retail channels.

Around 20 CDs use XCP, which has been on the market since April. (The EFF has a list, here).

But since a security website drew attention to implications of XCP last week, Sony has been deluged with complaints, prompting lawsuits in California and Italy.

"We are aware that a computer virus is circulating that may affect computers with XCP content protection software," Sony said in a statement. "Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use."

Sony may rue the wave of consumer outrage, and the subsequent lawsuits. But it may also note that the scandal took more than six months to surface.

And the music publisher isn't exactly rushing to make amends. Sony's unfortunately worded phrase "ease of consumer use" reminds us that while the stealth DRM software installs itself without permission (the click-through statement fails to inform of the user of its true nature), uninstalling it requires the CD buyer to request permission from Sony via a web form. So it's hard to take Sony BMG's assurances seriously.

You can read Sony's statement here. Symantec has posted an advisory and removal tool here. ®

Sponsored: 10 ways wire data helps conquer IT complexity