Sony BMG faces digital-rights siege

Ripped over anti-rip rootkit

Consumers and their attorneys are not the only ones miffed at Sony BMG's tactics. One label distributed by the media giant, ATO Records, said its artists and customers have complained about the surreptitious software installation and stressed that it never agreed that the media giant could put copy protection on its CDs. Currently, the company is not considering legal action, said a spokesperson, who asked not to be named.

"Our artists and our customers are pretty upset, but we are in talks with Sony BMG about this issue," the spokesperson said. "We are not pursuing any legal avenues yet."

For Mark Russinovich, chief software architect for Winternals Software and one of the original discoverers of the Sony BMG rootkit, the code is taking copy protection to an unpalatable extreme. Russinovich firmly labels the technology a rootkit and spyware, not least because Sony BMG has placed high hurdles in the way of any consumer who wants to uninstall the program. The copy-protection software cannot be uninstalled under Windows XP except by contacting Sony BMG through a special Web site, receiving a special code and sacrificing some privacy, Russinovich said.

The security researcher is not the only one who believes that Sony's copy protection weakens system security. The emergence of a Trojan horse that attempts to hide itself using the software has at least one antivirus firm - U.K.-based Sophos - offering to disable the protection mechanism, an action that could violate the Digital Millennium Copyright Act (DMCA). Sophos believes that offering the tool is about protecting customers, said Graham Cluley, senior technology consultant for the firm.

"I appreciate that Sony had good intentions - we want people to pay for content as well, but we are also against introducing vulnerabilities into people's systems," he said. "I would hope that Sony would be pleased that we are helping them fix their software. And I would hope that, in the future, Sony would want to provide software that does not have a back door in it."

Such anti-rootkit tools raise the question of whether removing the software, even if one can prove it weakens system security, is legal under the controversial DMCA, EFF's Schultz said. The DMCA protects digital-rights management software from attackers, but also from people who seek to use the content in a historically fair-use context. The DMCA, passed in 1998, makes it illegal for anyone to "circumvent a technological measure that effectively controls access to a work protected under" the law. Whether protecting copyrights trumps protecting a user's system will likely be tested in the coming court battles, Schultz said.

The court cases will also likely focus on Sony BMG's end-user license agreement, which briefly mentions the installation of "a small proprietary software program." Software EULAs have gained notoriety as long legal notices that consumers never read, so the current case may be a good test of whether they are a legitimate contract between the consumer and the software maker, Schultz said.

"Their whole defense to this practice relies on the end user license agreement," he said. "They have set this up so that when someone puts the CD in their drive, this 3,000-word license agreement pops up. Can people give consent in that way to such an invasive practice?"

The flurry of lawsuits and complaints suggests that, for consumers and security experts, the answer is a resounding "no."

Copyright © 2005, SecurityFocus
