Sony’s ‘rootkit’ opens massive can of worms

David Canton - For the London Free Press - January 7, 2006 Read this on Canoe

The "Sony rootkit," Sony-BMG's recent attempt to prevent copying of its music CDs, has created a public-relations nightmare, angered privacy and security experts worldwide and exposed them to lawsuits.

Sony decided to use Extended Copy Protection (XCP) on 52 CD titles.

XCP is a rootkit, a program used by virus writers. It enters into a computer uninvited, copies itself to the "root" of a computer and hides its presence from the user by disguising itself as system files.

XCP is cloaked from detection from those wishing to remove it. It prevents the user from playing the CD in certain media player programs. The program transmits information back to Sony about the customer's listening habits.

Sony dismissed complaints that XCP violated users' privacy, arguing it was simply protecting its intellectual property rights. Sony relied on the End User License Agreement that appears on the screen when a CD with XCP is played on a computer. EULAs are standard for software, but unusual for music.

The EULA informed users the CD would install a "small proprietary software program" intended to protect the audio files.

The EULA also contained unusual provisions that, among other things, said the company can put backdoor programs on your computer that allow it to use self help to "enforce their rights" and if by doing so it destroys your computer or cause a security risk, it's not responsible.

Many argued the EULA was insufficient, as it said nothing about installing cloaked files in the root of the user's computer or transmitting information.

Security experts said computers could be vulnerable to viruses that use XCP's cloaking feature. Sony claimed these concerns were theoretical until several viruses specifically designed to take advantage of the cloaking feature were discovered.

Sony provided a patch that removed XCP's cloaking, allowing security software to detect these viruses. This did not placate critics as it did not actually remove XCP and installed new files that could not be removed without Sony-BMG's consent.

XCP proved nearly impossible for users to uninstall manually without disabling their CD drive or triggering a system crash. When Sony finally offered an XCP uninstaller, users had to fill out online request forms, requiring information such as the user's name and e-mail address.

This uninstall program caused as many problems as it solved.

Sony then temporarily suspended its use of XCP. It yanked XCP CDs from store shelves and offered replacements for already purchased CDs. About 4.7 million CDs had been shipped and 2.1 million sold. More than half a million networks have been infected.

Sony's legal problems began when multiple class-action lawsuits were launched based on claims Sony violated U.S. state and federal laws against computer tampering and malicious software and has committed fraud, trespassing and false advertising.

The Texas attorney general filed a civil lawsuit, seeking $100,000 for each violation of that state's Consumer Protection Against Computer Spyware Act.

There are now claims the XCP software can be prevented from installing merely by putting a piece of tape on a strategic spot on the CD.

So all in the name of copy protection, Sony-BMG has angered customers, musicians and retailers, lost sales, possibly breached privacy and computer trespass laws, exposed customers to viruses, allegedly used code in the XCP they were not licensed to use, denied and covered up what they had done and dismissed legitimate concerns as unfounded.

Leads one to wonder why Canada is considering amending its copyright legislation to make it illegal to defeat digital rights management software.