Business Impact

Inside the Spyware Scandal

When Sony BMG hid a “rootkit” on their CDs, they spied on you and let hackers into your computer. What were they thinking?

May 1, 2006

John Guarino is the owner of TecAngels, a two-man computer consultancy in Manhattan. Give Guarino your ailing Windows PC, and in two or three hours he’ll return it to you in perfect health. Often, he can solve his customers’ problems over the phone.

But last summer, Guarino came across a problem he couldn’t fix. In the process of flushing out the spyware and viruses infecting his customers’ computers, he began to find the same mysterious intruders in machine after machine. They were strangely named files lurking deep inside the “registry” where Windows stores settings and instructions that control all of a computer’s hardware and software.

To Guarino, the files looked like a rootkit – software that tricks an operating system into overlooking worms, viruses, and any other files a hacker might want to conceal inside a user’s computer. The files didn’t seem to be causing damage, and Guarino’s antivirus software didn’t identify them as threats. But they had appeared on people’s hard drives uninvited – the conventional definition of “malware” – so Guarino removed them.

But the files didn’t go quietly. After Guarino deleted them, the CD drives on his customers’ computers would stop working. The usual solution – reinstalling the software that drives the disc players – didn’t correct the problem. Guarino couldn’t explain this odd effect, and his customers weren’t paying him to spend hours researching it; they just wanted their computers back. So he would usually resort to the nuclear option: reinstall the operating system from scratch.

After six or seven of these encounters, Guarino was growing weary. Then, on September 30, he discovered the mysterious files on his own PC. “That’s what really pissed me off,” Guarino says. “I was like, ‘I can’t believe it. I have the latest firewall, the latest antivirus software, three or four antispyware programs. How did this get here?’”

Like any good investigator, Guarino backtracked. He knew that the files hadn’t been there the last time he had scanned his computer. He tried to reconstruct everything he had done with his machine over the previous few days – what programs he had installed, what e-mails he had received, what websites he had visited.

Then he remembered that he had purchased a music CD the day before and had played it on the computer. It was a Sony BMG Music Entertainment album called Touch, by the rhythm-and-blues singer Amerie. Unlike most CDs, this disc couldn’t be played using common media-player software such as iTunes, RealPlayer, or Windows Media Player. To hear the CD, purchasers had to install the customized Sony BMG player included on the disc. Guarino had done this.

Now he took a closer look at the CD’s jewel box. One phrase popped out at him: “Content Enhanced and Protected.” Evidently, the disc carried some form of digital rights management (DRM) software – a program designed to control copying and thus discourage piracy.

Finally, the pieces came together. The mystery files resembled a rootkit; the usual purpose of a rootkit is to hide something; a copy protection program was the kind of thing its creators might wish to hide from users; and removing this particular rootkit disabled the CD drive. Guarino could only conclude that the malware’s source was Sony BMG itself.

“That’s when I gave up,” Guarino says. He could fight malware one machine at a time. But if the world’s second-largest record company wanted to install secret software on its customers’ computers, he would never win.

Before putting the problem aside, Guarino did one very important thing. He e-mailed his logs to F-Secure, a computer security firm in Helsinki, Finland, whose software he had used to detect the files. Though F-Secure’s malware watchers had not previously encountered the rootkit, they were quickly able to confirm Guarino’s suspicions. Over the next two weeks, they came to another, much more troubling realization: the rootkit could hide other files as easily as it hid Sony BMG’s copy protection software. Every computer on which a copy-protected Sony BMG disc had been played, and its player installed, was now, in effect, an open receptacle for worms, viruses, and other malware.

On October 17, F-Secure contacted Sony. Two weeks later, respected security expert Mark Russinovich found the rootkit on his own computer and publicized his findings on his widely read blog. He also discovered that other software installed along with the copy protection program secretly contacted Sony BMG via the Internet every time a PC user played a copy-protected disc. And over the next several months, what had begun as a curiosity in Guarino’s little shop escalated into a full-blown scandal, complete with backroom negotiations, public exposés, heated denials, angry boycotts, vengeful lawsuits, and rueful apologies.

Though its original purpose was to hide software that prevented listeners from making more than three copies of their music, Sony BMG’s rootkit became the most public symbol to date of the perceived excesses of DRM technology – and of the growing suspicion media companies seem to harbor toward their own customers. The scandal is still having repercussions. It has reignited a dispute in the public sphere over the ways consumers should be allowed to use copyrighted digital information and, conversely, just how far copyright holders can go to secure their intellectual property against piracy. (See “Who Will Own Ideas?”, a TR special package published in June 2005.)

Taken to extremes, experts say, digital rights management not only curtails people’s right to make “fair use” of copyrighted material, which is guaranteed by U.S. copyright law, but can even create new technological hazards. “When you build computer systems where you’re not protecting the user, but something from the user, you have very bad security,” says Bruce Schneier, a luminary in the field of computer security and chief technical officer of Counterpane Internet Security in Mountain View, CA. “That’s my biggest fear – this notion that the user is the enemy.”

The story of the Sony BMG rootkit fiasco is about more than bad corporate judgment or the ongoing struggle over the rights of consumers to do what they want with the things they own. It is also about fear and the excesses it can arouse. When media companies apply such powerful, secret tools to content protection, it suggests that their nervousness over piracy has turned to panic. Although Sony BMG insists that the rootkit was deployed unintentionally, the episode persuaded many observers that the music industry had come to see deception as an indispensable component of digital rights management. It should be no surprise when customers who feel they are being treated like thieves stop buying things. If there is one message in Sony BMG’s experience for other companies entering the digital world, it is that distrust engenders distrust.

Schoolyard Piracy
Demand for digital “content” (a feeble but convenient jargon word for everything from poetry to podcasts) is greater than ever. Sales of downloadable music worldwide nearly tripled between 2004 and 2005, from $380 million to $1.1 billion, and now represent about 6 percent of all music sales. As of March 2004, Apple’s iTunes music store was selling songs at a pace of about 2.5 million per week. According to the U.K. version of Macworld magazine, it now sells three million songs every day.

One might expect content producers and distributors to be thrilled by digital’s takeoff. But in reality, they are often preoccupied with the ever present threat of rampant copying. And for good reason: in a one-month period in 2005, 3.8 million U.S. households downloaded music using the free peer-to-peer file-sharing services WinMX and Limewire, while only 1.7 million households purchased files from iTunes, according to market research firm NPD Group. The Recording Industry Association of America puts the lost retail revenues from digital music piracy at $4.2 billion per year, and it has fought illegal downloads aggressively: in February, it announced that it had launched 750 new lawsuits against users of peer-to-peer file-sharing networks, bringing the total since 2003 to more than 18,000.

Preceding almost every illegal download, however, is a much more innocent act: ripping compressed computer files, such as MP3s, from a legitimately purchased CD. Ripping and burning CDs for personal use is perfectly legal in the United States. But Thomas Hesse, president of global digital business for Sony BMG, says it accounts for two-thirds of all piracy. “The casual piracy, the schoolyard piracy, is a huge issue for us,” he told the Reuters news service last year.

So recording companies like Sony BMG are naturally attracted to technologies that promise to thwart wayward fans. Enter digital rights management, an industry that emerged in the late 1990s to help publishers and studios maintain control over the contents of DVDs, software, and the like. For DRM companies and their clients, “control” means barring customers from opening digital files unless they have paid to do so. It means preventing the copying, printing, backing up, or replication of a work except when expressly permitted by the work’s license agreement.

For years the recording industry didn’t need this level of control, since consumer-grade CD players (introduced in 1982 by Philips and Sony) were designed exclusively to play music, not to export it in digital form. But by 1996, when PC manufacturers began to include CD-ROM drives as a standard feature in home computers, the threat of “casual piracy” had emerged; and when it debuted in 1999, Napster, the first popular Internet music-sharing system, made good on that threat. Recording companies began to lobby in Washington for greater legal penalties against those caught sharing files – and also began looking for ways to make copying and sharing more daunting for the average user.

This isn’t a straightforward matter. Protected discs must include DRM software to limit copying; yet at the same time, they must be playable on ordinary CD players. One way to meet both needs is to make CDs more like CD-ROMs, which often contain multiple “sessions” similar to the cuts on old vinyl LPs. The first session of a multi-session CD, starting at the center of the disc, contains music, and the outer sessions contain software. Normal CD players read only the first session and ignore the rest, while a Windows PC with its “autorun” feature turned on looks first for programs in the outer sessions that it can execute. (Luckily for DRM developers, autorun is activated by default in Windows XP, and most users never change this setting.)
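The autorun path described above is what turns a disc’s second data session into an installer launch: Windows reads the session’s autorun.inf and runs whatever its `open` or `shellexecute` directive names. The following is an added example, not code from Sony BMG, First 4 Internet or Microsoft, of parsing an autorun.inf the way a disc triage tool might and reporting which directives would cause code to execute. The sample file is constructed; its paths and labels are hypothetical and are not the names XCP used.

```python
"""Parse a CD's autorun.inf and report what Windows autorun would launch.

Added example, not code from Sony BMG, First 4 Internet or Microsoft.
The sample INF below is constructed; its file names are hypothetical.
"""
import configparser

# Constructed sample of an autorun.inf from a disc's outer data session.
# Real files use the same [autorun] section and these same keys; "open"
# and "shellexecute" are the two directives that make a program run.
SAMPLE_AUTORUN_INF = """\
; constructed sample, not from a real disc
[AutoRun]
open=player\\launcher.exe /autorun
icon=player\\disc.ico
label=Content Enhanced CD
action=Play the enhanced CD
"""

# Directives that cause execution, checked in this fixed order.
EXECUTING_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] section as a dict with lower-cased keys.

    Windows treats the section name and the keys case-insensitively, so
    the section is matched by lower-cased name. Only "=" is accepted as a
    delimiter, because paths such as C:\\... contain colons.
    """
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    parser.read_string(text)
    for section in parser.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in parser.items(section)}
    return {}


def launch_directives(info: dict) -> list:
    """The (key, value) pairs that make autorun execute something."""
    return [(k, info[k]) for k in EXECUTING_KEYS if k in info]


def triage(text: str) -> str:
    """One-line verdict a disc triage tool might print for this INF."""
    info = parse_autorun(text)
    if not info:
        return "no [autorun] section: nothing launched"
    directives = launch_directives(info)
    if not directives:
        return "cosmetic only (icon/label): nothing launched"
    what = "; ".join(f"{k}={v}" for k, v in directives)
    return f"launches code on insert: {what}"


if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUN_INF))
```

The check is deliberately narrow: an INF with only `icon` and `label` entries is cosmetic, while any `open` or `shellexecute` line means inserting the disc on an autorun-enabled Windows XP machine runs a program before the user has seen a license agreement.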

When Sony BMG undertook the industry’s first large rollout of copy-protected CDs in 2005, it used the multisession method. On 52 Sony BMG albums released between January and November, the outer sessions included a Windows copy protection program called XCP (eXtended Copy Protection), which Sony licensed from a U.K. company called First 4 Internet, and a dual Macintosh/Windows program called MediaMax, from Phoenix, AZ-based SunnComm. This wasn’t the first time a label had attempted to sell CDs with anticopying software; Arista Records, a Sony BMG subsidiary, marketed a disc carrying MediaMax in late 2003, and rival Macrovision’s DRM software appeared on thousands of CDs from other labels beginning in 2002. What was unusual about the new Sony BMG discs, however, was the technique First 4 Internet had chosen to make XCP invisible.

Cloaking Device
When Sony originally hired First 4 Internet, it wasn’t to build a DRM system for consumer CDs. According to press interviews with First 4 Internet executives months before the rootkit scandal broke, it was to deter copying of pre-release music by the label’s own employees and contractors, and other recipients. The company’s first DRM product, XCP1, rendered the music session on multisession CD-Rs, the type of recordable CD used in music studios, unplayable by computers. That ability was attractive not just to Sony BMG but also to its three major rivals, Universal, EMI, and Warner Music Group, all of which had licensed XCP1 by 2002.

But this method wouldn’t work for consumer CDs, which needed to be playable in all types of devices, including computers, DVD players, video CD players, and ordinary players. So First 4 Internet developed a new program, XCP2, that uses a cleverer, slightly more permissive approach called “sterile burning.” This unappetizing term simply means that purchasers of a protected CD can rip it to their computers, then burn copies back to blank CD-Rs, but those copies cannot be used to make more copies. (XCP2 came to be known simply as XCP.)

According to Princeton University computer scientists Ed Felten and J. Alex Halderman, who “reverse-engineered” XCP as part of an academic investigation, the software has several distinct functions that are invoked separately. The first time an XCP-protected disc is loaded into a computer, it asks the user to consent to Sony BMG’s end-user license agreement (EULA). It then copies a number of programs and drivers to the hard drive and launches a proprietary media-player program. Once installed, according to a white paper Halderman and Felten published in February, the new drivers listen for attempts by other media players such as iTunes to read audio tracks on the CD; if they detect one, they replace the data returned by the CD drive with random noise. Meanwhile, a “back door” in XCP allows the proprietary media player to read the disc’s raw data without distortion.

Built into the media player is a burning application that allows the owner of the CD to rip up to three copies of it and burn them to CD-Rs. These copies will contain everything on the original disc, including the audio tracks, the media player, and the copy protection software. But they will be sterile: the burning application will be disabled, meaning the copies can only be played, not ripped and burned again. Alternatively, users can rip individual tracks or entire albums to their hard drives, then burn up to three copies to CD-Rs in the Windows Media Audio format.

If it were easy for users to sidestep or disable all of these complex functions, the copy protection system would be useless. And here is the nub of the controversy over XCP and the Sony BMG discs: First 4 Internet’s developers decided that a number of the program’s files and operations should be hidden from average users. The drivers that interfere with other media players’ attempts to read a protected CD, for example, needed to be stored in a secret place where users couldn’t find and remove them. Then there was the file XCP uses to count the number of copies of the CD the user is still permitted to make. The burning application is disabled only when the counter reaches zero. If advanced users were able to find this file, they could potentially change the counter’s value back to three after each copy they burned.

Secrecy itself is routine in the software industry, but this was different. First 4 Internet achieved secrecy using a rootkit, then Sony BMG neglected to tell its customers about the program’s presence or to provide a straightforward way to uninstall it. The term “rootkit” derives from computer networks using Unix-style operating systems, where the system administrator – the person with all rights and privileges to change the system – is said to have “root” access. The first “root kits,” written in the mid-1990s, were collections of software tools used by Unix hackers to acquire root access and deposit rogue code without leaving a trail. Windows rootkits emerged in 1999 and became so commonplace that they could be downloaded free from hacker collectives such as the one that produces the online magazine Rootkit (www.rootkit.com). More sophisticated versions could be purchased on the Internet for a few hundred dollars.

First 4 Internet executives, citing ongoing legal action, would not answer Technology Review’s questions. Therefore, we do not know whether or not the company’s developers knew that they were creating a rootkit, or whether they modeled XCP upon one of the open-source or commercial rootkits. However, outsiders who examined XCP’s code found that it contained some open-source components, including code from one program that encodes music in the MP3 format and another that encrypts and decrypts music downloaded from Apple’s iTunes. (The latter was apparently part of a never implemented plan to make XCP compatible with iTunes, according to Halderman.)

Another unknown is whether XCP’s developers were aware that a rootkit, once installed on a customer’s computer, could open a passage for other viruses and Trojan horse programs. But Princeton’s Halderman says programmers at First 4 Internet must have been aware that the cloaking method they were employing was well known to malware writers. “They had to learn about this technique from other sources,” Halderman says. “And in the course of researching how to use this technique, it’s almost inconceivable that they wouldn’t have discovered that [cloaking other malware] is something that rootkits do.”

In any case, the company’s hiding technique was highly effective – so much so that no security expert noticed the rootkit for at least six months after the release of the first copy-protected discs. But soon after Russinovich posted his report, malware authors discovered that they could use the rootkit to keep anything from viruses to spyware out of the operating system’s view. Indeed, less than two weeks after the Sony BMG rootkit came to light, the first malware program designed to exploit it had surfaced. It was a “backdoor Trojan” called Troj/Stinx-E, designed to hide itself under the rootkit’s cloak and allow other programs to take over users’ computers via connections to Internet Relay Chat (IRC), a text chat network commonly used to control compromised machines.

The Finnish Connection
F-Secure is headquartered in a boxy glass-and-aluminum building on Helsinki’s outskirts, just a block from the factory where Nokia – long before it became a cell-phone company – made thousands of kilometers of steel cable as part of Finland’s massive war reparations to the Soviet Union.

Dominating F-Secure’s second-floor command center are three big video screens. One depicts the architecture of a well-known computer virus as if it were a giant, spinning space station. Another shows a real-time map of malware activity worldwide. Mika Stahlberg, a research manager at F-Secure, is using the third screen to illustrate XCP’s stealth features.

“I can demonstrate using the Van Zant album,” Stahlberg says. He inserts Get Right with the Man, a country album by veteran rockers Johnny and Donnie Van Zant, into a computer under the command center’s triangular conference table. “We ordered this from Amazon last October. Okay, I put this in and it starts by default. Here’s the EULA. Of course, I want to listen to the music, so I click ‘Agree.’”

The player installs itself and launches automatically. Now Stahlberg chooses a guinea pig for the cloaking demonstration: the Windows calculator accessory. He starts the calculator, then opens the Windows Task Manager and selects the “Processes” tab, where a user can see a list of all of the programs currently running on the machine. “Okay, we can see it’s there in the process list – it’s called ‘calc.exe.’ Now let’s rename it.”

Stahlberg closes the calculator, finds the actual program file on the hard drive, and gives it a very specific name: “$sys$calc.exe.” He restarts the calculator. “Now look at the process list again. The calculator has disappeared.”

Stahlberg has just laid bare the main function of the Sony BMG rootkit: to make any file starting with the prefix “$sys$” undetectable. Among the files XCP keeps hidden in this way: aries, the ringleader program that waylays messages between applications and the operating system; crater, the filter driver that keeps other programs from reading the CD-ROM; and $sys$parking, which counts how many times the burning application has been used.

“What almost all rootkits do…is filter the output that applications get from certain operating-system functions,” Stahlberg explains. XCP filters out any output marked with the $sys$ prefix, so in Stahlberg’s demonstration, when the Task Manager asked Windows for a list of running programs, it got back everything except the calculator. A program with the $sys$ prefix in its name may be running – indeed, it may be taking up a large fraction of the system’s memory and CPU time – but to the Processes list and other applications such as Windows Explorer, it does not exist.

Of course, Stahlberg and his colleagues at F-Secure didn’t understand any of this the first time they examined a copy-protected Sony BMG disc, Switchfoot’s Nothing Is Sound. Immediately after receiving John Guarino’s log file, they ordered the CD and installed it on a quarantined PC, then used F-Secure’s own rootkit detection program, called Blacklight, to see how the disc’s software had altered the machine’s operating system. Blacklight found that there were more files in the system than Windows Explorer indicated – an unmistakable sign of a rootkit.
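Stahlberg’s calculator demonstration and Blacklight’s finding that the disk held more files than Windows Explorer showed are two sides of one mechanism: the rootkit filters a name prefix out of enumeration results, and a detector catches it by comparing a trusted low-level listing with the view the hooked API returns. The following is an added example, not XCP’s, F-Secure’s or Sysinternals’ code, that models the prefix filter in Python and runs that cross-view comparison over constructed file and process lists. The hooked system call is modeled as a wrapper function rather than a kernel driver, and every file and process name below is made up; none is a real XCP artifact.

```python
"""Model of a name-prefix cloaking filter and a cross-view detector.

Added example, not code from XCP, F-Secure or Sysinternals. The hiding
rule (drop any entry whose name starts with "$sys$") is the behaviour
the article describes; the kernel hook itself is modelled as a Python
wrapper over a list, and the sample names are constructed.
"""

HIDE_PREFIX = "$sys$"

# Constructed sample: what a trusted, unfiltered view of the system would
# return. Prefixed names stand in for cloaked objects; "$sys$calc.exe" is
# the renamed calculator from the F-Secure demonstration.
RAW_FILES = [
    "notepad.exe",
    "$sys$cloaked.dll",   # hypothetical hidden file
    "readme.txt",
    "$sys$calc.exe",
]
RAW_PROCESSES = [
    ("explorer.exe", 1204),
    ("$sys$calc.exe", 3320),
    ("svchost.exe", 908),
]


def is_cloaked_name(name: str) -> bool:
    """The rootkit's one rule: a name starting with the prefix is hidden."""
    return name.startswith(HIDE_PREFIX)


def rootkit_filter(entries, name_of=lambda e: e):
    """Model of the hook a prefix-based rootkit installs on an enumeration
    API: the real result is computed, then every entry whose name carries
    the magic prefix is dropped before the caller (Task Manager, Explorer,
    an antivirus scanner) ever sees it."""
    return [e for e in entries if not is_cloaked_name(name_of(e))]


def cross_view_diff(trusted, hooked_view, name_of=lambda e: e):
    """Cross-view detection: names present in the trusted listing but
    absent from the API's answer are the objects the rootkit is hiding."""
    visible = {name_of(e) for e in hooked_view}
    return sorted(name_of(e) for e in trusted if name_of(e) not in visible)


def hidden_files():
    """Files a detector like Blacklight would report: disk view vs. Explorer."""
    return cross_view_diff(RAW_FILES, rootkit_filter(RAW_FILES))


def hidden_processes():
    """Processes hidden from the Task Manager process list."""
    name = lambda p: p[0]
    return cross_view_diff(RAW_PROCESSES,
                           rootkit_filter(RAW_PROCESSES, name_of=name),
                           name_of=name)


if __name__ == "__main__":
    print("Explorer sees:      ", rootkit_filter(RAW_FILES))
    print("hidden files:       ", hidden_files())
    print("hidden processes:   ", hidden_processes())
```

Two caveats follow from the model. Cross-view detection works only while the rootkit leaves the low-level path alone; a detector that reads the disk or kernel structures through the same hooked API sees the same filtered view and finds nothing. And because the rule is purely name-based, any program that adopts the prefix inherits the cloak, which is exactly what Troj/Stinx-E did: the rootkit protected whatever carried the right name, not just XCP’s own files.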

At first, the F-Secure researchers were reluctant to label the Sony BMG rootkit a security threat, since it was obviously being used for copy protection, not to spread viruses or spawn pop-up ads. “DRM as such is not bad,” says Santeri Kangas, F-Secure’s director of research. “But when we analyzed what this could do as a vehicle for malware, we took a stand and said, ‘Well, this is dangerous.’”

F-Secure contacted Sony about the rootkit vulnerability on October 17. But the relationship got off to a bad start, according to Kangas. Not knowing whom to approach, F-Secure took the problem first to Sony DACD, an Austrian subsidiary that manufactures CDs. “They said, ‘Thank you, but this is from Sony BMG,’” Kangas recounts. When he and his colleagues finally reached Sony BMG’s Los Angeles headquarters, “The first reaction we got was, why were we talking about their copy protection software with a competing unit of Sony? They were rather angry.”

Once the recriminations passed, Sony BMG DRM managers asked Kangas and his staff to work with First 4 Internet on a way to safeguard owners of the protected CDs. “From our point of view, the only solution with this first version of XCP was to stop deploying it,” says Kangas. “But that was something they clearly didn’t want to do.” According to Kangas, First 4 Internet’s plan was simply to release a new version of XCP in 2006 without the rootkit – not to replace the millions of discs that had already been purchased – and offer an uninstaller tool to customers who asked for it.

Kangas and his team readied a public report on the rootkit but were waiting for First 4 Internet’s uninstaller before releasing it, as courtesy in the Internet security business demands. That’s when they were beaten to the punch by a Texan named Mark Russinovich.

Russinovich and colleague Bryce Cogswell are the authors of Sysinternals.com, one of the leading U.S. blogs on computer security. Russinovich is also the chief software architect at Austin-based Winternals Software and, by chance, the inventor of some of the very cloaking techniques used by XCP. He and Cogswell had spent part of 2005 working on Rootkit Revealer, a detection program similar to F-Secure’s Blacklight. One day in late October, Russinovich was running Rootkit Revealer on his own PC as part of a test to make sure the program wasn’t generating false positives. Russinovich says he purposely avoids the seedier areas of the Internet in order to keep his machine clear of malware – so he was astonished when Rootkit Revealer found actual rootkit files.

Just as Guarino had, Russinovich discovered that deleting the files disabled his CD-ROM drive. “Even a sophisticated home user, if they attempted to uninstall the rootkit by deleting the files, would end up crippling their machine,” Russinovich says. But since he had himself come up with most of the tricks Windows rootkits use to deceive the operating system and other applications, he wasn’t stymied. Russinovich was able to bypass the rootkit’s cloaking function and – after remembering that he’d recently played the copy-protected Sony BMG disc Get Right with the Man on his computer – trace the files it had been hiding to First 4 Internet and Sony BMG.

“It was disturbing to me, the fact that this thing had installed rootkit software on my PC,” Russinovich says. “It had installed itself without telling me. There didn’t appear to be any uninstaller. But what was most surprising of all was to run into a rootkit that was part of a well-known company’s DRM.”

Russinovich did not contact Sony BMG about his discovery; rather, he poured his findings into an angry blog entry published on Halloween. Within hours, Russinovich’s post was picked up by Slashdot, the famous home of “News for Nerds.” And from there the rootkit story raged across the blogosphere and even into mainstream newspapers. F-Secure – though it had been scooped by Russinovich – quickly got back into the game, publishing its own analysis of the rootkit on November 1.

Among music fans and technology watchers, reaction to the rootkit news was explosive. Within days, anti-DRM activists launched several boycotts against Sony BMG. “Sony aims at pirates – and hits users,” blared a November 9 headline in the Christian Science Monitor. Antivirus and security companies issued warnings advising consumers to avoid or return the Sony BMG discs. Bloggers fanned the flames; the word “rootkit” appeared in blogs 150 to 750 times every day throughout November, according to blog search engine Technorati.

Tempers flared further after November 4, when Russinovich announced in his blog that other software accompanying XCP on the Sony BMG discs “phoned home,” contacting Sony BMG over the Internet every time a user played a protected CD. Acting on a tip from a Finnish hacker and computer science student named Matti Nikki, Russinovich used a “network tracing” program to analyze traffic flowing into and out of his computer. He found that during startup, the protected CDs would check with a server at Sony BMG for fresh material for a rotating banner advertisement displayed with the player. This exchange was innocuous enough; but to Russinovich and readers of his blog, the affront was that Sony BMG had not disclosed in the CDs’ EULAs that the software would send data to the company or spelled out how that data would be used. “I doubt Sony is doing anything with the data,” Russinovich wrote, “but with this type of connection, their servers could record each time a copy-protected CD is played and the IP address [the location on the Internet] of the computer playing it.”

Security professionals, bloggers, and music fans weren’t the only ones who were dismayed. The U.S. Department of Homeland Security criticized Sony BMG for releasing products that undermined antivirus software and exposed both government-owned and privately owned computers to hackers. At a November 10 trade conference on piracy, Stewart Baker, the department’s assistant secretary for policy, chastised big media for its obsession with DRM. “It’s very important to remember that it’s your intellectual property, [but] it’s not your computer,” Baker said.

Over and over again, people who encountered the rootkit expressed a sense of violation. John Guarino, the computer consultant, offers this analogy: “Say you want to install cable TV in your apartment. You call the cable company. They say someone is going to come and install it. The cable guy makes you sign something before he comes into the apartment. Then you find out he didn’t actually leave the apartment when he was done. He is still hiding. And you call the company and say, ‘This guy is still here,’ and they say, ‘But you signed the document.’ And you say, ‘Yeah, but he still shouldn’t be here. Where is he?’ and they say, ‘We’re not going to tell you that.’

“And not only is this guy hiding inside your apartment – he’s actually eating from your refrigerator, drinking your water, using the bathroom, and you can’t stop him. He could be inviting other friends over and letting them in. And if you try to find him and take him out yourself, he’s going to throw bombs, and you’ll have to call the construction guys to rebuild your whole apartment.

“That’s what Sony is doing. The rootkit uses your processor, it uses your memory, your hard disk. You can’t take it out easily, because they won’t tell you how. If you try to take it out, it actually messes up your computer. The only solution is to reinstall the whole operating system. It’s total lawlessness, and it’s unacceptable.”

Facing the Music
Despite the warnings from F-Secure in late October, Sony BMG was surprised by the controversy. Indeed, for days after Russinovich’s analysis hit the news, company executives showed little understanding of the fury it was arousing in the hearts of many of its customers. “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” Sony BMG’s Hesse said in an interview with National Public Radio on November 4.

But for the owners of the more than two million XCP-protected discs sold by Sony BMG between January and November, the reports came as a shock. Security flaws in commercial software are common; Microsoft’s products, for example, are so widely used that even the tiniest bug will eventually be discovered and exploited by a malware author, so the software giant publishes updates and patches on a monthly basis. But no software or media company of the stature of Sony BMG had ever distributed a program that, in the judgment of security experts, was deliberately designed to mimic malware.

Sony BMG did not immediately apologize but did try to solve the problem. Its first step, in early November, was to publish a Web-based program that customers could use to remove XCP from their systems. The move didn’t help matters. Matti Nikki in Finland discovered that a file that the uninstaller placed on a user’s computer to facilitate communication with Sony BMG’s servers could later be exploited by any website that wanted to send and execute malicious code. The uninstaller posed “a far greater security risk than even the original Sony rootkit,” according to Felten and Halderman, who verified Nikki’s discovery on November 15 in their widely followed blog, Freedom to Tinker.

A few days later, Sony BMG replaced the Web-based uninstaller with a safer, downloadable one. And gradually, the company seemed to recognize the scope of the public-relations disaster it faced. On November 11, Sony BMG announced that it would stop manufacturing music CDs with XCP. On November 14, the company said it regretted the inconvenience it had caused its customers and announced an exchange program to replace XCP–protected discs with new ones without the rootkit.

According to media reports, consumers had purchased 2.1 million of the copy-protected CDs. How many of these customers actually played the CDs on their computers, thus unwittingly installing the rootkit, is not clear. But Dan Kaminsky, an independent security researcher in Seattle, discovered evidence linking Sony’s rootkit to hundreds of thousands, if not millions, of systems across 131 countries. He calls that number “enormous,” especially when compared with figures for the spread of Internet worms and viruses. Kaminsky posted the statistics on his website, doxpara.com, along with world maps showing the locations of affected networks.

Sony BMG, meanwhile, tried to respond to the specific worries raised by Russinovich, Kaminsky, and others. In a November 18 letter to the Electronic Frontier Foundation, which had earlier published its own open letter criticizing Sony BMG’s handling of the XCP episode, Sony counsel Jeffrey Cunard said that the company would never disclose the Internet addresses collected when XCP phoned home and that, in any case, these addresses were never associated with personally identifiable information. He also said that Sony BMG would be more careful in the future about evaluating copy-protection software and the EULAs that come with it. “Any present and future copy protection technology used by Sony BMG will be tested, verified, and disclosed to consumers,” Cunard wrote.

Sony BMG representatives contacted by Technology Review in March and April would not name the executives responsible for licensing XCP from First 4 Internet or releasing the copy-protected discs, and they declined to make executives available for interviews. However, Cory Shields, director of the company’s communications office, said it was never Sony BMG’s intention to include software that caused security concerns on its compact discs. “The company’s intent was to deliver a technology that was consumer friendly, that would let people pursue the functionality that they wanted,” Shields said. “It certainly wasn’t the company’s intent to create a problem.”

Zone of Freedom
The recalls, exchanges, and apologies of November 2005 did not put the matter to rest. New York attorney general Eliot Spitzer criticized Sony in late November, after investigators found that discs carrying XCP had not yet been removed from stores. The Federal Trade Commission opened an inquiry, and Texas attorney general Greg Abbott sued Sony BMG for violating the state’s antispyware laws. Plaintiffs in at least five states filed suit, claiming damages against Sony BMG for impairing their computers.

Sony dealt with these suits quickly. Before December was out, the company had reached a tentative settlement with attorneys, who had consolidated the suits into a single complaint in the U.S. District Court for southern New York. The settlement provides anyone who owns a disc with XCP with a replacement disc, a $7.50 cash payment, and (ironically) free digital downloads of the music on the CD and up to three others. At press time, the court had not yet approved the full settlement, but the replacement program had begun.

But anger over the rootkit in the media and the blogosphere persisted even after news of the proposed settlement. What truly bothered consumers, it seemed, was not the damage done to their computers: the Troj/Stinx-E Trojan horse had not spread far, and there wasn’t time for a serious epidemic of other malware exploiting the XCP rootkit to emerge. Rather, CD buyers were upset that the software deliberately concealed its presence and contacted Sony BMG without their permission. They felt that XCP had trespassed against fundamental protections – the rights to privacy and private ownership and the freedoms of expression and access to information.

“I’m a music fan, and I’ve been watching with dismay the whole march of DRM, to the point that you practically have to sign a contract to open a CD box,” says Tim Jarrett, a Framingham, MA, Web developer and technology blogger. “So when I saw that Sony was not only including this DRM but doing it in such a way that it was opening up people’s computers to being exploited, I think something inside me just kind of snapped.” Jarrett decided to start the Sony Boycott Blog, which functioned for three months as one of the main clearinghouses for information about the rootkit saga. Judging from the comments they left, Jarrett’s readers – who numbered up to 5,000 per day – were just as irked. “You have a zone of personal freedom – a personal space within which you can decide, for example, to read a book back to front, or read it 20 times, or make margin notes, or read it in the bathtub, or do a skit acting out the book to a friend,” says law professor Julie Cohen, who studies intellectual-property and data privacy law at the Georgetown University Law Center. “And having an automatic policeman or even just a flat-out architectural prohibition that appropriates that personal space is something that people experience as very intrusive.”

“I think we’re in this period where the content providers are trying to push the boundaries,” says Mark Russinovich. “They want to see just how far they can go to protect their content, and where that fine line is between protecting their content from casual piracy and annoying the consumer.”

Good DRM
The questions raised by the Sony BMG rootkit saga are whether protecting content necessarily means violating consumers’ right to control their private property, compromising the computer’s role as an instrument of culture and creativity, and sacrificing the principle of “fair use” (a provision in U.S. copyright law that allows the reproduction of copyrighted works for purposes of criticism, reporting, research, and archiving).

The initial signs are not good. Sony BMG’s blunder – however inadvertent it may have been – was an indication to many observers that copyright holders are in fact escalating the technology war, choosing to meddle more and more deeply with the workings of customers’ computers in a hasty and careless effort to limit freeloading.

“If Sony didn’t stop and take the time to ask First 4 Internet what XCP actually did, it’s their fault,” says Schneier of Counterpane Internet Security. “I find First 4 Internet less culpable, because Sony wanted to buy some sort of magic bullet, and they just said, ‘Here, use ours.’”

Sony BMG has never fully accepted the blame; even in the December settlement agreement the company denied that it bore any legal liability or that anyone had been damaged by any wrongful conduct. Still, by most measures of corporate responsibility, Sony BMG has gone to remarkable lengths to make up for the rootkit fiasco. The company now seems to be wary of crossing Russinovich’s “fine line.” “There has to be a balance struck between protection of content and nurturing and protection of technology,” acknowledges Sony BMG spokesman Cory Shields.

Indeed, Sony BMG’s mistakes in the rootkit case provide some insights into what good digital rights management would, by contrast, look like.

First, say computer security professionals, good DRM should be transparent. To these professionals, the rootkit episode carried secrecy too far. If a rootkit provides a hiding place for viruses, worms, and Trojans, it makes the job faced by computers’ virus-scanning software much more difficult. And if more legitimate companies start to design their software to mimic malware, that job becomes nearly impossible. “Now all of your security software has to distinguish between ‘good’ malicious code and ‘bad’ malicious code,” Schneier says.

To be consumer friendly, therefore, DRM software must be computer friendly. It should not hide itself from the computer’s operating system, nor take up more than its share of processing or memory. And the terms of use and functions of the software should be spelled out in a way that is clear to the user, not buried in a 20-page EULA. “People should understand the bargain they are making and the restrictions they may be subject to,” says David Sohn, a staff counsel specializing in intellectual-property law at the Center for Democracy and Technology in Washington, DC.

Second, DRM technology should respect users’ privacy and security. It should collect only that personal information needed for authentication, and only after obtaining the users’ consent. And content protection measures cannot be implemented at the expense of a computer system’s security against real malware.

Third, good DRM should be user serviceable. If a DRM system breaks, consumers should still be able to access the content they purchased, and if it becomes a security threat, they should be able to turn it off. Yet under the U.S. Digital Millennium Copyright Act (DMCA) of 1998, it is unlawful to circumvent the technology protecting digital content. There is no exception for cases such as that of the Sony BMG rootkit, where the DRM technology itself may be causing harm. This bizarre situation might be remedied if efforts by some lawmakers to amend the DMCA succeed. On December 14, for the third congressional session in a row, Rep. Zoe Lofgren, a Democrat from Silicon Valley, introduced a bill that would make it legal to circumvent DRM technology if the unprotected content is then used for noninfringing purposes, such as archiving. Lofgren’s bill has been referred to the House Committee on the Judiciary, where it awaits review.

Fourth, and perhaps most important, good DRM technology should be flexible. The proposition Sony BMG made to customers with XCP was rather skimpy: buy this CD for $13.98 and you can make three copies, in Windows Media Audio format only. The copies can’t be copied – and they won’t play on other people’s computers. Reasonable DRM, by contrast, would give consumers the freedom to use the content they’ve purchased in noninfringing ways, such as ripping it to their computers and uploading it to their mobile players, or perhaps let them choose exactly how they would like to use the content and charge accordingly. Time-shifting (recording live audio feeds for consumption later), place-shifting (streaming music over the Internet from a home computer to a remote location), or even sampling and remixing might all come with different price tags. “The marketplace should reward or punish products based on whether they are providing the flexibility people want,” Sohn says.

Some DRM technologies offer increasing flexibility. Sohn points to FairPlay, the DRM system behind Apple’s iTunes, as one example other content distributors might do well to imitate: customers can listen to FairPlay-protected songs on a computer, make playlists, burn those playlists to CDs, and move the songs to portable devices. (Sohn is not a fan of FairPlay’s inability to operate with non-Apple products, however.) The success of the iTunes music store, Sohn says, suggests that this combination of features is “meeting consumer demand.” TiVo to Go is another example: owners of TiVo digital video recorders can transfer recorded shows to DVDs, desktop PCs, laptops, and mobile devices such as the video iPod and Sony’s PlayStation Portable.

But for every iTunes and TiVo, there are still numerous examples of restrictive DRM schemes that treat customers like criminals. Until there is consensus about what rights consumers deserve and which restrictions are necessary to protect the incomes of artists and their studios, buying digital content will probably continue to be a thorny business.

“There is absolutely a right for the holders of intellectual property to protect that property,” says Stephen Toulouse, security program manager at the Microsoft Security Response Center, where researchers spent weeks last fall helping Windows users respond to the rootkit epidemic. “But as a consumer myself, I’d like to see software vendors and studios getting feedback from consumers and creating technologies that reflected it.”

In the end, then, the record labels’ best response to falling music revenues may be to exercise more imagination, not more control.

Wade Roush is senior editor at Technology Review.