In 2005 it was revealed that the implementation of copy protection measures on about 22 million CDs distributed by Sony BMG installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.
Sony BMG initially denied that the rootkits were harmful. It then released an uninstaller for one of the programs that merely made the program's files invisible while also installing additional software that could not be easily removed, collected an email address from the user and introduced further security vulnerabilities.
Following public outcry, government investigations and class-action lawsuits in 2005 and 2006, Sony BMG partially addressed the scandal with consumer settlements, a recall of about 10% of the affected CDs and the suspension of CD copy-protection efforts in early 2007.
In August 2000, statements by Sony Pictures Entertainment U.S. senior vice president Steve Heckler foreshadowed the events of late 2005. Heckler told attendees at the Americas Conference on Information Systems: "The industry will take whatever steps it needs to protect itself and protect its revenue streams ... It will not lose that revenue stream, no matter what ... Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source – we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC ... These strategies are being aggressively pursued because there is simply too much at stake." [1]
In Europe, BMG created a minor scandal in 2001 when it released Natalie Imbruglia's second album White Lilies Island without warning labels stating that the CD contained copy protection. [2] [3] The CDs were eventually replaced. [2] [3] BMG and Sony both released copy-protected versions of certain releases in certain markets in late 2001, [4] [5] and a late 2002 report indicated that all BMG CDs sold in Europe would contain some form of copy protection. [6]
The two pieces of copy-protection software at issue in the 2005–2007 scandal were included on over 22 million CDs [7] marketed by Sony BMG, the record company formed by the 2004 merger of Sony and BMG's recorded music divisions. About two million of those CDs, [7] spanning 52 titles, contained First 4 Internet (F4I)'s Extended Copy Protection (XCP), which was installed on Microsoft Windows systems after the user accepted the EULA, which made no mention of the software. The remaining 20 million CDs, [7] spanning 50 titles, [8] contained SunnComm's MediaMax CD-3, which was installed on either Microsoft Windows or macOS systems after the user was presented with the EULA, regardless of whether the user accepted it. However, macOS prompted the user for confirmation when the software attempted to modify the OS, whereas Windows did not.
The scandal began on October 31, 2005, when Winternals researcher Mark Russinovich posted to his blog a detailed description and technical analysis of F4I's XCP software, which he determined had been recently installed on his computer by a Sony BMG music CD. Russinovich compared the software to a rootkit because of its surreptitious installation and its efforts to hide its existence. He noted that the EULA did not mention the software, and he charged that the software was illegitimate and that digital rights management had "gone too far". [9]
Anti-virus firm F-Secure concurred: "Although the software isn't directly malicious, the used rootkit hiding techniques are exactly the same used by malicious software to hide. The DRM software will cause many similar false alarms with all AV software that detect rootkits. ... Thus it is very inappropriate for commercial software to use these techniques." [10] After public pressure, Symantec [11] and other anti-virus vendors included detection for the rootkit in their products as well, and Microsoft announced that it would include detection and removal capabilities in its security patches. [12]
Russinovich discovered numerous problems with XCP:
Soon after Russinovich's first post, several trojans and worms exploiting XCP's security holes appeared. [13] Some even used the vulnerabilities to cheat in online games. [14]
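The detection approach that exposed XCP, and the way later malware rode on its cloak, can be shown with a small cross-view comparison in the style of the rootkit-detection tools of the time. This is an added example, not code from Russinovich, Sysinternals, Sony BMG or First 4 Internet: the directory is enumerated once through a "hooked" view that silently drops names matching a cloak rule, and once through a raw view; anything present only in the raw view is flagged. The file names, the `$sys$` prefix rule and the `VENDOR_OWNED` allowlist are constructed sample data for this illustration, not a capture from an XCP system.

```python
"""Cross-view detection of a name-prefix file cloak (added example).

Two listings of the same directory are compared: the view an ordinary
application gets through a filtered (hooked) API, and a raw view that
bypasses the filter. Entries that exist only in the raw view are hidden
by something sitting between the two layers, which is the classic
rootkit footprint. The hidden set is then split into the vendor's own
files and foreign riders, because once a cloak hides everything with a
given prefix, any other program can hide by adopting that prefix.
All names below are constructed sample data, not a real capture.
"""

# Prefix the constructed cloak filters out. Chosen for this example to
# illustrate a name-based hiding rule; it is not taken from an XCP binary.
CLOAK_PREFIX = "$sys$"

# Constructed "raw" listing, as a low-level scan that bypasses the hooked
# API would see it.
RAW_LISTING = [
    "ntoskrnl.exe",
    "drivers\\aries.sys",
    "$sys$filesystem\\aries.sys",
    "$sys$DRMServer.exe",
    "$sys$drv.exe",  # constructed stand-in for a trojan abusing the cloak
    "notepad.exe",
]

# Constructed allowlist of names the vendor's own package is expected to hide.
VENDOR_OWNED = {"$sys$filesystem\\aries.sys", "$sys$DRMServer.exe"}


def hooked_listing(raw):
    """Simulate the filtered view: the cloak drops every name carrying the prefix."""
    return [name for name in raw if not name.lower().startswith(CLOAK_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Entries the raw scan sees but the API view does not: the cloak's footprint."""
    return sorted(set(raw_view) - set(api_view))


def triage(hidden, vendor_owned):
    """Split hidden entries into the vendor's own files and foreign riders."""
    own = sorted(name for name in hidden if name in vendor_owned)
    foreign = sorted(name for name in hidden if name not in vendor_owned)
    return own, foreign


def scan(raw=RAW_LISTING, vendor_owned=VENDOR_OWNED):
    """Run the cross-view comparison and return the classified result."""
    hidden = cross_view_diff(hooked_listing(raw), raw)
    own, foreign = triage(hidden, vendor_owned)
    return {"hidden": hidden, "vendor_owned": own, "foreign": foreign}


if __name__ == "__main__":
    result = scan()
    print("hidden by cloak:  ", result["hidden"])
    print("vendor's own:     ", result["vendor_owned"])
    print("foreign riders:   ", result["foreign"])
```

The point of the triage step is the one US-CERT and the anti-virus vendors made: a cloak cannot tell whose files it is hiding. On a real system the raw view comes from reading the file system or kernel structures directly rather than from a list, but the comparison logic is the same.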
Sony BMG quickly released software to remove the rootkit component of XCP from affected Microsoft Windows computers, [15] but after Russinovich analyzed the utility, he reported in his blog that it only exacerbated the security problems and raised further concerns about privacy. [16] Russinovich noted that the removal program merely unmasked the hidden files installed by the rootkit but did not actually remove the rootkit. He also reported that it installed additional software that could not be uninstalled. In order to download the uninstaller, he found that it was necessary to provide an e-mail address (which the Sony BMG Privacy Policy implied was added to various bulk e-mail lists) and to install an ActiveX control containing backdoor methods; the control was marked "safe for scripting", so any web page the user visited could invoke those methods. [17] [18] Microsoft later issued a killbit for the ActiveX control.
On November 18, 2005, Sony BMG provided a "new and improved" removal tool to remove the rootkit component of XCP from affected Microsoft Windows computers.
On November 15, 2005, vnunet.com announced [19] that Sony BMG was backing out of its copy-protection software, recalling unsold CDs from all stores and allowing consumers to exchange affected CDs for versions without the software. The Electronic Frontier Foundation compiled a partial list of CDs with XCP. [20] Sony BMG maintained that "there were no security risks associated with the anti-piracy technology" despite numerous virus and malware reports. On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. It said that XCP uses rootkit technology to hide certain files from the user and that the technique is a security threat to users. They also said that one of the uninstallation options provided by Sony BMG introduces further vulnerabilities. US-CERT advised: "Do not install software from sources that you do not expect to contain software, such as an audio CD." [21]
Sony BMG announced that it had instructed retailers to remove any unsold music discs containing the software from their shelves. [22] Internet-security expert Dan Kaminsky estimated that XCP was in use on more than 500,000 networks. [23]
CDs with XCP technology can be identified by the letters "XCP" printed on the back cover of the jewel case for the CD, according to Sony BMG's XCP FAQ. [24]
On November 18, 2005, Reuters reported that Sony BMG would exchange affected unsecure CDs for new unprotected discs as well as unprotected MP3 files. [25] As a part of the swap program, consumers could mail their XCP-protected CDs to Sony BMG and receive an unprotected disc via return mail.
On November 29, investigators for New York attorney general Eliot Spitzer found that, despite the recall of November 15, Sony BMG CDs with XCP were still for sale at some New York City music retail outlets. Spitzer said: "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year, [and] I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony." [26]
The next day, Massachusetts attorney general Tom Reilly announced that Sony BMG CDs with XCP were still available in Boston despite the Sony BMG recall of November 15. [27] He advised consumers not to purchase the Sony BMG CDs with XCP and said that he was conducting an investigation of Sony BMG.
Sony BMG's website offered consumers a link to "Class Action Settlement Information Regarding XCP And MediaMax Content Protection" [28] with online claim filing and links to software updates and uninstallers. The deadline for submitting a claim was June 30, 2007. The website offered an explanation of the events as well as a list of all affected CDs. [29]
On November 21, 2005, Texas attorney general Greg Abbott sued Sony BMG. [30] The suit was the first filed by a U.S. state and was also the first filed under the state's 2005 spyware law. It alleged that the company surreptitiously installed the spyware on millions of CDs.
On December 21, 2005, Abbott added new allegations to the lawsuit, [31] claiming that MediaMax violated the state's spyware and deceptive trade practices laws because the MediaMax software would be installed on a computer even if the user declined the license agreement authorizing the action. Abbott stated: "We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music", and "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes." In addition to violations of the Consumer Protection Against Computer Spyware Act of 2005, which allowed for civil penalties of $100,000 for each violation of the law, the alleged violations added in the updated lawsuit carried maximum penalties of $20,000 per violation. [32] [33] Sony was ordered to pay $750,000 in legal fees to Texas, accept customer returns of affected CDs, place a conspicuous detailed notice on its homepage, make "keyword buys" to alert consumers by advertising with Google, Yahoo! and MSN, pay up to $150 per damaged computer and agree to other remedies. Sony BMG also had to agree that it would not bring any claim that the legal settlement in any way constitutes the approval of the court. [34]
Class-action suits were filed against Sony BMG in New York and California. [35]
On December 30, 2005, the New York Times reported that Sony BMG had reached a tentative settlement of the lawsuits, proposing two ways of compensating consumers who had purchased the affected CDs. [36] According to the proposed settlement, those who had purchased an XCP CD would be paid $7.50 per purchased recording and provided the opportunity to download either a free album or three additional albums from a limited list of recordings if they elected to forgo the cash incentive. District judge Naomi Reice Buchwald entered an order tentatively approving the settlement on January 6, 2006.
The settlement was designed to compensate those whose computers were infected but were not otherwise damaged. Those who had incurred damages not addressed in the class-action suit were free to opt out of the settlement and pursue their own litigation.
A fairness hearing was held on May 22, 2006, in New York. Claims were required to be submitted by December 31, 2006. Class members who wished to be excluded from the settlement were required to have filed before May 1, 2006. Those who remained in the settlement could attend the fairness hearing at their own expense and speak on their own behalf or be represented by an attorney.
In Italy, ALCEI (an association similar to EFF) also reported the rootkit to the Financial Police, asking for an investigation under various computer crime allegations, along with a technical analysis of the rootkit. [37] [38]
The U.S. Department of Justice made no comment on whether it would take any criminal action against Sony. However, Stewart Baker of the Department of Homeland Security publicly admonished Sony, stating, "it's your intellectual property—it's not your computer." [39]
On November 21, the EFF announced that it was also pursuing a lawsuit over both XCP and the SunnComm MediaMax DRM technology. The EFF lawsuit also involved issues concerning the Sony BMG end-user license agreement.
It was reported on December 24, 2005, that Florida attorney general Charlie Crist was investigating Sony BMG spyware. [40]
On January 30, 2007, the U.S. Federal Trade Commission (FTC) announced a settlement with Sony BMG on charges that the CD copy protection had violated federal law [41] —Section 5(a) of the Federal Trade Commission Act, 15 USC 45(a)—by engaging in unfair and deceptive business practices. [42] The settlement required Sony BMG to reimburse consumers up to $150 to repair damage that resulted directly from its attempts to remove the software installed without their consent. [41] The settlement also required them to provide clear and prominent disclosure on the packaging of future CDs of any limits on copying or restrictions on the use of playback devices, and the company was prohibited from installing content-protection software without obtaining consumers' authorization. [41] FTC chairwoman Deborah Platt Majoras added: "Installations of secret software that create security risks are intrusive and unlawful. Consumers' computers belong to them, and companies must adequately disclose unexpected limitations on the customer use of their products so consumers can make informed decisions regarding whether to purchase and install that content." [43] [44]
Researchers found that Sony BMG and the makers of XCP also apparently infringed copyright by failing to adhere to the licensing requirements of various pieces of free and open-source software that was used in the program, [45] [46] including the LAME MP3 encoder, [47] mpglib, [48] FAAC, [49] id3lib, [50] mpg123 and the VLC media player. [51]
In January 2006, the developers of LAME posted an open letter stating that they expected "appropriate action" by Sony BMG, but that the developers had no plans to investigate or take action over the apparent violation of LAME's source-code license. [52]
Russinovich's report was discussed on popular blogs almost immediately following its release. [53]
NPR was one of the first major news outlets to report on the scandal on November 4, 2005. Thomas Hesse, Sony BMG's president of global digital business, said: "Most people, I think, don't even know what a rootkit is, so why should they care about it?" [54]
In a November 7, 2005 article, vnunet.com summarized Russinovich's findings [55] and urged consumers to temporarily avoid purchasing Sony BMG music CDs. The following day, The Boston Globe classified the software as spyware, and Computer Associates' eTrust Security Management unit VP Steve Curry confirmed that the rootkit communicates personal information from consumers' computers (the CD being played and the user's IP address) to Sony BMG. [56] The methods used by the software to avoid detection were likened to those used by data thieves.
On November 8, 2005, Computer Associates classified Sony BMG's software as spyware and provided tools for its removal. [57] Russinovich said: "This is a step they should have taken immediately." [58]
The first virus to exploit Sony BMG's stealth technology to make malicious files invisible to both the user and antivirus programs surfaced on November 10, 2005. [59] One day later, Yahoo! News announced that Sony BMG had suspended further distribution of the controversial technology.
ZDNet News wrote: "The latest risk is from an uninstaller program distributed by SunnComm Technologies, a company that provides copy protection on other Sony BMG releases." The uninstall program obeys commands sent to it allowing others "to take control of PCs where the uninstaller has been used." [60]
On December 6, 2005, Sony BMG revealed that 5.7 million CDs spanning 27 titles were shipped with MediaMax 5 software. The company announced the availability of a new software patch to prevent a potential security breach in consumers' computers.
Sony BMG in Australia issued a press release indicating that no Sony BMG titles manufactured in Australia contained copy protection. [61]
Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.
A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.
Edward William Felten is the Robert E. Kahn Professor of Computer Science and Public Affairs at Princeton University, where he was also the director of the Center for Information Technology Policy from 2007 to 2015 and from 2017 to 2019. On November 4, 2010, he was named Chief Technologist for the Federal Trade Commission, a position he officially assumed January 3, 2011. On May 11, 2015, he was named the Deputy U.S. Chief Technology Officer. In 2018, he was nominated to and began a term as Board Member of PCLOB. Felten retired from Princeton University on July 1, 2021.
Sony BMG Music Entertainment was an American record company owned as a 50–50 joint venture between Sony Corporation of America and Bertelsmann. The venture's successor, the revived Sony Music, is wholly owned by Sony, following their buyout of the remaining 50% held by Bertelsmann. BMG was instead rebuilt as BMG Rights Management on the basis of 200 remaining artists.
Copy Control was the generic name of a copy prevention system, used from 2001 until 2006 on several digital audio disc releases by EMI Group and Sony BMG Music Entertainment in several regions. It should not be confused with the CopyControl computer software copy protection system introduced by Microcosm Ltd in 1989.
MediaMax CD-3 is a software package created by SunnComm which was sold as a form of copy protection for compact discs. It was used by the record label RCA Records/BMG, and targets both Microsoft Windows and Mac OS X. Elected officials and computer security experts regard the software as a form of malware since its purpose is to intercept and inhibit normal computer operation without the user's authorization. MediaMax received media attention in late 2005 in fallout from the Sony XCP copy protection scandal.
Nothing Is Sound is the fifth studio album by American alternative rock band Switchfoot. It was released on September 13, 2005 and debuted at number three on the Billboard 200. The first single from the album was "Stars," which was the number one most-added song on Modern Rock Radio and received much airplay on alternative rock stations upon release. A second single, "We Are One Tonight," was released in early 2006, though it did not enjoy much success on the Billboard charts.
CD/DVD copy protection is a blanket term for various methods of copy protection for CDs and DVDs. Such methods include DRM, CD-checks, Dummy Files, illegal tables of contents, over-sizing or over-burning the CD, physical errors and bad sectors. Many protection schemes rely on breaking compliance with CD and DVD standards, leading to playback problems on some devices.
12 Songs is the twenty-sixth studio album by Neil Diamond, released in 2005. It was his first studio album since 2001's Three Chord Opera. It was produced by Rick Rubin.
Life is the eighth studio album and the third English album recorded by Puerto Rican performer Ricky Martin. It was released by Columbia Records on October 10, 2005, in Europe, October 11, 2005, in the US and October 19, 2005, in Japan.
Extended Copy Protection (XCP) is a software package developed by the British company First 4 Internet and sold as a copy protection or digital rights management (DRM) scheme for Compact Discs. It was used on some CDs distributed by Sony BMG and sparked the 2005 Sony BMG CD copy protection scandal; in that context it is also known as the Sony rootkit.
Cactus Data Shield (CDS) is a form of CD/DVD copy protection for audio compact discs developed by Israeli company Midbar Technologies. It has been used extensively by EMI, BMG and their subsidiaries. CDS relies on two components: Erroneous Disc Navigation and Data Corruption.
Faso Latido is the second album by post-hardcore band A Static Lullaby. It was released in 2005 on Columbia Records, making it their only release on a major label. This album is one of the albums known to be affected by Extended Copy Protection. It is the last album with all five original members, recorded before Phil Pirrone and Nate Lindeman left to form Casket Salesmen and before the departure of former drummer Brett Dinovo. The album was originally to be titled "Watch the Sunlight Burn", but the title was changed prior to its release. A music video was created for the song "Stand Up".
Dreamin' My Dreams is the fourteenth album of original recordings by Patty Loveless. Released in September 2005, the album debuted on the Billboard Top Country Albums chart on October 1, 2005 at #29, staying on the charts for 8 weeks until November 26, 2005.
Windows Sysinternals is a website that offers technical resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. Originally, the Sysinternals website was created in 1996 and was operated by the company Winternals Software LP, which was located in Austin, Texas. It was started by software developers Bryce Cogswell and Mark Russinovich. Microsoft acquired Winternals and its assets on July 18, 2006.
Seven Year Ache is the third studio album by American country music singer Rosanne Cash, and her second for Columbia Records. It was released on February 28, 1981, and reached number one on the Billboard country album chart. Three singles were released from the album; in order of release they were the title track, "My Baby Thinks He's a Train", and "Blue Moon with Heartache".
Mary Mary is the third studio album by American duo Mary Mary. It was released by Columbia Records on July 19, 2005 in the United States, selling 57,000 copies in its first week. In 2006, the album won a Dove Award for Contemporary Gospel Album of the Year at the 37th GMA Dove Awards.
My Very Special Guests is a duet album by American country music artist George Jones, released in 1979 by Epic Records.