Sony’s Secret DRM and the Power of the Blogosphere
Sony BMG Music Entertainment placed Digital Rights Management (DRM) software onto its CDs in order to prevent people from copying the music on their computers. The software restricts the number of times that a person can copy a CD on his or her computer. According to a BBC article:
About 20 titles are thought to be using the XCP software and in May 2005 Sony said more than two million discs had been shipped using the technology. XCP is just one of several anti-piracy systems Sony is trying.
XCP only allows three copies of an album to be made and only allows the CD to be listened to on a computer via a proprietary media player. The hidden files are installed alongside the media player.
Sony had been using the software for about 8 months, until Mark Russinovich, a computer expert and blogger, discovered it and blogged about it on October 31, 2005.
According to an article in USA Today:
The controversy started Monday after Windows expert Mark Russinovich posted a Web log report on how he found hidden files on his PC after playing a Van Zant CD. He also said it disabled his CD drive after he tried to manually remove it.
Russinovich made the discovery while running a program he had written for uncovering file-cloaking “RootKits.” In this case, the Sony program hid the anti-piracy software from view. Similar technology also has been used by virus and worm writers to conceal their code.
A firestorm quickly erupted over what appeared to be an attempt by the music company to retain control over its intellectual property by secretly installing hidden software on the PCs of unsuspecting customers.
Sony’s End User License Agreement (EULA) said that software will be installed into people’s computers, but it did not mention that it would be hidden or hard to delete.
According to the BBC article, there was reason for computer users to be concerned about the hidden files:
Mr Russinovich feared that diligent users trying to keep their systems clean of viruses could stumble across the hidden XCP files, delete them and inadvertently cripple their computer.
His worries were echoed by Mikko Hypponen, chief research officer at Finnish security firm F-Secure, who has been looking into XCP since he first came across it in late September.
“What we are scared of is when we find a new virus written by someone that relies on the fact that this [XCP] software is running on tens of thousands of computers around the world,” he said. “The rootkit would hide that virus from pretty much any anti-virus program out there.”
After Russinovich blogged about finding the Sony software, the blogosphere erupted into action. According to a Reuters article:
Within 24 hours, online tech-news sites including SlashDot and CNet had posted news about Russinovich’s account. And by November 2, Sony BMG had posted instructions on its own site (cp.sonybmg/xcp) for removing the DRM.
This incident raises a number of interesting issues.
First, to what extent are Sony’s disclosures about the software adequate? This could potentially be a violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030. I’m no expert here, but the Act prohibits different forms of unauthorized access to computers. For example, the CFAA prohibits knowingly transmitting “a program, information, code, or command” or “intentionally access[ing] a protected computer without authorization” that causes damage to a protected computer. §1030(5)(A)(i).
An interesting discussion about the issue has emerged on Eric Goldman’s (law, Marquette) Technology & Marketing Law blog. According to Goldman:
Sony has the right to protect its music via DRM. Doing so may require the installation of client-side software. Sony has disclosed the install in the EULA. It seems like everything is legally kosher.
(One possible angle I haven’t seen addressed: when was the EULA presented, and what happened if a buyer balked at the EULA? In the context of a CD, it may be that the EULA wasn’t presented until after purchase. If the EULA doesn’t allow for a refund if the buyer doesn’t agree with its terms, the EULA disclosure may be too late from a legal standpoint).
According to the EULA:
As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.
Although this informs people that software will be installed into their computers, it doesn’t tell them much about the software, the fact that it is hidden, or the fact that it is very hard to remove or delete.
One issue is whether making the software hidden and difficult to delete constitutes “exceeding authorized access,” which is also prohibited under the CFAA. People may authorize limited access to their computers, but that doesn’t entitle one to have permanent access. If the software is hidden from view and extremely difficult to get rid of without causing damage, is it designed to stick around beyond what users are authorizing?
Second, how far can companies go in using DRM to protect their copyrights? This incident might very well run afoul of the law because Sony may not have made adequate disclosures to CD users. But what if Sony had clearly and explicitly disclosed the facts about the software? Any potential CFAA violation would then be significantly harder to establish.
Third, this incident displays the power of the blogosphere. Mark Russinovich’s post ignited an uproar across the blogosphere, the mainstream media picked up the story, and Sony quickly responded.