Worse and Worser
From the vantage point of Sony BMG'S corporate headquarters, it probably seemed like a good idea at the time. With music piracy up and profits down, it made complete sense to add some get-tough digital-rights management (DRM) to certain CDs. But what seemed smart in the corporate world led to a royal debacle in the real world.
As we reported last month, the world's second-largest music group used DRM technology that placed stealth software deep in your PC to limit your copying of certain CDs - and even to monitor your playback choices. Calling that unsportsmanlike behavior, security experts denounced the move, and the Internet buzzed with complaints. Sony BMG said it "deeply regretted any disruption this may have caused." The Bad Vibes meter was red-lining. Then things got really bad.
It all began when Sony BMG placed Extended Copyright Protection (XCP) software on 52 CDs. If you put one of the discs in a regular player, everything was fine. But if you popped it into your PC, you had to accept the antipiracy program and let it install a proprietary media player needed to play the CD. The program also installed hidden "rootkit" software deep in Windows. (Macs weren't affected.) Not only was the software difficult to detect, but it was also difficult to remove - to the point where inartful removal might disable your computer. Meanwhile, the software limited the number of copies you could burn and prevented you from loading the songs to an iPod (though it okayed some other MP3 players). It also included spyware that could report your music habits back to the home office (a common "feature" of many Web-based programs). To its (weak) credit, Sony BMG had devised a legalese disclosure that was displayed when the software was installed.
At best, the efficacy of the whole thing was debatable. Less debatable was an unexpected consequence. Spotting an opening, hackers spread several viruses (including Stinx-E) that exploited the Sony BMG rootkit. That's where the line was crossed. To protect its rights, Sony BMG had jeopardized the computer security of its customers.
After a few days of parrying, Sony BMG surrendered. It stopped making CDs with XCP. It recalled all the titles with the software, amounting to about 5 million discs, and offered to exchange the tainted CDs with new ones (www.upsrow.com/sonybmg). The company also posted a link (http://cp.sonybmg.com/xcp/english/updates.html) to software that would uninstall the files. (Adding to the confusion, early versions of the patch made computers vulnerable to other kinds of malicious code.) Lending a helping hand, Microsoft updated its Windows AntiSpyware with tools to detect and remove the rootkit. In other words, the damage control was extensive.
Not amused (or fully appeased), the Electronic Frontier Foundation, a digital-rights advocacy group, filed a lawsuit against Sony BMG for violating consumers' rights and antispyware statutes. And at least six other class-action lawsuits are pending.
The supreme irony? Many honest people avoid illegal file sharing precisely because they're afraid of contracting a virus. Now, they buy a Sony BMG disc, and it makes them vulnerable to - guess what? - viruses. Could anything be worse than that? Sure. What if music lovers, rightfully alarmed by the scary consequences of playing CDs, decided to just stop buying them altogether? That would be the worstest.