Sony faces music over spy software

Wired on Friday: It has, by any measure, been a terrible few days to be the head of music company Sony BMG. Chief executive Andy Lack was already hovering in the corners of the financial yellow pages after rumours of an attempted coup against him by executives from joint owners Bertelsmann. Then the furore over the software embedded in his company's music CDs hit.

And, as they say in his industry, the hits kept on coming. The original story was shocking enough: to dissuade customers from copying their own purchased music, Sony placed custom third-party software on at least 20 US CD releases. The program runs automatically when you place the CD in a Windows machine.

The problem is this. The software is trying to stop the owner of the computer from doing something that's eminently within his or her power - copying the music that is digitally stored on the CD. As with most copying, it's a simple procedure for a general purpose computer and there are a number of ways and commercial utilities to do it. And, in the US, it's also legal.

So how do you stop paying customers from using their computers to do a simple, legal task? In Sony BMG's case, it was by delivering a sneaky program onto every machine their CDs touched. The program had to be sneaky, because it was, in Sony BMG's eyes, enemy territory. It scanned for any program that might copy the precious CD - including Apple's iTunes and other legitimate software.

It concealed itself in the lowest layers of the computer's operating system. It ran constantly in the background, using up the computer's processing power to monitor whether any Sony BMG CD copying was being done, or whether someone was attempting to remove it. And it attempted to leave no trace that it was present, or that there was any way of removing it if found.

The security researcher who stumbled on this unwanted software was Mark Russinovich. He tracked the origin to Sony's CDs and was amazed, since he had expected the culprit to be a "malware" author. The software was almost indistinguishable from the programs criminals create to infect innocent machines and then disguise themselves on them. In computer security terms, Sony's copy protection was a "rootkit", a program designed to seize control of a computer and cover its tracks.

It got worse. After Sony grudgingly admitted that the software existed and offered a way to remove it for those who did not want an uninvited guest on their hard drive, the same researcher discovered issues with the uninstaller.

In a move designed to fan the flames, Sony forced angry customers to part with personal information, submit reasons, and install "new" software to delete the copy protection software.

And there's more. It turns out that this new software - designed to remove the old, bad software - has massive security flaws that could allow any website, not just Sony's, to remotely infect and control a compromised machine.

There are more twists and turns to this debacle, but suffice it to say that, by the time you read this, Sony BMG will be being dragged kicking and screaming into offering compensation to customers whose computers have been infected with its software - if only because at least three class action lawsuits are now pending against Sony.

The question that Lack and other executives should be asking is: what should they have done? The first answer is practical. By far the greatest part of Sony's problem is that it employed a third party to write the software and did not sufficiently audit it.

Most copy protection is, as long-time computer veterans will tell you, almost entirely a sham. At best it can temporarily slow down a determined infringer. At worst, it achieves that marginal slowdown by massively inconveniencing your lawful customer base. Any "digital rights management" software has to be treated with suspicion.

Secondly, don't get greedy. Sony BMG presumably set about its software jihad against its customers to prevent them from copying its CDs and placing songs on the internet. But once you start working against customers on their own computers, the temptation to increase your powers grows stronger.

Sony's product fiddled with the fragile structure of Windows, occupied memory and computer time and also sent messages to Sony's servers that revealed when customers were listening to their music. That's not something that stops piracy, nor is it behaviour that CD listeners expect from their purchase.

The truest resemblance between Sony's software and "rootkits" is the motive: to seize control of someone else's computer for your own gain, and their loss. If there had been a consumer benefit to this software, Sony wouldn't have had to hide it; and if there hadn't been a gain for Sony, the company would have backed down a long time ago and saved itself from a drawn-out public relations debacle.

It's an ill wind that blows no good though. The public has been warned to look out for sneaky software, even from apparently trustworthy sources. Music industry competitors will understand that digital rights management poses problems, and, one supposes, within Sony, Lack's enemies have another stick with which to beat him.