Following public outcry, government investigations and class-action lawsuits in 2005 and 2006, Sony BMG partially addressed the scandal with consumer settlements, a recall of about 10% of the affected CDs and the suspension of CD copy-protection efforts in early 2007.
In August 2000, statements by Sony Pictures Entertainment U.S. senior vice president Steve Heckler foreshadowed the events of late 2005.[1]
In Europe, BMG created a minor scandal in 2001 when it released Natalie Imbruglia's second album White Lilies Island without warning labels stating that the CD contained copy protection.
About two million of those CDs,[7] spanning 52 titles, contained First 4 Internet (F4I)'s Extended Copy Protection (XCP), which was installed on Microsoft Windows systems after the user accepted the EULA, which made no mention of the software.
The scandal began on October 31, 2005, when Winternals researcher Mark Russinovich posted to his blog a detailed description and technical analysis of F4I's XCP software that he determined had been recently installed on his computer by a Sony BMG music CD.[14]
Sony BMG quickly released software to remove the rootkit component of XCP from affected Microsoft Windows computers,[15] but after Russinovich analyzed the utility, he reported in his blog that it only exacerbated the security problems and raised further concerns about privacy.[20]
Sony BMG maintained that "there were no security risks associated with the anti-piracy technology" despite numerous virus and malware reports.
On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM.[21]
Sony BMG announced that it had instructed retailers to remove any unsold music discs containing the software from their shelves.
Spitzer said: "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year, [and] I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."[32][33]
Sony was ordered to pay $750,000 in legal fees to Texas, accept customer returns of affected CDs, place a conspicuous detailed notice on its homepage, make "keyword buys" to alert consumers by advertising with Google, Yahoo![35]
On December 30, 2005, the New York Times reported that Sony BMG had reached a tentative settlement of the lawsuits, proposing two ways of compensating consumers who had purchased the affected CDs.[42]
The settlement required Sony BMG to reimburse consumers up to $150 to repair damage that resulted directly from its attempts to remove the software installed without their consent.[41]
The settlement also required them to provide clear and prominent disclosure on the packaging of future CDs of any limits on copying or restrictions on the use of playback devices, and the company was prohibited from installing content-protection software without obtaining consumers' authorization.[41]
FTC chairwoman Deborah Platt Majoras added: "Installations of secret software that create security risks are intrusive and unlawful."[43][44]
Researchers found that Sony BMG and the makers of XCP also apparently infringed copyright by failing to adhere to the licensing requirements of various pieces of free and open-source software that was used in the program,[45][46] including the LAME MP3 encoder,[47] mpglib,[48] FAAC,[49] id3lib,[50] mpg123 and the VLC media player.
Thomas Hesse, Sony BMG's president of global digital business, said: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"[54]
In a November 7, 2005 article, vnunet.com summarized Russinovich's findings[55] and urged consumers to temporarily avoid purchasing Sony BMG music CDs.
The following day, The Boston Globe classified the software as spyware, and Computer Associates' eTrust Security Management unit VP Steve Curry confirmed that the rootkit communicates personal information from consumers' computers (the CD being played and the user's IP address) to Sony BMG.[58]
The first virus to exploit Sony BMG's stealth technology to make malicious files invisible to both the user and antivirus programs surfaced on November 10, 2005.[citation needed]
ZDNet News wrote: "The latest risk is from an uninstaller program distributed by SunnComm Technologies, a company that provides copy protection on other Sony BMG releases."