Sony BMG copy protection rootkit scandal: Difference between revisions
(122 intermediate revisions by 68 users not shown) | |||
Line 1: | Line 1: | ||
{{short description|Sony BMG's implementation of copy protection measures}} |
|||
⚫ | |||
{{use mdy dates |date=May 2020 }} |
|||
⚫ | |||
⚫ | In 2005 it was revealed that the implementation of [[copy protection]] measures on about 22 million [[compact disc|CD]]s distributed by [[Sony BMG]] installed one of two pieces of software that provided a form of [[digital rights management]] (DRM) by modifying the [[operating system]] to interfere with [[Compact Disc and DVD copy protection|CD copying]]. Neither program could easily be uninstalled, and they created [[Vulnerability (computing)|vulnerabilities]] that were exploited by unrelated [[malware]]. One of the programs would install and "[[phoning home|phone home]]" with reports on the user's private listening habits, even if the user refused its [[end-user license agreement]] (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of [[copyleft]]ed [[free software]] in an apparent [[Copyright infringement|infringement of copyright]], and configured the operating system to hide the software's existence, leading to both programs being classified as [[rootkit]]s. |
||
⚫ | Sony BMG initially denied that the rootkits were harmful. It then released an [[uninstaller]] for one of the programs that merely made the program's files invisible while also installing additional software that could not be easily removed, collected an [[email address]] from the user and introduced further security vulnerabilities. |
||
⚫ | |||
⚫ | Following public outcry, government investigations and [[Class action|class-action lawsuit]]s in 2005 and 2006, Sony BMG partially addressed the scandal with consumer settlements, a [[product recall|recall]] of about 10% of the affected CDs and the suspension of CD copy-protection efforts in early 2007. |
||
⚫ | Sony BMG initially denied that the rootkits were harmful. It then released |
||
⚫ | |||
==Background== |
==Background== |
||
In August 2000, statements by [[Sony Pictures Entertainment]] |
In August 2000, statements by [[Sony Pictures Entertainment]] U.S. senior vice president Steve Heckler foreshadowed the events of late 2005. Heckler told attendees at the [[Americas Conference on Information Systems]]: "The industry will take whatever steps it needs to protect itself and protect its [[revenue stream]]s ... It will not lose that revenue stream, no matter what ... Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall [[Napster]] at source – we will block it at your cable company. We will block it at your phone company. We will block it at your [[Internet service provider|ISP]]. We will firewall it at your PC ... These strategies are being aggressively pursued because there is simply too much at stake."<ref>Anastasi, Michael A. [http://www.nyfairuse.org/sony.xhtml "Sony Exec: We Will Beat Napster"] {{Webarchive|url=https://web.archive.org/web/20090318115847/http://www.nyfairuse.org/sony.xhtml |date=March 18, 2009 }}, ''New Yorkers For Fair Use'', August 17, 2000. Retrieved November 13, 2006.</ref> |
||
In Europe, BMG created a minor scandal in 2001 when it released [[Natalie Imbruglia]]'s second album |
In Europe, BMG created a minor scandal in 2001 when it released [[Natalie Imbruglia]]'s second album ''[[White Lilies Island]]'' without warning labels stating that the CD contained copy protection.<ref name="elreg">{{cite web |author=Smith, Tony |title=BMG to replace anti-rip Natalie Imbruglia CDs |publisher=The Register |date=2001-11-19 |url=https://www.theregister.co.uk/2001/11/19/bmg_to_replace_antirip_natalie/ |access-date=2009-08-24 |url-status=dead |archive-url=https://web.archive.org/web/20100217044257/https://www.theregister.co.uk/2001/11/19/bmg_to_replace_antirip_natalie/ |archive-date=2010-02-17 }}</ref><ref name=cnet>{{cite web | author = Borland, John | title = Customers put kibosh on anti-copy CD | publisher = CNET | date = 2001-11-19 | url = http://news.cnet.com/2100-1023-276036.html%26tag%3Dmn_hd | access-date = 2009-08-24 | archive-date = June 17, 2011 | archive-url = https://web.archive.org/web/20110617002457/http://news.cnet.com/2100-1023-276036.html%26tag%3Dmn_hd | url-status = live }}</ref> The CDs were eventually replaced.<ref name="elreg"/><ref name=cnet/> BMG and Sony both released copy-protected versions of certain releases in certain markets in late 2001,<ref name="newsci">{{cite web | author = Fox, Barry | title = NSync CD is copy protection 'experiment' | publisher = [[New Scientist]] | date = 2001-10-02 | url = https://www.newscientist.com/article/dn1367-nsync-cd-is-copy-protection-experiment.html | access-date = 2009-08-24 | archive-date = May 31, 2015 | archive-url = https://web.archive.org/web/20150531054935/http://www.newscientist.com/article/dn1367-nsync-cd-is-copy-protection-experiment.html | url-status = live }}</ref><ref name="idgmj">{{cite news | author = Rohde, Laura | title = Sony: Downbeat for a new online music battle | publisher = [[International Data Group|IDG]] | date = 2001-09-27 | url = http://archives.cnn.com/2001/TECH/industry/09/27/sony.music.battle.idg/index.html | access-date = 2009-09-26 | quote = On Tuesday, Sony confirmed that it had incorporated copy-protection software in promotional CD copies of the Michael Jackson single 'You Rock My World'. | archive-date = May 28, 2008 | archive-url = https://web.archive.org/web/20080528055019/http://archives.cnn.com/2001/TECH/industry/09/27/sony.music.battle.idg/index.html | url-status = dead }}</ref> and a late 2002 report indicated that all BMG CDs sold in Europe would contain some form of copy protection.<ref name="elregpirate">{{cite web | author = Lettice, John | title = 'No more music CDs without copy protection', claims BMG unit | publisher = The Register | date = 2002-11-06 | url = https://www.theregister.co.uk/2002/11/06/no_more_music_cds_without/ | access-date = 2009-08-24 | archive-date = August 10, 2017 | archive-url = https://web.archive.org/web/20170810133947/https://www.theregister.co.uk/2002/11/06/no_more_music_cds_without/ | url-status = live }}</ref> |
||
== Copy-protection software == |
== Copy-protection software == |
||
The two pieces of copy-protection software at issue in the 2005–2007 scandal were included on over 22 million CDs<ref name=EFFinfo>{{cite web|url=https://www.eff.org/cases/sony-bmg-litigation-info|title=Sony BMG Litigation Info|date=1 July 2011| |
The two pieces of copy-protection software at issue in the 2005–2007 scandal were included on over 22 million CDs<ref name=EFFinfo>{{cite web|url=https://www.eff.org/cases/sony-bmg-litigation-info|title=Sony BMG Litigation Info|date=1 July 2011|access-date=April 10, 2013|archive-date=April 1, 2013|archive-url=https://web.archive.org/web/20130401094122/https://www.eff.org/cases/sony-bmg-litigation-info|url-status=live}}</ref> marketed by Sony BMG, the record company formed by the 2004 [[Mergers and acquisitions|merger]] of Sony and BMG's recorded music divisions. About two million of those CDs,<ref name=EFFinfo/> spanning 52 titles, contained First 4 Internet (F4I)'s Extended Copy Protection (XCP), which was installed on [[Microsoft Windows]] systems after the user accepted the EULA, which made no mention of the software. The remaining 20 million CDs,<ref name=EFFinfo/> spanning 50 titles,<ref>[http://news.bbc.co.uk/1/hi/technology/4511042.stm "Anti-Piracy CD Problems Vex Sony"] {{Webarchive|url=https://web.archive.org/web/20060621211736/http://news.bbc.co.uk/1/hi/technology/4511042.stm |date=June 21, 2006 }}, BBC News. Retrieved November 22, 2006.</ref> contained SunnComm's [[MediaMax CD-3]], which was installed on either Microsoft Windows or [[macOS]] systems after the user was presented with the EULA, regardless of whether the user accepted it. However, macOS prompted the user for confirmation when the software attempted to modify the OS, whereas Windows did not. |
||
=== XCP rootkit === |
=== XCP rootkit === |
||
{{main|Extended Copy Protection}} |
{{main|Extended Copy Protection}} |
||
The scandal |
The scandal began on October 31, 2005, when [[Winternals]] researcher [[Mark Russinovich]] posted to his [[blog]] a detailed description and technical analysis of F4I's XCP software that he determined had been recently installed on his computer by a Sony BMG music CD. Russinovich compared the software to a [[rootkit]] because of its surreptitious installation and efforts to hide its existence. He noted that the [[End-user license agreement|EULA]] does not mention the software, and he charged that the software is illegitimate and that [[digital rights management]] had "gone too far".<ref>{{cite web |last=Russinovich |first=Mark |url=http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx |title=Sony, Rootkits and Digital Rights Management Gone Too Far |work=Mark's Blog |publisher=Microsoft MSDN |date=2005-10-31 |access-date=2009-07-29|archive-url=https://web.archive.org/web/20150317040653/http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx |archive-date=2015-03-17 }}</ref> |
||
Anti-virus firm [[F-Secure]] concurred: "Although the software isn't directly malicious, the used rootkit hiding techniques are exactly the same used by malicious software to hide |
Anti-virus firm [[F-Secure]] concurred: "Although the software isn't directly malicious, the used rootkit hiding techniques are exactly the same used by [[Malware|malicious software]] to hide. The DRM software will cause many similar false alarms with all AV software that detect rootkits. ... Thus it is very inappropriate for commercial software to use these techniques."<ref>Larvala, Samuli. [http://www.f-secure.com/v-descs/xcp_drm.shtml "F-Secure Rootkit Information : XCP DRM Software"], ''F-secure Computer Rootkit Information Pages,'' November 29, 2005. Retrieved November 1, 2006. {{webarchive |url=https://web.archive.org/web/20070114004321/http://www.f-secure.com/v-descs/xcp_drm.shtml |date=January 14, 2007 }}</ref> After public pressure, [[NortonLifeLock|Symantec]]<ref>[http://www.symantec.com/security_response/writeup.jsp?docid=2005-110615-2710-99 "SecurityRisk.First4DRM"] {{Webarchive|url=https://web.archive.org/web/20060819144604/http://www.symantec.com/security_response/writeup.jsp?docid=2005-110615-2710-99 |date=August 19, 2006 }}, ''Symantec Security Response,'' November 2005. Retrieved November 22, 2006.</ref> and other anti-virus vendors included detection for the rootkit in their products as well, and Microsoft announced that it would include detection and removal capabilities in its security patches.<ref>[http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html "Sony's DRM Rootkit: The Real Story"] {{Webarchive|url=https://web.archive.org/web/20060830154002/http://www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html |date=August 30, 2006 }}, ''Schneier On Security,'' November 17, 2005. Retrieved November 22, 2006.</ref> |
||
Russinovich discovered numerous problems with XCP: |
Russinovich discovered numerous problems with XCP: |
||
* It creates security holes that can be exploited by malicious software such as [[computer worm|worms]] or [[computer virus|viruses]]. |
* It creates [[Vulnerability (computing)|security holes]] that can be exploited by malicious software such as [[computer worm|worms]] or [[computer virus|viruses]]. |
||
* It constantly runs in the background and excessively consumes system resources, slowing down the user's computer, regardless of whether |
* It constantly [[Background process|runs in the background]] and excessively consumes system resources, slowing down the user's computer, regardless of whether a protected CD is playing. |
||
* It employs unsafe procedures to start and stop, which could lead to system |
* It employs unsafe procedures to start and stop, which could lead to [[Crash (computing)|system crash]]es. |
||
* It has no [[uninstaller]], and is installed in such a way that inexpert attempts to uninstall it can |
* It has no [[uninstaller]], and is installed in such a way that inexpert attempts to uninstall it can cause the operating system to fail to recognize existing drives. |
||
Soon after Russinovich's first post, |
Soon after Russinovich's first post, several [[Trojan horse (computing)|trojans]] and worms exploiting XCP's security holes appeared.<ref>[http://news.bbc.co.uk/2/hi/technology/4427606.stm "Viruses use Sony anti-piracy CDs"] {{Webarchive|url=https://web.archive.org/web/20160306033759/http://news.bbc.co.uk/2/hi/technology/4427606.stm |date=March 6, 2016 }}, ''BBC News'', 2005-11-11.</ref> Some even used the vulnerabilities to cheat in online games.<ref>{{cite web|url=https://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/|title=World of Warcraft hackers using Sony BMG rootkit|website=[[The Register]]|access-date=August 10, 2017|archive-date=July 2, 2017|archive-url=https://web.archive.org/web/20170702071126/http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/|url-status=live}}</ref> |
||
Sony BMG quickly released software to remove the rootkit component of XCP from affected Microsoft Windows computers,<ref>{{cite web |url=http://cp.sonybmg.com/xcp/english/updates.html |title=Information about XCP protected CDs |date=2007-10-17 | |
Sony BMG quickly released software to remove the rootkit component of XCP from affected Microsoft Windows computers,<ref>{{cite web |url=http://cp.sonybmg.com/xcp/english/updates.html |title=Information about XCP protected CDs |date=2007-10-17 |access-date=2011-06-20 |archive-url=https://web.archive.org/web/20071017025108/http://cp.sonybmg.com/xcp/english/updates.html |archive-date=2007-10-17 |url-status=dead }}</ref> but after Russinovich analyzed the utility, he reported in his blog that it only exacerbated the security problems and raised further concerns about privacy.<ref>[http://blogs.technet.com/markrussinovich/archive/2005/11/04/more-on-sony-dangerous-decloaking-patch-eulas-and-phoning-home.aspx "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home"] {{Webarchive|url=https://web.archive.org/web/20100506025509/http://blogs.technet.com/markrussinovich/archive/2005/11/04/more-on-sony-dangerous-decloaking-patch-eulas-and-phoning-home.aspx |date=May 6, 2010 }}, ''Mark's Blog,'' November 4, 2005. Retrieved November 22, 2006.</ref> Russinovich noted that the removal program merely unmasked the hidden files installed by the rootkit but did not actually remove the rootkit. He also reported that it installed additional software that could not be uninstalled. In order to download the uninstaller, he found that it was necessary to provide an e-mail address (which the Sony BMG Privacy Policy implied was added to various bulk e-mail lists) and to install an [[ActiveX|ActiveX control]] containing [[Backdoor (computing)|backdoor]] methods (marked as "safe for scripting" and thus prone to exploits).<ref>Nikki, Matti. [http://hack.fi/~muzzy/sony-drm/ "Muzzy's research about Sony's XCP DRM system"] {{webarchive |url=https://web.archive.org/web/20051124032239/http://hack.fi/~muzzy/sony-drm/ |date=November 24, 2005 }} Retrieved June 21, 2014.</ref><ref>{{Cite web|url=https://www.cnet.com/news/attack-targets-sony-rootkit-fix/|title=Attack targets Sony 'rootkit' fix|first=Alorie|last=Gilbert|website=CNET|access-date=May 13, 2020|archive-date=September 14, 2019|archive-url=https://web.archive.org/web/20190914062314/https://www.cnet.com/news/attack-targets-sony-rootkit-fix/|url-status=live}}</ref> Microsoft later issued a [[killbit]] for the ActiveX control. |
||
On November 18, 2005, Sony BMG provided a "new and improved" removal tool to remove the rootkit component of XCP from affected Microsoft Windows computers. |
On November 18, 2005, Sony BMG provided a "new and improved" removal tool to remove the rootkit component of XCP from affected Microsoft Windows computers. |
||
=== MediaMax CD-3 === |
|||
{{main|MediaMax CD-3}} |
|||
{{expand section|date=April 2013}} |
|||
== Legal and financial problems == |
== Legal and financial problems == |
||
=== Product recall === |
=== Product recall === |
||
On November 15, 2005 [[vnunet.com]] announced<ref>{{cite web |
On November 15, 2005, [[vnunet.com]] announced<ref>{{cite web |
||
|url=http://www.vnunet.com/vnunet/news/2146053/sony-backs-root-kit-anti-piracy |
|url=http://www.vnunet.com/vnunet/news/2146053/sony-backs-root-kit-anti-piracy |
||
|title=Sony backs out of rootkit anti-piracy scheme |
|title=Sony backs out of rootkit anti-piracy scheme |
||
|author=vunet.com |
|author=vunet.com |
||
|date=2005-11-15 |
|date=2005-11-15 |
||
| |
|archive-url=https://web.archive.org/web/20051124115346/http://www.vnunet.com/vnunet/news/2146053/sony-backs-root-kit-anti-piracy|archive-date=2005-11-24}}</ref> that Sony BMG was backing out of its copy-protection software, recalling unsold CDs from all stores and allowing consumers to exchange affected CDs for versions without the software. The Electronic Frontier Foundation compiled a partial list of CDs with XCP.<ref>{{cite web |url=https://www.eff.org/deeplinks/2005/12/updated-sony-bmg-drm-spotters-guide |title=Updated Sony BMG DRM Spotter's Guide {{pipe}} Electronic Frontier Foundation |publisher=Eff.org |date=2005-11-08 |access-date=2011-10-22 |archive-date=March 14, 2011 |archive-url=https://web.archive.org/web/20110314013220/https://www.eff.org/deeplinks/2005/12/updated-sony-bmg-drm-spotters-guide |url-status=live }}</ref> Sony BMG maintained that "there were no security risks associated with the anti-piracy technology" despite numerous virus and malware reports. On November 16, 2005, [[US-CERT]], part of the United States Department of Homeland Security, issued an advisory on XCP DRM. It said that XCP uses rootkit technology to hide certain files from the user and that the technique is a security threat to users. They also said that one of the uninstallation options provided by Sony BMG introduces further vulnerabilities. US-CERT advised: "Do not install software from sources that you do not expect to contain software, such as an audio CD."<ref>[http://www.us-cert.gov/current/archive/2005/11/17/archive.html#xcpdrm "First 4 Internet XCP DRM Vulnerabilities"], ''US-CERT Activity Archive,'' November 15, 2005. Retrieved November 22, 2006. {{webarchive |url=https://web.archive.org/web/20070927202807/http://www.us-cert.gov/current/archive/2005/11/17/archive.html#xcpdrm |date=September 27, 2007 }}</ref> |
||
Sony BMG announced that it had instructed retailers to remove any unsold music discs containing the software from their shelves.<ref>Taylor, Paul. [http://news.ft.com/cms/s/e9e41f72-56f4-11da-b98c-00000e25118c.html "Sony BMG bows to pressure"], ''Financial Times,'' November 17, 2005. Retrieved November 22, 2006.</ref> |
Sony BMG announced that it had instructed retailers to remove any unsold music discs containing the software from their shelves.<ref>Taylor, Paul. [http://news.ft.com/cms/s/e9e41f72-56f4-11da-b98c-00000e25118c.html "Sony BMG bows to pressure"] {{Webarchive|url=https://web.archive.org/web/20051124174903/http://news.ft.com/cms/s/e9e41f72-56f4-11da-b98c-00000e25118c.html |date=November 24, 2005 }}, ''Financial Times,'' November 17, 2005. Retrieved November 22, 2006.</ref> Internet-security expert [[Dan Kaminsky]] estimated that XCP was in use on more than 500,000 networks.<ref>[http://news.bbc.co.uk/2/hi/technology/4445550.stm "More pain for Sony over CD code"] {{Webarchive|url=https://web.archive.org/web/20061220135852/http://news.bbc.co.uk/2/hi/technology/4445550.stm |date=December 20, 2006 }}, ''BBC News,'' November 17, 2005. Retrieved November 22, 2006.</ref> |
||
It was estimated by internet security expert [[Dan Kaminsky]] that XCP was in use on more than 500,000 networks.<ref>[http://news.bbc.co.uk/2/hi/technology/4445550.stm "More pain for Sony over CD code"], ''BBC News,'' November 17, 2005. Retrieved November 22, 2006.</ref> |
|||
CDs with XCP technology can be identified by the letters "XCP" printed on the back cover of the [[ |
CDs with XCP technology can be identified by the letters "XCP" printed on the back cover of the [[jewel case]] for the CD according to SonyBMG's XCP FAQ.<ref>{{cite web |
||
|url = http://cp.sonybmg.com/xcp/english/faq.html |
|url = http://cp.sonybmg.com/xcp/english/faq.html |
||
|title = SonyBMG's XCP FAQ |
|title = SonyBMG's XCP FAQ |
||
| |
|url-status = dead |
||
| |
|archive-url = https://web.archive.org/web/20090130042127/http://cp.sonybmg.com/xcp/english/faq.html |
||
| |
|archive-date = 2009-01-30 |
||
|df = |
|||
}}</ref> |
}}</ref> |
||
On November 18, 2005 [[Reuters]] reported that Sony BMG would exchange affected |
On November 18, 2005, [[Reuters]] reported that Sony BMG would exchange affected unsecure CDs for new unprotected discs as well as unprotected MP3 files.<ref>{{cite web|url=http://today.reuters.com/investing/financeArticle.aspx?type=governmentFilingsNews&storyID=URI:urn:newsml:reuters.com:20051118:MTFH53938_2005-11-18_20-35-33_L18167933:1 |access-date=November 19, 2005 |title=Business News & Financial News {{pipe}} Reuters }}{{dead link|date=June 2016|bot=medic}}{{cbignore|bot=medic}}</ref> As a part of the swap program, consumers could mail their XCP-protected CDs to Sony BMG and receive an unprotected disc via return mail. |
||
⚫ | On November 29, investigators for New York attorney general [[Eliot Spitzer]] found that, despite the recall of November 15, Sony BMG CDs with XCP were still for sale at some New York City music retail outlets. Spitzer said: "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year, [and] I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."<ref>Hesseldahl, Arik. [http://businessweek.com/technology/content/nov2005/tc20051128_573560.htm " Spitzer Gets on Sony BMG's Case "] {{webarchive|url=https://web.archive.org/web/20051201023832/http://www.businessweek.com/technology/content/nov2005/tc20051128_573560.htm |date=2005-12-01 }}, ''BusinessWeek Online,'' November 29, 2005. Retrieved November 22, 2006.</ref> |
||
Information about the swap can be found at the Sony BMG swap program website.<ref>{{cite web |url=http://cp.sonybmg.com/xcp/ |title=Archived copy |accessdate=2005-11-04 |deadurl=yes |archiveurl=https://web.archive.org/web/20051104045215/http://cp.sonybmg.com/xcp/ |archivedate=2005-11-04 |df= }}</ref> As a part of the swap program, consumers can mail their XCP-protected CDs to Sony BMG and be sent an unprotected disc via return mail. |
|||
⚫ | The next day, Massachusetts attorney general [[Thomas Reilly (Massachusetts politician)|Tom Reilly]] announced that Sony BMG CDs with XCP were still available in [[Boston]] despite the Sony BMG recall of November 15.<ref>{{cite web |url=http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1540 |title=Office of the Attorney General |publisher=Ago.state.ma.us |access-date=2010-08-22 |archive-date=December 28, 2005 |archive-url=https://web.archive.org/web/20051228124217/http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1540 |url-status=live }}</ref> He advised consumers not to purchase the Sony BMG CDs with XCP and said that he was conducting an investigation of Sony BMG. |
||
⚫ | On November 29 |
||
⚫ | Sony BMG's website offered consumers a link to "Class Action Settlement Information Regarding XCP And MediaMax Content Protection"<ref>{{cite web|url=http://www.sonybmgcdtechsettlement.com/ |title=Information Web Site for the Sony BMG CD Technologies Settlement |date=2006-12-21 |access-date=2011-06-20 |archive-url=https://web.archive.org/web/20061221221411/http://www.sonybmgcdtechsettlement.com/ |archive-date=2006-12-21 |url-status=dead}}</ref> with online claim filing and links to software updates and uninstallers. The deadline for submitting a claim was June 30, 2007. The website offered an explanation of the events as well as a list of all affected CDs.<ref>{{cite web |url=http://cp.sonybmg.com/xcp/english/titles.html |title=CD's Containing XCP Content Protection Technology |access-date=2008-12-24 |url-status=dead |archive-url=https://web.archive.org/web/20071012024250/http://cp.sonybmg.com/xcp/english/titles.html |archive-date=October 12, 2007 }}</ref> |
||
⚫ | The next day, Massachusetts |
||
⚫ | |||
As of April 2, 2008 Sony BMG's website finally offered consumers their explanation and list of affected CDs.<ref>{{cite web |url=http://cp.sonybmg.com/xcp/english/titles.html |title=CD’s Containing XCP Content Protection Technology |accessdate=2008-12-24 |deadurl=yes |archiveurl=https://web.archive.org/web/20071012024250/http://cp.sonybmg.com/xcp/english/titles.html |archivedate=October 12, 2007 |df= }}</ref> |
|||
=== Texas state action === |
=== Texas state action === |
||
On November 21, 2005, Texas |
On November 21, 2005, Texas attorney general [[Greg Abbott]] sued Sony BMG.<ref>{{cite web |url=http://www.oag.state.tx.us/oagnews/release.php?id=1266 |title=Texas Attorney General |publisher=Oag.state.tx.us |date=2005-11-21 |access-date=2010-08-22 |archive-date=July 25, 2010 |archive-url=https://web.archive.org/web/20100725211827/http://www.oag.state.tx.us/oagnews/release.php?id=1266 |url-status=dead }}</ref> The suit was the first filed by a U.S. state and was also the first filed under the state's 2005 spyware law. It alleged that the company surreptitiously installed the spyware on millions of CDs. |
||
On December 21, 2005, Abbott added new allegations to |
On December 21, 2005, Abbott added new allegations to the lawsuit,<ref>{{cite web |url=http://www.oag.state.tx.us/oagnews/release.php?id=1370 |title=Texas Attorney General |publisher=Oag.state.tx.us |access-date=2010-08-22 |archive-date=June 19, 2006 |archive-url=https://web.archive.org/web/20060619115116/http://www.oag.state.tx.us/oagnews/release.php?id=1370 |url-status=live }}</ref> claiming that MediaMax violated the state's spyware and deceptive trade practices laws because the MediaMax software would be installed on a computer even if the user declined the license agreement authorizing the action. Abbott stated: "We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music", and "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes." In addition to violations of the Consumer Protection Against Computer Spyware Act of 2005, which allowed for civil penalties of $100,000 for each violation of the law, the alleged violations added in the updated lawsuit carried maximum penalties of $20,000 per violation.<ref>{{cite news |url=http://dallas.bizjournals.com/dallas/stories/2005/12/19/daily31.html |title=AG throws more allegations at Sony BMG |publisher=dallas.bizjournals.com. |date=December 21, 2005 |access-date=2011-06-20 |archive-date=March 14, 2007 |archive-url=https://web.archive.org/web/20070314133402/http://dallas.bizjournals.com/dallas/stories/2005/12/19/daily31.html |url-status=live }}</ref><ref>{{cite news|url=http://sanantonio.bizjournals.com/sanantonio/stories/2005/12/19/daily32.html |title=Attorney General ups the ante in lawsuit against Sony BMG|publisher=sanantonio.bizjournals.com. |date=December 22, 2005 |access-date=2011-06-20 |archive-date=June 14, 2006 |archive-url=https://web.archive.org/web/20060614041507/http://sanantonio.bizjournals.com/sanantonio/stories/2005/12/19/daily32.html |url-status=live }}</ref> Sony was ordered to pay $750,000 in legal fees to Texas, accept customer returns of affected CDs, place a conspicuous detailed notice on its homepage, make "keyword buys" to alert consumers by advertising with Google, Yahoo! and MSN, pay up to $150 per damaged computer and agree to other remedies. Sony BMG also had to agree that it would not bring any claim that the legal settlement in any way constitutes the approval of the court.<ref>{{cite web |url=https://www.texasattorneygeneral.gov/newspubs/releases/2006/121406sony_afj.pdf |title=No.GV505065 |publisher=texasattorneygeneral.gov |access-date=2006-12-19 |archive-date=May 28, 2014 |archive-url=https://web.archive.org/web/20140528060856/https://www.texasattorneygeneral.gov/newspubs/releases/2006/121406sony_afj.pdf |url-status=live }}</ref> |
||
=== New York and California class |
=== New York and California class-action suits === |
||
[[Class action suit]]s were filed against Sony BMG in New York and California.<ref> |
[[Class action suit|Class-action suit]]s were filed against Sony BMG in New York and California.<ref>{{cite news |url=http://news.bbc.co.uk/1/hi/technology/4424254.stm |title=Sony sued over copy-protected CDs; Sony BMG is facing three lawsuits over its controversial anti-piracy software |work=BBC News |date=November 10, 2005 |access-date=November 22, 2006 |archive-date=May 30, 2009 |archive-url=https://web.archive.org/web/20090530180551/http://news.bbc.co.uk/1/hi/technology/4424254.stm |url-status=live }}</ref> |
||
On December 30, 2005, the [[New York Times]] reported that [[Sony BMG]] had reached a tentative settlement of the lawsuits, proposing two ways of compensating consumers who |
On December 30, 2005, the ''[[New York Times]]'' reported that [[Sony BMG]] had reached a tentative settlement of the lawsuits, proposing two ways of compensating consumers who had purchased the affected CDs.<ref>{{cite news |url=https://www.nytimes.com/2005/12/30/technology/sony-bmg-tentatively-settles-suits-on-spyware.html |title=Sony BMG Tentatively Settles Suits on Spyware |agency=Associated Press |newspaper=The New York Times |date=December 30, 2005 |access-date=November 22, 2006 |archive-date=May 29, 2015 |archive-url=https://web.archive.org/web/20150529195004/http://www.nytimes.com/2005/12/30/technology/sony-bmg-tentatively-settles-suits-on-spyware.html |url-status=live }}</ref> According to the proposed settlement, those who had purchased an XCP CD would be paid $7.50 per purchased recording and provided the opportunity to download either a free album or three additional albums from a limited list of recordings if they elected to forgo the cash incentive. District judge Naomi Reice Buchwald entered an order tentatively approving the settlement on January 6, 2006. <!-- cited reference on SONYSUIT.COM no longer available --> |
||
The settlement |
The settlement was designed to compensate those whose computers were infected but were not otherwise damaged. Those who had incurred damages not addressed in the class-action suit were free to opt out of the settlement and pursue their own litigation. |
||
⚫ | A fairness hearing was held on May 22, 2006, in New York. Claims were required to be submitted by December 31, 2006. Class members who wished to be excluded from the settlement were required to have filed before May 1, 2006. Those who remained in the settlement could attend the fairness hearing at their own expense and speak on their own behalf or be represented by an attorney. |
||
A fairness hearing was held on May 22, 2006 at 9:15 am at the [[Daniel Patrick Moynihan]] United States Courthouse for the Southern District of New York. |
|||
⚫ | Claims |
||
=== Other actions === |
=== Other actions === |
||
In Italy, ALCEI (an association similar to [[Electronic Frontier Foundation|EFF]]) also reported the rootkit to the Financial Police, asking for an investigation under various computer crime allegations, along with a technical analysis of the rootkit.<ref> |
In Italy, {{ill|ALCEI|it}} (an association similar to [[Electronic Frontier Foundation|EFF]]) also reported the rootkit to the Financial Police, asking for an investigation under various computer crime allegations, along with a technical analysis of the rootkit.<ref>{{cite news |url=http://www.theinquirer.net/?article=27508 |title=Crist's office joins Sony BMG spyware probe |website=The Inquirer |date=November 7, 2005 |access-date=November 22, 2006 |url-status=unfit |archive-url=https://web.archive.org/web/20060204174316/http://www.theinquirer.net/?article=27508 |archive-date=February 4, 2006 }}</ref><ref>{{Cite press release |title=Legal proceedings in Italy by ALCEI against Sony for a 'criminal' offense |url=https://www.alcei.org/?p=22 |date=November 4, 2005 |access-date=May 13, 2020 |archive-date=August 7, 2020 |archive-url=https://web.archive.org/web/20200807001304/https://www.alcei.org/?p=22 |url-status=live }}</ref> |
||
The |
The [[United States Department of Justice|U.S. Department of Justice]] made no comment on whether it would take any criminal action against Sony. However, Stewart Baker of the [[United States Department of Homeland Security|Department of Homeland Security]] publicly admonished Sony, stating, "it's your intellectual property—it's not your computer."<ref>Menta, Richard. [http://www.mp3newswire.net/stories/5002/admonish.html "Bush Administration to Sony: It's your intellectual property – it's not your computer"] {{Webarchive|url=https://web.archive.org/web/20051229031842/http://www.mp3newswire.net/stories/5002/admonish.html |date=December 29, 2005 }}. ''MP3 Newswire''. November 12, 2005.</ref> |
||
On November 21, the EFF announced that it was also pursuing a lawsuit over both [[Extended Copy Protection|XCP]] and the |
On November 21, the EFF announced that it was also pursuing a lawsuit over both [[Extended Copy Protection|XCP]] and the SunnComm [[MediaMax]] DRM technology. The EFF lawsuit also involved issues concerning the Sony BMG [[end user license agreement|end-user license agreement]]. |
||
It was reported on December 24, 2005 that |
It was reported on December 24, 2005, that Florida attorney general [[Charlie Crist]] was investigating Sony BMG spyware.<ref>[http://www.sptimes.com/2005/12/24/State/Crist_s_office_joins_.shtml "Crist's office joins Sony BMG spyware probe"] {{Webarchive|url=https://web.archive.org/web/20060114103858/http://www.sptimes.com/2005/12/24/State/Crist_s_office_joins_.shtml |date=January 14, 2006 }}, ''St. Petersburg Times Online,'' December 24, 2005. Retrieved November 22, 2006.</ref> |
||
On January 30, 2007, the U.S. [[Federal Trade Commission]] (FTC) announced a settlement with Sony BMG on charges that |
On January 30, 2007, the U.S. [[Federal Trade Commission]] (FTC) announced a settlement with Sony BMG on charges that the CD copy protection had violated federal law<ref name=FTCsettlement>{{cite web |
||
| url=http://www.ftc.gov/opa/2007/01/sony.htm |
| url=http://www.ftc.gov/opa/2007/01/sony.htm |
||
| date=January 30, 2007 |
| date=January 30, 2007 |
||
| title=Sony BMG Settles FTC Charges |
| title=Sony BMG Settles FTC Charges |
||
| publisher=Federal Trade Commission |
| publisher=Federal Trade Commission |
||
| |
| access-date=2007-06-20 |
||
| archive-date=February 10, 2007 |
|||
⚫ | }}</ref>—Section 5(a) of the [[Federal Trade Commission Act]], 15 USC 45(a)—by engaging in unfair and deceptive business practices.<ref>{{cite web|url=http://www.ftc.gov/os/caselist/0623019/0623019cmp070629.pdf|title=DOCKET NO. C-4195: COMPLAINT; In the Matter of SONY BMG MUSIC ENTERTAINMENT, a general partnership.| |
||
| archive-url=https://web.archive.org/web/20070210000032/http://ftc.gov/opa/2007/01/sony.htm |
|||
| url-status=live |
|||
⚫ | }}</ref>—Section 5(a) of the [[Federal Trade Commission Act]], 15 USC 45(a)—by engaging in unfair and deceptive business practices.<ref>{{cite web|url=http://www.ftc.gov/os/caselist/0623019/0623019cmp070629.pdf|title=DOCKET NO. C-4195: COMPLAINT; In the Matter of SONY BMG MUSIC ENTERTAINMENT, a general partnership.|access-date=2012-01-08|date=June 29, 2007|archive-date=October 19, 2011|archive-url=https://web.archive.org/web/20111019085827/http://ftc.gov/os/caselist/0623019/0623019cmp070629.pdf|url-status=live}}</ref> The settlement required Sony BMG to reimburse consumers up to $150 to repair damage that resulted directly from its attempts to remove the software installed without their consent.<ref name=FTCsettlement/> The settlement also required them to provide clear and prominent disclosure on the packaging of future CDs of any limits on copying or restrictions on the use of playback devices, and the company was prohibited from installing content-protection software without obtaining consumers' authorization.<ref name=FTCsettlement/> FTC chairwoman [[Deborah Platt Majoras]] added: "Installations of secret software that create security risks are intrusive and unlawful. Consumers' computers belong to them, and companies must adequately disclose unexpected limitations on the customer use of their products so consumers can make informed decisions regarding whether to purchase and install that content."<ref>{{cite web |
||
|url = http://www.consumeraffairs.com/news04/2007/01/ftc_sony_bmg.html |
|url = http://www.consumeraffairs.com/news04/2007/01/ftc_sony_bmg.html |
||
|date = January 31, 2007 |
|date = January 31, 2007 |
||
|title = Sony BMG Settles FTC "Rootkit" Charges |
|title = Sony BMG Settles FTC "Rootkit" Charges |
||
|publisher = ConsumerAffairs.Com |
|publisher = ConsumerAffairs.Com |
||
| |
|access-date = 2007-06-20 |
||
| |
|url-status = dead |
||
| |
|archive-url = https://web.archive.org/web/20070929111043/http://www.consumeraffairs.com/news04/2007/01/ftc_sony_bmg.html |
||
| |
|archive-date = September 29, 2007 |
||
|df = |
|||
}}</ref><ref>{{cite web |
}}</ref><ref>{{cite web |
||
|url = http://www.contentprotectedmusic.com/english/titles.html |
|url = http://www.contentprotectedmusic.com/english/titles.html |
||
|archive-url = https://web.archive.org/web/20081006125515/http://www.contentprotectedmusic.com/english/titles.html |
|archive-url = https://web.archive.org/web/20081006125515/http://www.contentprotectedmusic.com/english/titles.html |
||
| |
|url-status = dead |
||
|archive-date = 2008-10-06 |
|archive-date = 2008-10-06 |
||
|date = 2005 |
|date = 2005 |
||
|title = |
|title = CD's Containing XCP Content Protection Technology |
||
|publisher = Sony BMG Music Entertainment |
|publisher = Sony BMG Music Entertainment |
||
| |
|access-date = 2012-04-17 |
||
}}</ref> |
}}</ref> |
||
=== Copyright infringement === |
=== Copyright infringement === |
||
{{main|Extended Copy Protection#Copyright violations}} |
{{main|Extended Copy Protection#Copyright violations}} |
||
Researchers found that Sony BMG and the makers of XCP also apparently infringed copyright by failing to adhere to the licensing requirements of various pieces of [[free and open-source software]] |
Researchers found that Sony BMG and the makers of XCP also apparently infringed copyright by failing to adhere to the licensing requirements of various pieces of [[free and open-source software]] that was used in the program,<ref>{{cite web |title=Proof that F4I violates the GPL - Programming stuff |url=http://www.the-interweb.com/serendipity/index.php?%2Farchives%2F55-Proof-that-F4I-violates-the-GPL.html |url-status=dead |archive-url=https://web.archive.org/web/20131017225417/http://www.the-interweb.com/serendipity/index.php?%2Farchives%2F55-Proof-that-F4I-violates-the-GPL.html |archive-date=October 17, 2013 |access-date=April 10, 2013 |website=www.the-interweb.com}}</ref><ref>{{Cite web|url=https://www.hack.fi/~muzzy/sony-drm/|archive-url=https://web.archive.org/web/20051124032239/http://hack.fi/~muzzy/sony-drm/|url-status=dead|title=Sony's XCP DRM|archive-date=November 24, 2005|website=www.hack.fi}}</ref> including the [[LAME]] [[MP3]] encoder,<ref>{{cite web |title=Is Sony in violation of the LGPL? - Part II - Programming stuff |url=http://www.the-interweb.com/serendipity/index.php?%2Farchives%2F52-Is-Sony-in-violation-of-the-LGPL-Part-II.html |url-status=dead |archive-url=https://web.archive.org/web/20130602154328/http://www.the-interweb.com/serendipity/index.php?%2Farchives%2F52-Is-Sony-in-violation-of-the-LGPL-Part-II.html |archive-date=June 2, 2013 |access-date=April 10, 2013 |website=www.the-interweb.com}}</ref> [[mpglib]],<ref>{{cite web |title=Breakthrough after breakthrough in the F4I case - Programming stuff |url=http://www.the-interweb.com/serendipity/index.php?%2Farchives%2F54-Breakthrough-after-breakthrough-in-the-F4I-case.html |url-status=dead |archive-url=https://web.archive.org/web/20131017225421/http://www.the-interweb.com/serendipity/index.php?%2Farchives%2F54-Breakthrough-after-breakthrough-in-the-F4I-case.html |archive-date=October 17, 2013 |access-date=April 10, 2013 |website=www.the-interweb.com}}</ref> [[FAAC]],<ref>{{cite web |title=Two new F4I license infringements found - Programming stuff |url=http://www.the-interweb.com/serendipity/index.php?%2Farchives%2F56-Two-new-F4I-license-infringements-found.html |url-status=dead |archive-url=https://web.archive.org/web/20131017225419/http://www.the-interweb.com/serendipity/index.php?%2Farchives%2F56-Two-new-F4I-license-infringements-found.html |archive-date=October 17, 2013 |access-date=April 10, 2013 |website=www.the-interweb.com}}</ref> id3lib,<ref>{{Cite web |url=http://the-interweb.com/bdump/misc/id3lib.png |title= ECD Player Control Functions Window screenshot |access-date=2013-04-10 |archive-url=https://web.archive.org/web/20131018041148/http://the-interweb.com/bdump/misc/id3lib.png |archive-date=2013-10-18 |url-status=dead }}</ref> [[mpg123]] and the [[VLC media player]].<ref>{{cite web |last=Hocevar |first=Sam |author-link=Sam Hocevar |title=Sam Hocevar's .plan |url=http://sam.zoy.org/blog/2005-11-21-suspicious-activity-indeed |url-status=dead |archive-url=https://web.archive.org/web/20130615032120/http://sam.zoy.org/blog/2005-11-21-suspicious-activity-indeed |archive-date=June 15, 2013 |access-date=April 10, 2013 |website=sam.zoy.org}}</ref> |
||
In January 2006, the developers of LAME posted an open letter stating that they expected "appropriate action" by Sony BMG, but that the developers had no plans to investigate or take action over the apparent violation of LAME's source |
In January 2006, the developers of LAME posted an open letter stating that they expected "appropriate action" by Sony BMG, but that the developers had no plans to investigate or take action over the apparent violation of LAME's source-code license.<ref>{{cite web|url=https://lame.sourceforge.io/open_letter_sony_bmg.html|title=LAME Ain't an MP3 Encoder|website=lame.sourceforge.net|access-date=May 13, 2020|archive-date=September 3, 2020|archive-url=https://web.archive.org/web/20200903110030/https://lame.sourceforge.io/open_letter_sony_bmg.html|url-status=live}}</ref> |
||
== Company and press reports == |
== Company and press reports == |
||
Russinovich's report was |
Russinovich's report was discussed on popular blogs almost immediately following its release.<ref>{{cite web |
||
|url=http://blog.wfmu.org/freeform/2005/11/sony_cds_caught.html |
|url=http://blog.wfmu.org/freeform/2005/11/sony_cds_caught.html |
||
|title=Sony CD's caught installing extremely well-hidden and sketchy DRM software |
|title=Sony CD's caught installing extremely well-hidden and sketchy DRM software |
||
|publisher=WFMU blog |
|publisher=WFMU blog |
||
|date=2005-11-01 |
|date=2005-11-01 |
||
|access-date=December 16, 2014 |
|||
|archive-date=December 16, 2014 |
|||
|archive-url=https://web.archive.org/web/20141216234739/http://blog.wfmu.org/freeform/2005/11/sony_cds_caught.html |
|||
|url-status=live |
|||
}}</ref> |
|||
[[NPR]] was one of the first major news outlets to report on the scandal on November 4, 2005. |
[[NPR]] was one of the first major news outlets to report on the scandal on November 4, 2005. [[Thomas Hesse]], Sony BMG's president of global digital business, said: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"<ref>{{cite web |
||
|url=https://www.npr.org/templates/story/story.php?storyId=4989260 |
|url=https://www.npr.org/templates/story/story.php?storyId=4989260 |
||
|title=Sony Music CDs Under Fire from Privacy Advocates |
|title=Sony Music CDs Under Fire from Privacy Advocates |
||
|publisher=NPR |
|publisher=NPR |
||
|date=2005-11-04 |
|date=2005-11-04 |
||
| |
|access-date=2011-06-20 |
||
|archive-date=December 6, 2013 |
|||
|archive-url=https://web.archive.org/web/20131206200830/http://www.npr.org/templates/story/story.php?storyId=4989260 |
|||
⚫ | In November 7, 2005 article, vnunet.com |
||
|url-status=live |
|||
}}</ref> |
|||
⚫ | In a November 7, 2005 article, [[Incisive Media|vnunet.com]] summarized Russinovich's findings<ref>{{cite news |url=http://www.vnunet.com/vnunet/news/2145617/sony-cd-rootkit-spell-doom |title=vnunet.com analysis: Sony CD rootkit could spell doom |website=vnunet.com |archive-url=https://web.archive.org/web/20051125213927/http://www.vnunet.com/vnunet/news/2145617/sony-cd-rootkit-spell-doom |archive-date=November 25, 2005 }}</ref> and urged consumers to temporarily avoid purchasing Sony BMG music CDs. The following day, ''[[The Boston Globe]]'' classified the software as [[spyware]], and Computer Associates' {{Proper name|eTrust}} Security Management unit VP Steve Curry confirmed that the rootkit communicates personal information from consumers' computers (the CD being played and the user's [[IP address]]) to Sony BMG.<ref>{{cite news |last=Bray |first=Hiawatha |url=https://www.boston.com/business/technology/articles/2005/11/08/security_firm_sony_cds_secretly_install_spyware/ |title=Security firm: Sony CDs secretly install spyware |newspaper=The Boston Globe |date=November 8, 2005 |access-date=November 22, 2006 |archive-date=February 4, 2007 |archive-url=https://web.archive.org/web/20070204133139/http://www.boston.com/business/technology/articles/2005/11/08/security_firm_sony_cds_secretly_install_spyware/ |url-status=live }}</ref> The methods used by the software to avoid detection were likened to those used by data thieves. |
||
⚫ | On November 8, 2005, [[Computer Associates]] |
||
⚫ | On November 8, 2005, [[Computer Associates]] classified Sony BMG's software as spyware and provided tools for its removal.<ref>{{cite news |url=http://www.zdnet.com/blog/spyware/ca-targets-sony-drm-as-spyware/698 |title=CA Targets Sony DRM as Spyware |first=Suzi |last=Turner |publisher=[[ZDNet]] |date=2005-11-08 |access-date=2010-08-19 |archive-date=October 12, 2012 |archive-url=https://web.archive.org/web/20121012014819/http://www.zdnet.com/blog/spyware/ca-targets-sony-drm-as-spyware/698 |url-status=dead }}</ref> Russinovich said: "This is a step they should have taken immediately."<ref>{{cite news |url=http://news.bbc.co.uk/1/hi/technology/4434852.stm |title=Microsoft to remove Sony CD code; Sony's controversial anti-piracy CD software has been labelled as spyware by Microsoft. |work=BBC News |date=November 14, 2005 |access-date=November 22, 2006 |archive-date=December 16, 2006 |archive-url=https://web.archive.org/web/20061216110906/http://news.bbc.co.uk/1/hi/technology/4434852.stm |url-status=live }}</ref> |
||
⚫ | The first virus |
||
⚫ | The first virus to exploit Sony BMG's stealth technology to make malicious files invisible to both the user and antivirus programs surfaced on November 10, 2005.<ref>{{cite news |last1=Sanders |first1=Tom |last2=Thompson |first2=Iain |url=http://www.vnunet.com/vnunet/news/2145874/virus-writers-exploit-sony-drm |title=Virus writers exploit Sony DRM; Sony doomsday scenario becomes reality |website=vnunet.com |date=2005-11-10 |access-date=2006-11-22 |archive-url=https://web.archive.org/web/20051216114100/http://www.vnunet.com/vnunet/news/2145874/virus-writers-exploit-sony-drm |archive-date=December 16, 2005 }}</ref> One day later, ''[[Yahoo! News]]'' announced that Sony BMG had suspended further distribution of the controversial technology.{{Citation needed|date=July 2024|reason=Unable to locate referenced article}} |
||
According to [[ZDNet News]]: |
|||
⚫ | "The latest risk is from an uninstaller program distributed by [[SunnComm]] Technologies, a company that provides copy protection on other Sony BMG releases." The uninstall program obeys commands sent to it allowing others "to take control of PCs where the uninstaller has been used."<ref>Halderman, J. Alex [http://www.freedom-to-tinker.com/?p=931 |
||
⚫ | [[ZDNet News]] wrote: "The latest risk is from an uninstaller program distributed by [[SunnComm]] Technologies, a company that provides copy protection on other Sony BMG releases." The uninstall program obeys commands sent to it allowing others "to take control of PCs where the uninstaller has been used."<ref>Halderman, J. Alex [http://www.freedom-to-tinker.com/?p=931 "Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole"] {{Webarchive|url=https://web.archive.org/web/20051127084435/http://www.freedom-to-tinker.com/?p=931 |date=November 27, 2005 }}, ''Freedom to Tinker,'' November 17, 2005. Retrieved November 22, 2006.</ref> |
||
⚫ | |||
⚫ | |||
⚫ | Sony BMG in Australia |
||
⚫ | Sony BMG in Australia issued a press release indicating that no Sony BMG titles manufactured in Australia contained copy protection.<ref>{{cite web |url=http://www.sonybmg.com.au/news/details.do?newsId=20030829002668 |archive-url=https://web.archive.org/web/20060515010155/http://www.sonybmg.com.au/news/details.do?newsId=20030829002668 |url-status=dead |archive-date=15 May 2006 |title=No Copy Protection on Australian Sony BMG CDs |access-date=18 January 2007 }}</ref> |
||
==See also== |
|||
* [[Defective by Design]] |
|||
* [[List of compact discs sold with Extended Copy Protection]] |
|||
* [[List of compact discs sold with MediaMax CD-3]] |
|||
* ''[[Spore (2008 video game)#DRM controversy|Spore]]'' – 2008 video game |
|||
==References== |
==References== |
||
Line 170: | Line 163: | ||
==Sources== |
==Sources== |
||
* [https://www.npr.org/templates/story/story.php?storyId=4989260 "Sony Music CDs Under Fire from Privacy Advocates"], [[National Public Radio]], 2005-11-04 |
* [https://www.npr.org/templates/story/story.php?storyId=4989260 "Sony Music CDs Under Fire from Privacy Advocates"], [[National Public Radio]], 2005-11-04 |
||
* [[Brian Bergstein|Bergstein, Brian]] (2005-11-18). [ |
* [[Brian Bergstein|Bergstein, Brian]] (2005-11-18). [https://www.seattlepi.com/business/1310AP_Music_Copy_Protection.html "Copy protection an experiment in progress"]{{dead link|date=July 2024|bot=medic}}{{cbignore|bot=medic}}. ''Seattlepi.com''. |
||
* Halderman, J. Alex, and Felten, Edward. |
* Halderman, J. Alex, and Felten, Edward. https://wayback.archive-it.org/all/20120712181539/http://citp.princeton.edu/pub/sonydrm-ext.pdf ([[Portable Document Format|PDF]] format), ''Center for Information Technology Policy,'' Department of Computer Science, Princeton University, 2006-02-14. |
||
* [[n:Sony's DRM protected CDs install Windows rootkits|Wikinews: Sony's DRM protected CDs install Windows rootkits]] |
* [[n:Sony's DRM protected CDs install Windows rootkits|Wikinews: Sony's DRM protected CDs install Windows rootkits]] |
||
* Gartner: [http://www.gartner.com/DisplayDocument?doc_cd=136331 Sony BMG DRM a Public-Relations and Technology Failure] |
* Gartner: [https://web.archive.org/web/20051231000035/http://www.gartner.com/DisplayDocument?doc_cd=136331 Sony BMG DRM a Public-Relations and Technology Failure] |
||
* [ |
* [https://www.mp3newswire.net/stories/5002/admonish.html Bush Administration to Sony: It's your intellectual property -- it's not your computer] - 2005-11-12 [[MP3 Newswire]] article |
||
==External links== |
==External links== |
||
{{wikinews|Sony faces class action lawsuits for DRM}} |
{{wikinews|Sony faces class action lawsuits for DRM}} |
||
* [ |
* [https://ssrn.com/abstract=1072229 Academic article examining the market, legal, and technological factors that motivated Sony BMG's DRM strategy] |
||
* [https://web.archive.org/web/20090228180307/http://sonybmg.com/mediamax/titles.html List of titles affected by MediaMax] |
* [https://web.archive.org/web/20090228180307/http://sonybmg.com/mediamax/titles.html List of titles affected by MediaMax] |
||
* [https://web.archive.org/web/20081224153240/http://cp.sonybmg.com/xcp/english/titles.html List of titles affected by XCP] |
* [https://web.archive.org/web/20081224153240/http://cp.sonybmg.com/xcp/english/titles.html List of titles affected by XCP] |
||
* [https://web.archive.org/web/20061212230348/http://www.sonybmgcdtechsettlement.com/CDList.htm List of titles included in settlement] |
* [https://web.archive.org/web/20061212230348/http://www.sonybmgcdtechsettlement.com/CDList.htm List of titles included in settlement] |
||
* [ |
* [https://www.sonysuit.com/ SonySuit.Com - Tracking The Sony BMG XCP and SunComm Lawsuits] |
||
* [https://web.archive.org/web/20051116094050/http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html "Sony anti-customer technology roundup and time-line"], ''Boing Boing.'' |
* [https://web.archive.org/web/20051116094050/http://www.boingboing.net/2005/11/14/sony_anticustomer_te.html "Sony anti-customer technology roundup and time-line"], ''Boing Boing.'' |
||
* [ |
* [https://www.groklaw.net/staticpages/index.php?page=20051122010323323 In-depth analysis and references], [[Groklaw]] |
||
*[http://www.networkworld.com/article/2998251/malware-cybercrime/sony-bmg-rootkit-scandal-10-years-later.html Revisiting Sony BMG Rootkit Scandal 10 years later] |
*[https://web.archive.org/web/20151028220435/http://www.networkworld.com/article/2998251/malware-cybercrime/sony-bmg-rootkit-scandal-10-years-later.html Revisiting Sony BMG Rootkit Scandal 10 years later] |
||
{{Digital rights management software}} |
|||
{{DEFAULTSORT:Sony Bmg Cd Copy Protection Scandal}} |
|||
{{Hacking in the 2000s}} |
|||
[[Category:2005 scandals]] |
[[Category:2005 scandals]] |
||
[[Category:Digital rights management]] |
[[Category:Digital rights management]] |
Latest revision as of 20:00, 25 August 2024
In 2005 it was revealed that the implementation of copy protection measures on about 22 million CDs distributed by Sony BMG installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could easily be uninstalled, and they created vulnerabilities that were exploited by unrelated malware. One of the programs would install and "phone home" with reports on the user's private listening habits, even if the user refused its end-user license agreement (EULA), while the other was not mentioned in the EULA at all. Both programs contained code from several pieces of copylefted free software in an apparent infringement of copyright, and configured the operating system to hide the software's existence, leading to both programs being classified as rootkits.
Sony BMG initially denied that the rootkits were harmful. It then released an uninstaller for one of the programs that merely made the program's files invisible while also installing additional software that could not be easily removed, collected an email address from the user and introduced further security vulnerabilities.
Following public outcry, government investigations and class-action lawsuits in 2005 and 2006, Sony BMG partially addressed the scandal with consumer settlements, a recall of about 10% of the affected CDs and the suspension of CD copy-protection efforts in early 2007.
Background
[edit]In August 2000, statements by Sony Pictures Entertainment U.S. senior vice president Steve Heckler foreshadowed the events of late 2005. Heckler told attendees at the Americas Conference on Information Systems: "The industry will take whatever steps it needs to protect itself and protect its revenue streams ... It will not lose that revenue stream, no matter what ... Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source – we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC ... These strategies are being aggressively pursued because there is simply too much at stake."[1]
In Europe, BMG created a minor scandal in 2001 when it released Natalie Imbruglia's second album White Lilies Island without warning labels stating that the CD contained copy protection.[2][3] The CDs were eventually replaced.[2][3] BMG and Sony both released copy-protected versions of certain releases in certain markets in late 2001,[4][5] and a late 2002 report indicated that all BMG CDs sold in Europe would contain some form of copy protection.[6]
Copy-protection software
[edit]The two pieces of copy-protection software at issue in the 2005–2007 scandal were included on over 22 million CDs[7] marketed by Sony BMG, the record company formed by the 2004 merger of Sony and BMG's recorded music divisions. About two million of those CDs,[7] spanning 52 titles, contained First 4 Internet (F4I)'s Extended Copy Protection (XCP), which was installed on Microsoft Windows systems after the user accepted the EULA, which made no mention of the software. The remaining 20 million CDs,[7] spanning 50 titles,[8] contained SunnComm's MediaMax CD-3, which was installed on either Microsoft Windows or macOS systems after the user was presented with the EULA, regardless of whether the user accepted it. However, macOS prompted the user for confirmation when the software attempted to modify the OS, whereas Windows did not.
XCP rootkit
[edit]The scandal began on October 31, 2005, when Winternals researcher Mark Russinovich posted to his blog a detailed description and technical analysis of F4I's XCP software that he determined had been recently installed on his computer by a Sony BMG music CD. Russinovich compared the software to a rootkit because of its surreptitious installation and efforts to hide its existence. He noted that the EULA does not mention the software, and he charged that the software is illegitimate and that digital rights management had "gone too far".[9]
Anti-virus firm F-Secure concurred: "Although the software isn't directly malicious, the used rootkit hiding techniques are exactly the same used by malicious software to hide. The DRM software will cause many similar false alarms with all AV software that detect rootkits. ... Thus it is very inappropriate for commercial software to use these techniques."[10] After public pressure, Symantec[11] and other anti-virus vendors included detection for the rootkit in their products as well, and Microsoft announced that it would include detection and removal capabilities in its security patches.[12]
Russinovich discovered numerous problems with XCP:
- It creates security holes that can be exploited by malicious software such as worms or viruses.
- It constantly runs in the background and excessively consumes system resources, slowing down the user's computer, regardless of whether a protected CD is playing.
- It employs unsafe procedures to start and stop, which could lead to system crashes.
- It has no uninstaller, and is installed in such a way that inexpert attempts to uninstall it can cause the operating system to fail to recognize existing drives.
Soon after Russinovich's first post, several trojans and worms exploiting XCP's security holes appeared.[13] Some even used the vulnerabilities to cheat in online games.[14]
Sony BMG quickly released software to remove the rootkit component of XCP from affected Microsoft Windows computers,[15] but after Russinovich analyzed the utility, he reported in his blog that it only exacerbated the security problems and raised further concerns about privacy.[16] Russinovich noted that the removal program merely unmasked the hidden files installed by the rootkit but did not actually remove the rootkit. He also reported that it installed additional software that could not be uninstalled. In order to download the uninstaller, he found that it was necessary to provide an e-mail address (which the Sony BMG Privacy Policy implied was added to various bulk e-mail lists) and to install an ActiveX control containing backdoor methods (marked as "safe for scripting" and thus prone to exploits).[17][18] Microsoft later issued a killbit for the ActiveX control.
On November 18, 2005, Sony BMG provided a "new and improved" removal tool to remove the rootkit component of XCP from affected Microsoft Windows computers.
Legal and financial problems
[edit]Product recall
[edit]On November 15, 2005, vnunet.com announced[19] that Sony BMG was backing out of its copy-protection software, recalling unsold CDs from all stores and allowing consumers to exchange affected CDs for versions without the software. The Electronic Frontier Foundation compiled a partial list of CDs with XCP.[20] Sony BMG maintained that "there were no security risks associated with the anti-piracy technology" despite numerous virus and malware reports. On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. It said that XCP uses rootkit technology to hide certain files from the user and that the technique is a security threat to users. They also said that one of the uninstallation options provided by Sony BMG introduces further vulnerabilities. US-CERT advised: "Do not install software from sources that you do not expect to contain software, such as an audio CD."[21]
Sony BMG announced that it had instructed retailers to remove any unsold music discs containing the software from their shelves.[22] Internet-security expert Dan Kaminsky estimated that XCP was in use on more than 500,000 networks.[23]
CDs with XCP technology can be identified by the letters "XCP" printed on the back cover of the jewel case for the CD according to SonyBMG's XCP FAQ.[24]
On November 18, 2005, Reuters reported that Sony BMG would exchange affected unsecure CDs for new unprotected discs as well as unprotected MP3 files.[25] As a part of the swap program, consumers could mail their XCP-protected CDs to Sony BMG and receive an unprotected disc via return mail.
On November 29, investigators for New York attorney general Eliot Spitzer found that, despite the recall of November 15, Sony BMG CDs with XCP were still for sale at some New York City music retail outlets. Spitzer said: "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year, [and] I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony."[26]
The next day, Massachusetts attorney general Tom Reilly announced that Sony BMG CDs with XCP were still available in Boston despite the Sony BMG recall of November 15.[27] He advised consumers not to purchase the Sony BMG CDs with XCP and said that he was conducting an investigation of Sony BMG.
Sony BMG's website offered consumers a link to "Class Action Settlement Information Regarding XCP And MediaMax Content Protection"[28] with online claim filing and links to software updates and uninstallers. The deadline for submitting a claim was June 30, 2007. The website offered an explanation of the events as well as a list of all affected CDs.[29]
Texas state action
[edit]On November 21, 2005, Texas attorney general Greg Abbott sued Sony BMG.[30] The suit was the first filed by a U.S. state and was also the first filed under the state's 2005 spyware law. It alleged that the company surreptitiously installed the spyware on millions of CDs.
On December 21, 2005, Abbott added new allegations to the lawsuit,[31] claiming that MediaMax violated the state's spyware and deceptive trade practices laws because the MediaMax software would be installed on a computer even if the user declined the license agreement authorizing the action. Abbott stated: "We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music", and "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes." In addition to violations of the Consumer Protection Against Computer Spyware Act of 2005, which allowed for civil penalties of $100,000 for each violation of the law, the alleged violations added in the updated lawsuit carried maximum penalties of $20,000 per violation.[32][33] Sony was ordered to pay $750,000 in legal fees to Texas, accept customer returns of affected CDs, place a conspicuous detailed notice on its homepage, make "keyword buys" to alert consumers by advertising with Google, Yahoo! and MSN, pay up to $150 per damaged computer and agree to other remedies. Sony BMG also had to agree that it would not bring any claim that the legal settlement in any way constitutes the approval of the court.[34]
New York and California class-action suits
[edit]Class-action suits were filed against Sony BMG in New York and California.[35]
On December 30, 2005, the New York Times reported that Sony BMG had reached a tentative settlement of the lawsuits, proposing two ways of compensating consumers who had purchased the affected CDs.[36] According to the proposed settlement, those who had purchased an XCP CD would be paid $7.50 per purchased recording and provided the opportunity to download either a free album or three additional albums from a limited list of recordings if they elected to forgo the cash incentive. District judge Naomi Reice Buchwald entered an order tentatively approving the settlement on January 6, 2006.
The settlement was designed to compensate those whose computers were infected but were not otherwise damaged. Those who had incurred damages not addressed in the class-action suit were free to opt out of the settlement and pursue their own litigation.
A fairness hearing was held on May 22, 2006, in New York. Claims were required to be submitted by December 31, 2006. Class members who wished to be excluded from the settlement were required to have filed before May 1, 2006. Those who remained in the settlement could attend the fairness hearing at their own expense and speak on their own behalf or be represented by an attorney.
Other actions
[edit]In Italy, ALCEI (an association similar to EFF) also reported the rootkit to the Financial Police, asking for an investigation under various computer crime allegations, along with a technical analysis of the rootkit.[37][38]
The U.S. Department of Justice made no comment on whether it would take any criminal action against Sony. However, Stewart Baker of the Department of Homeland Security publicly admonished Sony, stating, "it's your intellectual property—it's not your computer."[39]
On November 21, the EFF announced that it was also pursuing a lawsuit over both XCP and the SunnComm MediaMax DRM technology. The EFF lawsuit also involved issues concerning the Sony BMG end-user license agreement.
It was reported on December 24, 2005, that Florida attorney general Charlie Crist was investigating Sony BMG spyware.[40]
On January 30, 2007, the U.S. Federal Trade Commission (FTC) announced a settlement with Sony BMG on charges that the CD copy protection had violated federal law[41]—Section 5(a) of the Federal Trade Commission Act, 15 USC 45(a)—by engaging in unfair and deceptive business practices.[42] The settlement required Sony BMG to reimburse consumers up to $150 to repair damage that resulted directly from its attempts to remove the software installed without their consent.[41] The settlement also required them to provide clear and prominent disclosure on the packaging of future CDs of any limits on copying or restrictions on the use of playback devices, and the company was prohibited from installing content-protection software without obtaining consumers' authorization.[41] FTC chairwoman Deborah Platt Majoras added: "Installations of secret software that create security risks are intrusive and unlawful. Consumers' computers belong to them, and companies must adequately disclose unexpected limitations on the customer use of their products so consumers can make informed decisions regarding whether to purchase and install that content."[43][44]
Copyright infringement
[edit]Researchers found that Sony BMG and the makers of XCP also apparently infringed copyright by failing to adhere to the licensing requirements of various pieces of free and open-source software that was used in the program,[45][46] including the LAME MP3 encoder,[47] mpglib,[48] FAAC,[49] id3lib,[50] mpg123 and the VLC media player.[51]
In January 2006, the developers of LAME posted an open letter stating that they expected "appropriate action" by Sony BMG, but that the developers had no plans to investigate or take action over the apparent violation of LAME's source-code license.[52]
Company and press reports
[edit]Russinovich's report was discussed on popular blogs almost immediately following its release.[53]
NPR was one of the first major news outlets to report on the scandal on November 4, 2005. Thomas Hesse, Sony BMG's president of global digital business, said: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"[54]
In a November 7, 2005 article, vnunet.com summarized Russinovich's findings[55] and urged consumers to temporarily avoid purchasing Sony BMG music CDs. The following day, The Boston Globe classified the software as spyware, and Computer Associates' eTrust Security Management unit VP Steve Curry confirmed that the rootkit communicates personal information from consumers' computers (the CD being played and the user's IP address) to Sony BMG.[56] The methods used by the software to avoid detection were likened to those used by data thieves.
On November 8, 2005, Computer Associates classified Sony BMG's software as spyware and provided tools for its removal.[57] Russinovich said: "This is a step they should have taken immediately."[58]
The first virus to exploit Sony BMG's stealth technology to make malicious files invisible to both the user and antivirus programs surfaced on November 10, 2005.[59] One day later, Yahoo! News announced that Sony BMG had suspended further distribution of the controversial technology.[citation needed]
ZDNet News wrote: "The latest risk is from an uninstaller program distributed by SunnComm Technologies, a company that provides copy protection on other Sony BMG releases." The uninstall program obeys commands sent to it allowing others "to take control of PCs where the uninstaller has been used."[60]
On December 6, 2005, Sony BMG revealed that 5.7 million CDs spanning 27 titles were shipped with MediaMax 5 software. The company announced the availability of a new software patch to prevent a potential security breach in consumers' computers.
Sony BMG in Australia issued a press release indicating that no Sony BMG titles manufactured in Australia contained copy protection.[61]
References
[edit]- ^ Anastasi, Michael A. "Sony Exec: We Will Beat Napster" Archived March 18, 2009, at the Wayback Machine, New Yorkers For Fair Use, August 17, 2000. Retrieved November 13, 2006.
- ^ a b Smith, Tony (November 19, 2001). "BMG to replace anti-rip Natalie Imbruglia CDs". The Register. Archived from the original on February 17, 2010. Retrieved August 24, 2009.
- ^ a b Borland, John (November 19, 2001). "Customers put kibosh on anti-copy CD". CNET. Archived from the original on June 17, 2011. Retrieved August 24, 2009.
- ^ Fox, Barry (October 2, 2001). "NSync CD is copy protection 'experiment'". New Scientist. Archived from the original on May 31, 2015. Retrieved August 24, 2009.
- ^ Rohde, Laura (September 27, 2001). "Sony: Downbeat for a new online music battle". IDG. Archived from the original on May 28, 2008. Retrieved September 26, 2009.
On Tuesday, Sony confirmed that it had incorporated copy-protection software in promotional CD copies of the Michael Jackson single 'You Rock My World'.
- ^ Lettice, John (November 6, 2002). "'No more music CDs without copy protection', claims BMG unit". The Register. Archived from the original on August 10, 2017. Retrieved August 24, 2009.
- ^ a b c "Sony BMG Litigation Info". July 1, 2011. Archived from the original on April 1, 2013. Retrieved April 10, 2013.
- ^ "Anti-Piracy CD Problems Vex Sony" Archived June 21, 2006, at the Wayback Machine, BBC News. Retrieved November 22, 2006.
- ^ Russinovich, Mark (October 31, 2005). "Sony, Rootkits and Digital Rights Management Gone Too Far". Mark's Blog. Microsoft MSDN. Archived from the original on March 17, 2015. Retrieved July 29, 2009.
- ^ Larvala, Samuli. "F-Secure Rootkit Information : XCP DRM Software", F-secure Computer Rootkit Information Pages, November 29, 2005. Retrieved November 1, 2006. Archived January 14, 2007, at the Wayback Machine
- ^ "SecurityRisk.First4DRM" Archived August 19, 2006, at the Wayback Machine, Symantec Security Response, November 2005. Retrieved November 22, 2006.
- ^ "Sony's DRM Rootkit: The Real Story" Archived August 30, 2006, at the Wayback Machine, Schneier On Security, November 17, 2005. Retrieved November 22, 2006.
- ^ "Viruses use Sony anti-piracy CDs" Archived March 6, 2016, at the Wayback Machine, BBC News, 2005-11-11.
- ^ "World of Warcraft hackers using Sony BMG rootkit". The Register. Archived from the original on July 2, 2017. Retrieved August 10, 2017.
- ^ "Information about XCP protected CDs". October 17, 2007. Archived from the original on October 17, 2007. Retrieved June 20, 2011.
- ^ "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home" Archived May 6, 2010, at the Wayback Machine, Mark's Blog, November 4, 2005. Retrieved November 22, 2006.
- ^ Nikki, Matti. "Muzzy's research about Sony's XCP DRM system" Archived November 24, 2005, at the Wayback Machine Retrieved June 21, 2014.
- ^ Gilbert, Alorie. "Attack targets Sony 'rootkit' fix". CNET. Archived from the original on September 14, 2019. Retrieved May 13, 2020.
- ^ vunet.com (November 15, 2005). "Sony backs out of rootkit anti-piracy scheme". Archived from the original on November 24, 2005.
- ^ "Updated Sony BMG DRM Spotter's Guide | Electronic Frontier Foundation". Eff.org. November 8, 2005. Archived from the original on March 14, 2011. Retrieved October 22, 2011.
- ^ "First 4 Internet XCP DRM Vulnerabilities", US-CERT Activity Archive, November 15, 2005. Retrieved November 22, 2006. Archived September 27, 2007, at the Wayback Machine
- ^ Taylor, Paul. "Sony BMG bows to pressure" Archived November 24, 2005, at the Wayback Machine, Financial Times, November 17, 2005. Retrieved November 22, 2006.
- ^ "More pain for Sony over CD code" Archived December 20, 2006, at the Wayback Machine, BBC News, November 17, 2005. Retrieved November 22, 2006.
- ^ "SonyBMG's XCP FAQ". Archived from the original on January 30, 2009.
- ^ "Business News & Financial News | Reuters". Retrieved November 19, 2005.[dead link ]
- ^ Hesseldahl, Arik. " Spitzer Gets on Sony BMG's Case " Archived 2005-12-01 at the Wayback Machine, BusinessWeek Online, November 29, 2005. Retrieved November 22, 2006.
- ^ "Office of the Attorney General". Ago.state.ma.us. Archived from the original on December 28, 2005. Retrieved August 22, 2010.
- ^ "Information Web Site for the Sony BMG CD Technologies Settlement". December 21, 2006. Archived from the original on December 21, 2006. Retrieved June 20, 2011.
- ^ "CD's Containing XCP Content Protection Technology". Archived from the original on October 12, 2007. Retrieved December 24, 2008.
- ^ "Texas Attorney General". Oag.state.tx.us. November 21, 2005. Archived from the original on July 25, 2010. Retrieved August 22, 2010.
- ^ "Texas Attorney General". Oag.state.tx.us. Archived from the original on June 19, 2006. Retrieved August 22, 2010.
- ^ "AG throws more allegations at Sony BMG". dallas.bizjournals.com. December 21, 2005. Archived from the original on March 14, 2007. Retrieved June 20, 2011.
- ^ "Attorney General ups the ante in lawsuit against Sony BMG". sanantonio.bizjournals.com. December 22, 2005. Archived from the original on June 14, 2006. Retrieved June 20, 2011.
- ^ "No.GV505065" (PDF). texasattorneygeneral.gov. Archived (PDF) from the original on May 28, 2014. Retrieved December 19, 2006.
- ^ "Sony sued over copy-protected CDs; Sony BMG is facing three lawsuits over its controversial anti-piracy software". BBC News. November 10, 2005. Archived from the original on May 30, 2009. Retrieved November 22, 2006.
- ^ "Sony BMG Tentatively Settles Suits on Spyware". The New York Times. Associated Press. December 30, 2005. Archived from the original on May 29, 2015. Retrieved November 22, 2006.
- ^ "Crist's office joins Sony BMG spyware probe". The Inquirer. November 7, 2005. Archived from the original on February 4, 2006. Retrieved November 22, 2006.
- ^ "Legal proceedings in Italy by ALCEI against Sony for a 'criminal' offense" (Press release). November 4, 2005. Archived from the original on August 7, 2020. Retrieved May 13, 2020.
- ^ Menta, Richard. "Bush Administration to Sony: It's your intellectual property – it's not your computer" Archived December 29, 2005, at the Wayback Machine. MP3 Newswire. November 12, 2005.
- ^ "Crist's office joins Sony BMG spyware probe" Archived January 14, 2006, at the Wayback Machine, St. Petersburg Times Online, December 24, 2005. Retrieved November 22, 2006.
- ^ a b c "Sony BMG Settles FTC Charges". Federal Trade Commission. January 30, 2007. Archived from the original on February 10, 2007. Retrieved June 20, 2007.
- ^ "DOCKET NO. C-4195: COMPLAINT; In the Matter of SONY BMG MUSIC ENTERTAINMENT, a general partnership" (PDF). June 29, 2007. Archived (PDF) from the original on October 19, 2011. Retrieved January 8, 2012.
- ^ "Sony BMG Settles FTC "Rootkit" Charges". ConsumerAffairs.Com. January 31, 2007. Archived from the original on September 29, 2007. Retrieved June 20, 2007.
- ^ "CD's Containing XCP Content Protection Technology". Sony BMG Music Entertainment. 2005. Archived from the original on October 6, 2008. Retrieved April 17, 2012.
- ^ "Proof that F4I violates the GPL - Programming stuff". www.the-interweb.com. Archived from the original on October 17, 2013. Retrieved April 10, 2013.
- ^ "Sony's XCP DRM". www.hack.fi. Archived from the original on November 24, 2005.
- ^ "Is Sony in violation of the LGPL? - Part II - Programming stuff". www.the-interweb.com. Archived from the original on June 2, 2013. Retrieved April 10, 2013.
- ^ "Breakthrough after breakthrough in the F4I case - Programming stuff". www.the-interweb.com. Archived from the original on October 17, 2013. Retrieved April 10, 2013.
- ^ "Two new F4I license infringements found - Programming stuff". www.the-interweb.com. Archived from the original on October 17, 2013. Retrieved April 10, 2013.
- ^ "ECD Player Control Functions Window screenshot". Archived from the original on October 18, 2013. Retrieved April 10, 2013.
- ^ Hocevar, Sam. "Sam Hocevar's .plan". sam.zoy.org. Archived from the original on June 15, 2013. Retrieved April 10, 2013.
- ^ "LAME Ain't an MP3 Encoder". lame.sourceforge.net. Archived from the original on September 3, 2020. Retrieved May 13, 2020.
- ^ "Sony CD's caught installing extremely well-hidden and sketchy DRM software". WFMU blog. November 1, 2005. Archived from the original on December 16, 2014. Retrieved December 16, 2014.
- ^ "Sony Music CDs Under Fire from Privacy Advocates". NPR. November 4, 2005. Archived from the original on December 6, 2013. Retrieved June 20, 2011.
- ^ "vnunet.com analysis: Sony CD rootkit could spell doom". vnunet.com. Archived from the original on November 25, 2005.
- ^ Bray, Hiawatha (November 8, 2005). "Security firm: Sony CDs secretly install spyware". The Boston Globe. Archived from the original on February 4, 2007. Retrieved November 22, 2006.
- ^ Turner, Suzi (November 8, 2005). "CA Targets Sony DRM as Spyware". ZDNet. Archived from the original on October 12, 2012. Retrieved August 19, 2010.
- ^ "Microsoft to remove Sony CD code; Sony's controversial anti-piracy CD software has been labelled as spyware by Microsoft". BBC News. November 14, 2005. Archived from the original on December 16, 2006. Retrieved November 22, 2006.
- ^ Sanders, Tom; Thompson, Iain (November 10, 2005). "Virus writers exploit Sony DRM; Sony doomsday scenario becomes reality". vnunet.com. Archived from the original on December 16, 2005. Retrieved November 22, 2006.
- ^ Halderman, J. Alex "Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole" Archived November 27, 2005, at the Wayback Machine, Freedom to Tinker, November 17, 2005. Retrieved November 22, 2006.
- ^ "No Copy Protection on Australian Sony BMG CDs". Archived from the original on May 15, 2006. Retrieved January 18, 2007.
Sources
[edit]- "Sony Music CDs Under Fire from Privacy Advocates", National Public Radio, 2005-11-04
- Bergstein, Brian (2005-11-18). "Copy protection an experiment in progress"[dead link ]. Seattlepi.com.
- Halderman, J. Alex, and Felten, Edward. https://wayback.archive-it.org/all/20120712181539/http://citp.princeton.edu/pub/sonydrm-ext.pdf (PDF format), Center for Information Technology Policy, Department of Computer Science, Princeton University, 2006-02-14.
- Wikinews: Sony's DRM protected CDs install Windows rootkits
- Gartner: Sony BMG DRM a Public-Relations and Technology Failure
- Bush Administration to Sony: It's your intellectual property -- it's not your computer - 2005-11-12 MP3 Newswire article
External links
[edit]- Academic article examining the market, legal, and technological factors that motivated Sony BMG's DRM strategy
- List of titles affected by MediaMax
- List of titles affected by XCP
- List of titles included in settlement
- SonySuit.Com - Tracking The Sony BMG XCP and SunComm Lawsuits
- "Sony anti-customer technology roundup and time-line", Boing Boing.
- In-depth analysis and references, Groklaw
- Revisiting Sony BMG Rootkit Scandal 10 years later