Sony-BMG Doesn't Trust You
Sony-BMG may have hijacked
your computer and you dont even know it. The major record label has been releasing
CDs that include XCP, a content-protection scheme that installs software on your computer
without asking you. Whats worse, XCP leaves you vulnerable to Trojan-horse programs
that exploit Sonys software. The Trojan arrives via e-mail, and often requires the
user to open a file that the more security-conscious of us wouldnt think of doing.
But if you do open it, XCP helps it to hide in your computer.
Mark Russinovich first discovered XCP on his own computer;
those with an interest in his trials in discovering and identifying XCP can read more about it. In short, XCP hides files with certain extensions
(those of Sonys content-protection software) so that they remain invisible to the
average user -- even one sophisticated enough to go looking for files in the
computers registry. This means that viruses that use that extension will also be
invisible to the user. If Im a virus maker, I just need to add this extension to my
file names and theyll be invisible to the computer user. If youre curious
about which Sony discs include XCP, the Electronic Frontier Foundation has compiled a list.
If you dont use your computer for playing CDs, then
you dont have to worry about this latest round of content protection. Unlike other
content-protection schemes in the past, XCP doesnt seem to affect a conventional CD
players playback of the discs. Dont be too complacent, though. If the outcry
over XCP brings about a change in Sonys attempt at content protection, the next idea
just might affect you, too.
Once it became clear that Russinovichs story of
discovery was spreading like wildfire, Sony temporarily stopped shipping XCP CDs. Of
course, that does nothing to stop people from buying the thousands of XCP CDs already in
stores. Nor does it do anything for those whove already bought the discs. Just as I
was about to submit this column, I got word that Sony intends to implement a replacement
policy for XCP CDs -- but, of course, youll need to have been paying attention to
this developing story to discover the details. Sony has also issued a "fix" for
XCP-infected computers, but security experts have already pointed out that the fix may be
more problematic than the original problem.
It is unfortunate that record companies feel they must
treat their customers as potential criminals. If Sony-BMG thought that their customers
were honest people with integrity, then there would be no need for them to add
content-protection software to their discs. Therefore, they must think that at least some
of their customers are criminally minded. But if they thought that only a small percentage
of users are so inclined, then it wouldnt be cost-effective to buy the software and
put it on the discs. Im left thinking that Sony must not think too highly of its
average customer. Too bad they just cant produce a product that people will want to
buy at a reasonable price, which might be the best content-protection scheme.
Sony-BMGs actions here are immoral. First, by not
alerting users to the installation of XCP, they violate users right to control what
is on their computers. At the very least, this is an act of deception. Putting an XCP CD
in your computer doesnt produce a screen that says something like, "Were
about to install content-protection software on your computer. Do you agree?" If it
did, it would at least be left up to the user to decide whether or not to accept it.
Second, by not providing a clear way to uninstall XCP, Sony
has further hijacked their own customers computers. By using system resources and
masking files on your computer, XCP takes away your ability to use your property the way
you want to use it. When XCP is secretly installed on your computer, some of its files are
labeled "Essential Systems Tools" -- another act of deception that suggests to
all but the most knowledgeable users that they should leave those files alone.
Third, the implementation of XCP shows a lack of respect
for customers. Such actions show that Sony does not value users time and property in
a way similar to how they would wish to be treated. The fact that removing XCP can itself
seriously cripple your computer (see Russinovichs essay) shows just how little the
software developers and Sony care about their customers. Any time a customer spends
uninstalling XCP is time they could have spent doing something else.
As if all this werent bad enough, you should read the
end-users license agreement that goes along with these CDs. Obviously, you own the
CD and can do what you want with it. But when you install an XCP CD on your computer, you
get a 3000-word agreement in which Sony states that you must delete the digital music
files if the physical CD is broken, if you move out of the country, or if you file for
bankruptcy. Thats just for starters; you can see a more detailed analysis of the end users
agreement by the Electronic Frontier Foundation.
I dont usually use my computer to play CDs, but this
action on Sony-BMGs part has made me unwilling to purchase any CDs from
Sonys labels. I have a hard time supporting a company that treats its users so
poorly. This is unfortunate, as there are many Sony albums -- including one XCP release --
that I wanted to buy.
Luckily, there are a great number of independent labels
that use no content-protection malware, and that cater to any musical taste you might wish
to explore. Here are three examples: Chesky Records has released some great jazz records
in recent months; MA Recordings offers a wide variety of musical styles, and
Ive been pleased with everything Ive bought from them; and Six Degree Records
has a nice selection of world-pop music. Next time youre looking for new music, why
not try an artist from such a label? Theyll likely appreciate your business more
than Sony-BMG does, and treat you accordingly.
Eric D. Hetherington