Inside the Spyware Scandal -- Part 1
When Sony BMG hid a "rootkit" on their CDs last year, they spied on you and let hackers in. What were they thinking?
By Wade Roush
Tuesday, May 16, 2006
This article -- the cover story in Technology Review's May/June 2006 print issue -- has been divided into three parts for presentation online. This is part 1; part 2 will appear on Wednesday, May 17, and part 3 on Thursday, May 18.
John Guarino is the owner of TecAngels, a two-man computer consultancy in Manhattan. Give Guarino your ailing Windows PC, and in two or three hours he'll return it to you in perfect health. Often, he can solve his customers' problems over the phone.
But last summer, Guarino came across a problem he couldn't fix. In the process of flushing out the spyware and viruses infecting his customers' computers, he began to find the same mysterious intruders in machine after machine. They were strangely named files lurking deep inside the "registry" where Windows stores settings and instructions that control all of a computer's hardware and software.
To Guarino, the files looked like a rootkit -- software that tricks an operating system into overlooking worms, viruses, and any other files a hacker might want to conceal inside a user's computer. The files didn't seem to be causing damage, and Guarino's antivirus software didn't identify them as threats. But they had appeared on people's hard drives uninvited -- the conventional definition of "malware" -- so Guarino removed them.
But the files didn't go quietly. After Guarino deleted them, the CD drives on his customers' computers would stop working. The usual solution -- reinstalling the software that drives the disc players -- didn't correct the problem. Guarino couldn't explain this odd effect, and his customers weren't paying him to spend hours researching it; they just wanted their computers back. So he would usually resort to the nuclear option: reinstall the operating system from scratch.
After six or seven of these encounters, Guarino was growing weary. Then, on September 30, he discovered the mysterious files on his own PC. "That's what really pissed me off," Guarino says. "I was like, 'I can't believe it. I have the latest firewall, the latest antivirus software, three or four antispyware programs. How did this get here?'"
Like any good investigator, Guarino backtracked. He knew that the files hadn't been there the last time he had scanned his computer. He tried to reconstruct everything he had done with his machine over the previous few days -- what programs he had installed, what e-mails he had received, what websites he had visited.
Then he remembered that he had purchased a music CD the day before and had played it on the computer. It was a Sony BMG Music Entertainment album called Touch, by the rhythm-and-blues singer Amerie. Unlike most CDs, this disc couldn't be played using common media-player software such as iTunes, RealPlayer, or Windows Media Player. To hear the CD, purchasers had to install the customized Sony BMG player included on the disc. Guarino had done this.
Now he took a closer look at the CD's jewel box. One phrase popped out at him: "Content Enhanced and Protected." Evidently, the disc carried some form of digital rights management (DRM) software -- a program designed to control copying and thus discourage piracy.
Finally, the pieces came together. The mystery files resembled a rootkit; the usual purpose of a rootkit is to hide something; a copy protection program was the kind of thing its creators might wish to hide from users; and removing this particular rootkit disabled the CD drive. Guarino could only conclude that the malware's source was Sony BMG itself.
"That's when I gave up," Guarino says. He could fight malware one machine at a time. But if the world's second-largest record company wanted to install secret software on its customers' computers, he would never win.
Before putting the problem aside, Guarino did one very important thing. He e-mailed his logs to F-Secure, a computer security firm in Helsinki, Finland, whose software he had used to detect the files. Though F-Secure's malware watchers had not previously encountered the rootkit, they were quickly able to confirm Guarino's suspicions. Over the next two weeks, they came to another, much more troubling realization: the rootkit could hide other files as easily as it hid Sony BMG's copy protection software. Every computer that had ever been used to play a copy-protected Sony BMG disc was now, in effect, an open receptacle for worms, viruses, and other malware.
On October 17, F-Secure contacted Sony. Two weeks later, respected security expert Mark Russinovich found the rootkit on his own computer and publicized his findings on his widely read blog. He also discovered that other software installed along with the copy protection program secretly contacted Sony BMG via the Internet every time a PC user played a copy-protected disc. And over the next several months, what had begun as a curiosity in Guarino's little shop escalated into a full-blown scandal, complete with backroom negotiations, public exposés, heated denials, angry boycotts, vengeful lawsuits, and rueful apologies.
Though its original purpose was to hide software that prevented listeners from making more than three copies of their music, Sony BMG's rootkit became the most public symbol to date of the perceived excesses of DRM technology -- and of the growing suspicion media companies seem to harbor toward their own customers. The scandal is still having repercussions. It has reignited a dispute in the public sphere over the ways consumers should be allowed to use copyrighted digital information and, conversely, just how far copyright holders can go to secure their intellectual property against piracy. (See "Who Should Own Ideas?" a TR special package published in June 2005.)
Taken to extremes, experts say, digital rights management not only curtails people's right to make "fair use" of copyrighted material, which is guaranteed by U.S. copyright law, but can even create new technological hazards. "When you build computer systems where you're not protecting the user, but something from the user, you have very bad security," says Bruce Schneier, a luminary in the field of computer security and chief technical officer of Counterpane Internet Security in Mountain View, CA. "That's my biggest fear -- this notion that the user is the enemy."
The story of the Sony BMG rootkit fiasco is about more than bad corporate judgment or the ongoing struggle over the rights of consumers to do what they want with the things they own. It is also about fear and the excesses it can arouse. When media companies apply such powerful, secret tools to content protection, it suggests that their nervousness over piracy has turned to panic. Although Sony BMG insists that the rootkit was deployed unintentionally, the episode persuaded many observers that the music industry had come to see deception as an indispensable component of digital rights management. It should be no surprise when customers who feel they are being treated like thieves stop buying things. If there is one message in Sony BMG's experience for other companies entering the digital world, it is that distrust engenders distrust.
Demand for digital "content" (a feeble but convenient jargon word for everything from poetry to podcasts) is greater than ever. Sales of downloadable music worldwide nearly tripled between 2004 and 2005, from $380 million to $1.1 billion, and now represent about 6 percent of all music sales. As of March 2004, Apple's iTunes music store was selling songs at a pace of about 2.5 million per week. According to the U.K. version of Macworld magazine, it now sells three million songs every day.
One might expect content producers and distributors to be thrilled by digital's takeoff. But in reality, they are often preoccupied with the ever-present threat of rampant copying. And for good reason: in a one-month period in 2005, 3.8 million U.S. households downloaded music using the free peer-to-peer file-sharing services WinMX and Limewire, while only 1.7 million households purchased files from iTunes, according to market research firm NPD Group. The Recording Industry Association of America puts the lost retail revenues from digital music piracy at $4.2 billion per year, and it has fought illegal downloads aggressively: in February, it announced that it had launched 750 new lawsuits against users of peer-to-peer file-sharing networks, bringing the total since 2003 to more than 18,000.
Preceding almost every illegal download, however, is a much more innocent act: ripping compressed computer files, such as MP3s, from a legitimately purchased CD. Ripping and burning CDs for personal use is perfectly legal in the United States. But Thomas Hesse, president of global digital business for Sony BMG, says it accounts for two-thirds of all piracy. "The casual piracy, the schoolyard piracy, is a huge issue for us," he told the Reuters news service last year.
So recording companies like Sony BMG are naturally attracted to technologies that promise to thwart wayward fans. Enter digital rights management, an industry that emerged in the late 1990s to help publishers and studios maintain control over the contents of DVDs, software, and the like. For DRM companies and their clients, "control" means barring customers from opening digital files unless they have paid to do so. It means preventing the copying, printing, backing up, or replication of a work except when expressly permitted by the work's license agreement.
For years the recording industry didn't need this level of control, since consumer-grade CD players (introduced in 1982 by Philips and Sony) were designed exclusively to play music, not to export it in digital form. But by 1996, when PC manufacturers began to include CD-ROM drives as a standard feature in home computers, the threat of "casual piracy" had emerged; and when it debuted in 1999, Napster, the first popular Internet music-sharing system, made good on that threat. Recording companies began to lobby in Washington for greater legal penalties against those caught sharing files -- and also began looking for ways to make copying and sharing more daunting for the average user.
This isn't a straightforward matter. Protected discs must include DRM software to limit copying; yet at the same time, they must be playable on ordinary CD players. One way to meet both needs is to make CDs more like CD-ROMs, which often contain multiple "sessions" similar to the cuts on old vinyl LPs. The first session of a multi-session CD, starting at the center of the disc, contains music, and the outer sessions contain software. Normal CD players read only the first session and ignore the rest, while a Windows PC with its "autorun" feature turned on looks first for programs in the outer sessions that it can execute. (Luckily for DRM developers, autorun is activated by default in Windows XP, and most users never change this setting.)
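The autorun behaviour described above is the hook that lets a disc's outer software session execute on insertion. As an added example (not part of the original article), the following PowerShell script audits the two documented AutoRun controls on a Windows machine and can set them to the hardened values; it assumes an elevated session and uses only the standard Explorer policy key and the CD-ROM driver key.

```powershell
# Added example: audit and optionally disable Windows AutoRun for CD-ROM drives.
# Assumes an elevated (administrator) PowerShell session.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$cdromKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Cdrom'

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is suppressed.
# 0x20 is the CD-ROM bit; 0xFF suppresses AutoRun for every drive type.
$cdromBit  = 0x20
$allDrives = 0xFF

function Get-AutoRunStatus {
    foreach ($p in $policyPaths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $v) {
            $state = 'not set (OS default applies, which leaves CD-ROM AutoRun enabled)'
        } elseif (($v -band $cdromBit) -eq $cdromBit) {
            $state = '0x{0:X2}: AutoRun suppressed for CD-ROM drives' -f $v
        } else {
            $state = '0x{0:X2}: AutoRun still enabled for CD-ROM drives' -f $v
        }
        [pscustomobject]@{ Key = $p; Value = 'NoDriveTypeAutoRun'; State = $state }
    }
    # The Cdrom service's AutoRun value (0 = off) disables media-change notification at the driver level.
    $svc = (Get-ItemProperty -Path $cdromKey -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    [pscustomobject]@{
        Key   = $cdromKey
        Value = 'AutoRun'
        State = $(if ($svc -eq 0) { 'disabled at driver level' } else { 'enabled (or unset)' })
    }
}

function Disable-AutoRun {
    foreach ($p in $policyPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name NoDriveTypeAutoRun -Value $allDrives -Type DWord
    }
    Set-ItemProperty -Path $cdromKey -Name AutoRun -Value 0 -Type DWord
}

Get-AutoRunStatus | Format-Table -AutoSize
# Uncomment to apply the hardening; the policy change takes effect after logoff or reboot.
# Disable-AutoRun
```

With AutoRun suppressed, inserting a multi-session disc still exposes its data session in Explorer, but nothing on it executes unless the user launches it deliberately.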
When Sony BMG undertook the industry's first large rollout of copy-protected CDs in 2005, it used the multi-session method. On 52 Sony BMG albums released between January and November, the outer sessions included a Windows copy protection program called XCP (eXtended Copy Protection), which Sony licensed from a U.K. company called First 4 Internet, and a dual Macintosh/Windows program called MediaMax, from Phoenix, AZ–based SunnComm. This wasn't the first time a label had attempted to sell CDs with anticopying software; Arista Records, a Sony BMG subsidiary, marketed a disc carrying MediaMax in late 2003, and rival Macrovision's DRM software appeared on thousands of CDs from other labels beginning in 2002. What was unusual about the new Sony BMG discs, however, was the technique First 4 Internet had chosen to make XCP invisible.