Complain about a product or service

Sony Slammed for Hidden CD Software

By Martin H. Bosworth
ConsumerAffairs.com

November 9, 2005

Sony • Sony: Dust Voids PlayStation 3 Warranty • Sony BMG Settles FTC "Rootkit" Charges • Sony BMG Settles Root-Kit Suits for $4.25 Million •: Sony BMG Settles California Case • PlayStation 3 Takes the Field • PlayStation 3 Brings Big Bucks on eBay • Court Approves Sony BMG CD Settlement • Sony Reaches Tentative Settlement in Spyware Cases • New Charges Against Sony's Use of Stealth Software • New York Joins Sony CD Investigation • Recalled Sony CDs Still On Sale • Consumer Group Sues Sony BMG • Texas Sues Sony for Violating Spyware Law • Sony Withdraws CDs With Copy-Protection Software • Sony Slammed for Hidden CD Software • Sony Loses Playstation Suit • Digital Camera Buyers Give Kodak, Sony High Marks • Sony Agrees to Stop Payola Payments to Radio Stations • Sony Playstation 2 Defective, Class Action Charges --- Complaints • Playstation 2 • Playstation 1 • Cameras, Camcorders • Computers • Computer Monitors • Computer Rebates • Home Electronics Rebates • TVs • WebTV

It's been a bad few weeks for Sony BMG Music. First was the revelation that their copy-proof compact discs contained software that could hide files on any computer the disc was played on, and could cripple the entire machine if a user tried to remove it. Even a quickly-issued "patch" to the software didn't soothe buyers' outrage.

Now the entertainment giant is facing a potential class-action lawsuit in California for violation of a state law that forbids "inducing" the installation of spyware or similar utilities on a personal computer in order to use a particular application.

San Francisco lawyer Robert Green said he is investigating the possibility of a lawsuit against Sony. "We're still investigating the case and talking to different people about what happened to them," Green said.

Green has been involved in consumer lawsuits accusing Palm Inc. of selling defective Treo cell phones and accusing Trilegiant of deceptive marketing practices.

Sony's Hidden Surprise

The issue first came to light when Mark Russinovich, a software designer and Windows expert, found evidence of a "rootkit" on one of his systems. Rootkits are tools designed to camouflage changes to a computer system made after a hacker or spyware vendor has compromised it.

Russinovich investigated the rootkit and traced it back to a company called First 4, which recently struck a deal with Sony to provide digital rights management (DRM) for its CD music releases. DRM controls the usage of a CD and is often used to block it from being copied onto a computer or to make multiple copies.

There's no mention of the rootkit in the end-user license agreement (EULA) that a buyer agrees to when they play the disc, and attempting to remove it can cripple Windows computers, which may require a full reformat and reinstall of the computer's hard drive.

Russinovich had recently bought a new CD by the Van Zant brothers, "Get Right with the Man," which contained a special media player required to play the disc on his computer. By installing the player, he had unknowingly installed the rootkit as well.

Russinovich posted the findings on his Web site's blog on Oct.31st, provoking a flurry of criticism and complaints against Sony.

One blogger said that "[t]he most frustrating thing about this is the way in which it punishes the people who've actually chosen to buy the product."

Another critic pointed out that because rootkits are tools used by hackers, installing one on a machine can leave it vulnerable to access from outside sources. "The purpose of a "rootkit" is to open up one or more access points to administrative ("root") control, letting [hackers] do anything they want with your machine," they said.

The Fix Is In

Sony and First 4 hastily offered a "patch" to the software, allowing angry buyers to view the files hidden by the rootkit.

In an interview with BBC News, First 4's chief executive, Mathew Gilat-Smith, claimed that the Van Zant CD explicitly stated that it was copy-protected on the packaging, and that users were informed that the CD required special software to play.

Thomas Hesse, president of Sony's global digital entertainment division, was rather flippant when discussing the complaints. In an interview with NPR, he said "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

The supposed "patch" does not actually allow a user to remove the rootkit. It only enables users to see the previously hidden files.

In order to actually remove the files, users have to visit a special Sony Web site. In addition, users of Web browsers such as Mozilla Firefox or Opera are denied from accessing the site, as it requires special "ActiveX" controls found only in Microsoft Internet Explorer.

ActiveX is derided by experts in the anti-spyware industry for easily enabling hackers and malware creators to get access to a user's machine through Internet Explorer.

Bizarro World

Sony and First 4 insist that the hidden software does not empower hackers to take advantage of vulnerable computers, but a strange twist in another case involving unauthorized software installation may prove otherwise.

Blizzard Entertainment, makers of the popular online roleplaying game "World of Warcraft," recently came under fire for installing a program called "The Warden" on players' machines, in order to verify that they weren't attempting to cheat or hack the game. The program can enable access to anything that's on a user's computer while playing the game, including personal files, spreadsheets, and so on.

Several enterprising World of Warcraft hackers found they could use the Sony rootkit to cloak their activities from any sort of monitoring, including Blizzard's own program.

In addition, any discussion of how to circumvent the Sony rootkit can possibly be interpreted as a violation of copyright law. The Digital Millenium Copyright Act (DMCA), passed to prevent illegal content piracy, specifically forbids any attempt "to `circumvent a technological measure' means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner."

To sum up ...

• A piece of software designed to prevent illegal copying of a CD can effectively open that computer up to attacks from hackers, and any attempt to remove it can cripple the machine.

• Further, hackers can use the software to cloak their own activities, and any discussion of how to remove it can be potentially punished with civil or criminal penalties.

• In order to get help from Sony to remove it, you have to use a set of Web browser applications that are magnets for viruses, spyware, and Trojan horses.

As one furious commenter on Amazon.com's message board put it, "All of this was bad enough but this new method takes the copy protection madness to a whole new level…[y]ou'd never pay anyone to install malware on your computer system, would you? But that's exactly what happens when you buy this CD."

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.