Muzzy's rant and whine about Sony's XCP DRM

This page is separated from my research page, since I figured it'd be wiser to keep opinions and facts on separate pages. This page is extremely opinion-filled. If you think the research page has content that is a little bit biased, mail me and I'll see what I can do to fix the balance. I've also written a short summary of the XCP DRM system and its problems.

What's the real story?

So, all over the media this copy protection scheme has gotten heaps of negative attention. However, the problem with the whole rootkit deal is that the consumer is losing his practical ability to maintain control over his own computer system. Security companies typically respond when a virus writer or some other such party takes control of computer systems without the right to do so, but there's no reaction when a large company does the same. It would appear that everyone in a position to do something about it has been pondering whether these multinational corporations have the right to perform this sort of consumer rights violation, and apparently there have been no real conclusions on this. The public outcry got so loud, and enough real security problems surfaced, that it was possible to tackle those issues on their own merits, without having to take a stance on whether Sony BMG was acting within the bounds of what it's rightfully allowed to do.

US-CERT has reacted, but only to discuss the actual security issues, such as the uninstaller vulnerabilities. They also give some generic recommendations on how to prevent installation of "this type of" rootkit. However, their choice of words is quite careful not to take a stance on the rootkit itself, and the generic recommendations they give don't apply in this case -- such as "Read the EULA", which wouldn't have helped much, since the EULA in question doesn't say that the software can't be uninstalled, nor does it mention any of its other significant features. The Bush administration gave Sony BMG a kind of warning, saying "it's your intellectual property -- it's not your computer", but that's it. They're getting away with the whole incident, with only some PR damage, which they've spun to make it look as if the whole problem were just a security flaw, something that happens a lot nowadays. Even with the above quote, nobody's really tackling the issue of whether large corporations are really allowed to hijack the computers of unsuspecting consumers. Had a smaller company done it, they'd be in deep trouble already.

This is a dangerous situation, because if this case is allowed to stand without change, installing rootkits will in practice become tacitly accepted. The only problems that get paid attention to are the practical security problems that resulted from the bad programming practices used in the XCP DRM system. The user will thus no longer be in control of what his computer is doing; large corporations will be deciding that instead. And since all of this, i.e. technological protection measures, is protected by the law, these multinational corporations are free to rewrite how the law works in practice. Copyright law should be the thing that defines what's OK to do with copyrighted works and what's not, but that decision is now being handed to media corporations to make by themselves.

Liability issues

All the blame is being pushed onto First4Internet in this incident, for developing the software. This is again because nobody's tackling the real problem, the fact that there was a rootkit bundled with the CDs. There are braindead security problems in F4I's protection system, and issues with reliability and stability, but these aren't obviously intentional. It's a lot easier to accept that in these regards F4I has been blatantly stupid and inexperienced rather than malicious in its actions. The copyright infringement issues are slightly different, which is what makes this case interesting.

Can Sony BMG avoid all of these issues just because they had the DRM made for them by a third-party company? This would be a lovely scam to practice in the future if it's shown to work: just push all the dirty work onto small companies, let them disappear in bankruptcy when problems arise, and move on to the next small company. For this reason alone, authorities should investigate the ties between Sony BMG and First 4 Internet. Sony is claiming that F4I is strictly a third party, and that they only bought a protection system made by them. The evidence, however, shows that F4I made a custom product for Sony, which makes one wonder how much Sony knew of what was going on. Most definitely they knew of the rootkit functionality and what it did; they most definitely knew they were modifying consumers' computers to change their behaviour and take control away from them. They definitely chose not to tell users that this software couldn't be removed, and they neglected to mention that it phones home.

Additionally, on copyright infringement: it's very common nowadays to hear of lawsuits where media companies sue parents whose children were downloading music or movies. The same applies to situations where someone's roommate is responsible; the owner of the internet connection gets sued. Sony, however, seems to think that it's different for them, even though they've been found to be distributing infringing copies of works based on open source software. How is this any different? Why should they be free from responsibility?

Here's a quote from "Gilgamesh" on the Ars Technica forums, which illustrates a legal standpoint for why Sony BMG could be liable for the copyright infringement as well; this point should probably be carefully explored by some lawyer types out there:

If First4Internet was responsible for the development of Sony BMG's DRM (the rootkit), then they are primarily liable for any infringement that may have occurred. However, even if Sony didn't have a hand in development of the software, they were responsible for its distribution, which opens them up to potential third-party liability from contributory infringement under the new Grokster standard. See MGM Studios Inc. v. Grokster, Ltd., 125 S. Ct. 2764 (2005); see also Karen M. Kramer, Metro-Goldwyn-Mayer Studios v. Grokster: The Supreme Court's Balancing Act Between the Risks of Third-Party Liability for Copyright Infringement and Rewards of Innovation, 22 Santa Clara Computer & High Tech. L. J. 169 (2005). According to the Supreme Court in Grokster, third-party liability may be found via a theory of inducement to infringe, upon showing "clear expression or other affirmative steps taken to foster infringement." If the new Grokster standard is used to impart liability against Sony, the irony of the situation quickly reaches epic proportions.

The real issue with liability, however, is that Sony BMG is actually taking over computer systems that don't belong to them. They did this deliberately and knew very well what they were doing. Unfortunately, security companies seem to be afraid of tackling this issue; it's not good for business to make enemies of large corporations. In doing so, the security companies are only working for their own security rather than that of their users. The big problem is laws like the DMCA and, in Europe, the EUCD, which make it illegal to circumvent these copy protection systems, no matter how malicious they are. The laws don't tend to define what these copy protection systems are allowed to do, but since nobody wants to touch the issue, probably for fear of having to fight DMCA-related lawsuits, the creators of these "protection" systems are getting away with what they're doing. Even though the law doesn't define what DRM is allowed to do, it creates a strong chilling effect against stopping the DRM from doing what it's doing, even when the DRM system appears to be illegal. It's said that two wrongs don't make a right, and that's definitely the logic here: even if the DRM system is blatantly illegal in what it does, it still won't be OK to stop it from performing its illegal actions.

DRM systems of this kind should be declared illegal, and laws preventing security companies from protecting their users should be overturned. The media companies tend to complain that DRM is required for their business, but that only applies to the new business models they're planning, in which they will take rights away from users and then sell them back. Back in the old days, companies used to sell people what they wanted to have, but the current trend is to see what's popular and then claim an exclusive right to sell it. What's the price of your human rights?

Ties between Sony and First 4 Internet

Earlier in my rant, I presented the scam scheme in which smaller companies are used to do the dirty work, and these companies can then be made to disappear in bankruptcy without any worries. I called for an investigation into the ties between Sony BMG and F4I, and I got a mail about it which pointed me to the comments on Mark Russinovich's original post about the rootkit. Yeah, there's Michael Tandy, doing some detective work and looking up public records on First4Internet.

First4Internet, eh?... let's see... according to public records, they were incorporated 24/11/1999. In 2004 they had a turnover of 709,941 and operating expenses of 1,301,546 -- meaning an operating loss of 591,605. In the last five years they have, on average, lost 541,067 a year. For 2004, their credit rating is "HIGH RISK" (complete with capitalisation). Meanwhile, the four directors share annual remuneration of 224,413 between them (average 56,103 each).

One of the directors, Nicholas Bingham, (appointed in 2002) was director of "Sony pictures home entertainment Ltd." from 1989 to 1997, and director of "Sony pictures television production UK Ltd." from 1996 to 2000, and director of "Sony digital radio europe Ltd." from 1994 to 2000.

A cynic might say Sony selected this inept copy protection technology because it was supplied by one of their cronies. The reason this is a bad business practice can be seen by the software's many failings.

So, obviously something is going on. Sony BMG decided to use the services of a "HIGH RISK" company to do a custom job for it, and one of their own guys was there directing the situation. I'm well aware of the risks of non-deductive, backwards logic, but this fits just too well. I don't understand enough about business, nor do I have the knowledge Sony BMG had when it made its decisions, so I can't know whether there's some other explanation for the choices they made. For now, I'm willing to stick to abductive logic and claim it likely that the DRM could have been developed in-house, but they chose to take over a small company and do it there instead, to escape legal problems related to taking over consumer systems.

What do YOU think?


Updated 2005-11-19 Matti Nikki <muzzy@iki.fi>