The Sony DRM Debacle

David Bender

CSSE

University of Wisconsin, Platteville

Abstract

In the fall of 2005, it was revealed that Sony-BMG had released roughly 4.7 million music CDs with flawed copy protection systems, XCP and MediaMax. These copy protection systems caused Sony-BMG a giant headache with privacy advocates and security experts, which ultimately led to a public uproar, a class-action lawsuit, and the recall of millions of discs. One of the major issues raised is the relationship between ethics and software engineering, including where companies should draw the line between protecting their rights and infringing on the rights of their customers. This paper describes how the copy protection systems in question work, what their flaws were, a couple of the easily found workarounds, and the ethical questions raised by Sony-BMG's actions.

Introduction

There are many ethical issues in the battle for digital rights, ranging from whether it is right to download music without compensating the artists and recording labels to how far recording labels should be allowed to go, within the bounds of ethics, to protect their rights.

In the fall of 2005 Sony decided to test the bounds of ethics in an attempt to secure roughly 4.7 million audio CDs with copy protection systems that wound up being inherently flawed. [2]

Not only did Sony infringe upon the rights of their customers by limiting fair use of the CDs purchased, they also introduced security flaws and vulnerabilities into their customers’ computers. This caused an outcry amongst customers and advocates which ultimately led to a class action lawsuit against Sony-BMG. [4]

Goals of DRM

The primary goals of a Digital Rights Management (DRM) system are to protect and strengthen the business models of the record label and of the DRM vendor. While the DRM vendor and the record label have the same broad goals, each also has goals of its own that may not coincide with the other’s. This can cause conflict between the vendor and the record labels, including fostering an environment where full disclosure between the two might not occur. [2]

Record Label Goals

The overall purpose of the record labels seeking out DRM protection is to increase profit. Contrary to what is commonly believed, it isn’t actually about the artists, it’s about maintaining the record label’s business model. In light of this, there are two primary ways that DRM does this. [2]

One way is by increasing sales of CDs. While the overall purpose of DRM to the record labels isn’t preventing copying, it is a means to their goals of protecting their business models. DRM increases CD sales by limiting disc-to-disc copying, and limiting copying from a CD locally to a computer, which then limits distribution of the DRM protected material on the internet. [2]

Another way the record labels can increase profit using DRM is by getting their software onto as many computers as possible. They can do this by selling advertising that will be displayed to whoever is using the computer on which the DRM software has been installed. The record labels can also gather and sell information about users to the highest bidder. [2]

DRM Vendor Goals

The DRM Vendors have different goals in mind, as would be expected from a company in a different business than the record labels.

One of the primary goals the DRM vendors have is to maximize the price for their software by creating value for the record label. The more the record label can profit by using the software from a given DRM vendor, the higher the price that record label will be willing to pay for the DRM software. In the process of providing more value and therefore garnering a higher price from the record labels, the vendors also increase the likelihood of their product becoming the product that the record labels use. [2]

The other primary goal of the DRM vendors is simply to survive. Smaller companies often need to take more risk in order to survive. This can cause some conflict between a small vendor and a large client; a large company can and often needs to take less risk to keep business as is, while a smaller company like a DRM vendor needs to take more risk just to survive. The DRM vendors can increase their likelihood of surviving by maximizing their installed base. In order to do this, a DRM vendor needs to get a major recording label as a client, and then they must beat out the other DRM vendors and become the primary DRM used. [2]

CD DRM Systems

CD DRM systems must fit several criteria to be a viable solution to the DRM “problem.” If a DRM system doesn’t match all of the criteria, it won’t last long as a DRM system and would be unlikely to become the choice of the record labels. [2]

A DRM protected CD must play on ordinary CD players without any modification. If a DRM CD will not play in Bob’s car stereo or Suzy’s portable CD player, those CDs would not likely sell very well in the CD stores. Nobody would like to buy a CD that won’t play in CD players. [2]

A DRM protected CD must have restricted readability by computers. This means the DRM must prevent copying on the computer without the permission of the DRM software or the record label, and the DRM must provide access to the DRM protected material on the CD. This protects the CD from being copied, yet allows the user to still access the material on the computer. [2]

DRM software must also be installed somehow. If the DRM software is not installed on the computer the CD is going to be used on, then the point of the DRM is thrown out the window. To achieve this, autorun is used on Windows computers, while on a Mac computer the DRM software must be explicitly run by a user. [2]

Finally, DRM software must recognize DRM protected discs. If the DRM software doesn’t detect all DRM protected CDs, it can’t control the use of them. [2]

XCP

XCP relies on the autorun feature of the Windows operating system for its initial install. Commands in autorun.inf on the CD are executed, which then install the XCP software onto the PC. The autorun feature is often used to display splash screens and initiate the installation process of programs on Windows computers.

For XCP to be installed on a Mac computer, a user must manually run the installer. Most users have no desire to do this, so XCP is essentially ineffective on Mac computers.

XCP protected discs contain two sessions: one music session and a second session with the DRM content data. This allows regular CD players to play the CD, as standard CD players will only read the first session on a multi-session disc. The autorun.inf file is located within this second, data session. See figure 1 for an example of a two session disc. Notice the line visible on the CD; this is a blank, unwritten section of the disc between the music session and the data session. [2]

Figure 1: A two session CD [6]

When a user inserts an XCP protected CD into a Windows computer for the very first time, an End User License Agreement (EULA) is displayed. The user is required to agree to the EULA before they can listen to the protected CD on their computer. Once the user agrees to the EULA, the XCP software is installed, and the CD can then be played on the computer. If the user declines the EULA, the CD is immediately ejected. [2]

XCP also uses a temporary protection that is auto-loaded during CD insertion, though it is not installed. This temporary protection uses a blacklist of applications known for burning/ripping of CDs and loads a window displaying any of those blacklisted applications that are currently running. The program will not allow the process to continue until all listed applications are closed. See figure 2 for an example of what this program looks like when Exact Audio Copy is running in the background and the CD Nothing Is Sound by the band “Switchfoot” has been inserted. [2]

Figure 2: XCP’s temporary protection on CD insertion [2]

MediaMax

MediaMax also utilizes the autorun feature of Windows operating systems to install onto a computer, as well as using a multi session disc to contain both music and the DRM software on a single disc.

MediaMax’s temporary protection is much more invasive than XCP’s temporary protection. MediaMax immediately installs the full protection software onto the computer, even if the user declines the EULA. It then temporarily activates the protection software until the EULA is responded to either way. If the user agrees to the EULA, then the MediaMax protection is permanently enabled. [2]

Avoiding Copy Protection

There are four primary ways of defeating both XCP and MediaMax DRM software. In the author’s opinion this does not violate the DMCA, as all four are reasonably available and legal activities for any person to undertake.

Mark up the Data

One way to prevent both XCP and MediaMax from being installed is to simply take a black permanent marker and mark over the data section of the two-session discs. Simply mark up the data on the outside of the line that denotes the space between the audio and the data sections. See figure 1 for an example of the separator. [2]

Hold Shift-key down during insertion

Another way is to temporarily disable autorun on a Windows system by holding down the Shift key during the insertion of the DRM protected disc. This disables autorun for this insertion only, and keeps the DRM software from installing. [2]

Disable Auto-Run

One more way of keeping the DRM software from being installed is by permanently disabling autorun on a Windows system. This keeps all CDs from taking advantage of autorun, which then prevents all DRM software discs from installing their software as well. [2] See figures 3 and 4 for the process of disabling autorun on a Windows XP computer.

Figure 3: Step 1 of disabling autorun on a Windows XP computer

Figure 4: Step 2 for disabling autorun on a Windows XP computer
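
The autorun install path from the XCP section and the permanent disable described here can be checked together. The following is an added example, not code from the paper: it reads a disc's autorun.inf and reports what Windows would start on insertion for a given NoDriveTypeAutoRun policy value. The sample file, its program names and the use of the NoDriveTypeAutoRun value (rather than whatever route figures 3 and 4 show) are assumptions.

```python
DRIVE_CDROM_BIT = 0x20     # NoDriveTypeAutoRun bit that covers CD-ROM drives
XP_DEFAULT_POLICY = 0x91   # assumption: stock Windows XP value, CD-ROM bit clear

# Constructed sample, not taken from a real disc; program names are hypothetical.
SAMPLE_INF = """\
; comment line
[AutoRun]
OPEN = installer.exe /quiet
icon=disc.ico
shell\\play\\command=player.exe
"""

def autorun_commands(inf_text):
    """Return (key, command) pairs in [autorun] that name a program to run."""
    commands, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section and key names are matched case-insensitively.
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        runs = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if runs and value:
            commands.append((key, value))
    return commands

def launched_on_insert(inf_text, no_drive_type_autorun=XP_DEFAULT_POLICY):
    """Commands started without a click when the disc is inserted."""
    if no_drive_type_autorun & DRIVE_CDROM_BIT:
        return []  # autorun is disabled for CD-ROM drives
    # shell\...\command entries only add context-menu verbs; they need a click.
    return [cmd for key, cmd in autorun_commands(inf_text)
            if key in ("open", "shellexecute")]

if __name__ == "__main__":
    print("default policy:", launched_on_insert(SAMPLE_INF))
    print("autorun disabled:", launched_on_insert(SAMPLE_INF, 0xFF))
```

Holding Shift during insertion has the same effect as the disabled policy, but only for that one insertion.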

Alternative Operating Systems

Finally, a person can avoid the DRM software by using an operating system other than Windows. There are two reasons that other operating systems can avoid XCP and MediaMax DRM software.

Nearly all non-Windows operating systems do not have autorun as a feature. Neither Linux nor MacOS will use the autorun.inf found on XCP and MediaMax CDs. In the case of Mac, the program must manually be installed.

The second reason is that there are not versions of XCP or MediaMax for other operating systems. While there are versions for Mac computers, there are no versions of XCP or MediaMax that work with any Linux operating systems. In this case, no Linux user need ever worry about having XCP or MediaMax affecting their computers. [2]

Vulnerabilities

Both XCP and MediaMax DRM systems introduce vulnerabilities to a user’s computer once installed. In both cases this raises the ethical question of harm to a user’s computer. XCP and MediaMax each introduce their own separate security vulnerabilities. If a user happens to insert different CDs, one protected by XCP and one protected by MediaMax, they are hit twice with different vulnerabilities.

XCP Vulnerabilities

XCP is installed and runs invisibly. It is undetected by both virus and spyware-detecting software. It hides itself and its processes by replacing system files and using these replaced files to hide anything and everything on a computer whose name starts with $sys$. This includes files, directories, even processes.

This introduces a major susceptibility to viruses and spyware abuse. While it doesn’t make it any easier for these malicious programs to be installed, it provides a masking ability to hide from antivirus and antispyware programs. Not only will XCP hide itself using the $sys$ prefix, it will hide anything on a system with a name starting with $sys$. [2]
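
Because the cloak hides names from the normal system view, it shows up when that view is compared against a listing taken without the cloak active. The following added example (not from the paper) diffs two such listings and recovers the shared name prefix. Both listings are constructed, the $sys$ file names are hypothetical, and how the trusted listing is obtained (for instance from the disk mounted on another machine) is an assumption.

```python
import ntpath
import os

# Constructed listings; the $sys$ file names are hypothetical.
API_VIEW = [        # what a directory listing on the running system returns
    r"c:\windows\system32\notepad.exe",
    r"C:\WINDOWS\system32\drivers\atapi.sys",
]
TRUSTED_VIEW = [    # the same volume listed without the cloak active
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\$sys$demo",
    r"C:\WINDOWS\system32\drivers\$sys$demo.sys",
    r"C:\Temp\$SYS$unrelated.exe",   # not part of the DRM, hidden anyway
]

def _norm(path):
    # Windows paths compare case-insensitively; normalise separators as well.
    return ntpath.normcase(ntpath.normpath(path))

def hidden_entries(api_view, trusted_view):
    """Paths the trusted listing has but the running system does not report."""
    visible = {_norm(p) for p in api_view}
    return sorted(p for p in trusted_view if _norm(p) not in visible)

def cloak_prefix(hidden, min_len=3):
    """Name prefix shared by every hidden entry, or None if there is none."""
    names = [ntpath.basename(_norm(p)) for p in hidden]
    if len(names) < 2:
        return None
    prefix = os.path.commonprefix(names)
    return prefix if len(prefix) >= min_len else None

if __name__ == "__main__":
    hidden = hidden_entries(API_VIEW, TRUSTED_VIEW)
    print("hidden:", hidden)
    print("shared prefix:", cloak_prefix(hidden))
```

The third hidden path is the point of the paragraph above: a file unrelated to the DRM is concealed purely because of its name. The example covers file paths only, not processes.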

MediaMax Vulnerabilities

MediaMax’s vulnerabilities stem from the fact that it runs any time a CD is inserted and that it sets permissions so that any user can modify its code. This means that any software, or even any person, can place malicious code in MediaMax’s files and folders, and the MediaMax software will run that malicious code the next time a MediaMax CD is inserted into the computer. [3]

Even the patch to rectify this problem initiated the attack code installed in the MediaMax directories. [3]
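
One way to audit for the permission problem described above, as an added example (not from the paper or from any vendor tool): parse a folder's security descriptor in SDDL text form and flag allow entries that give write access to groups covering every user. The SDDL strings are constructed samples; the assumption is that the descriptor was exported from the program's install folder, for example with PowerShell's `(Get-Acl <path>).Sddl`.

```python
import re

# SDDL SID aliases that cover every local account.
BROAD = {"WD": "Everyone", "BU": "BUILTIN\\Users", "AU": "Authenticated Users"}
# Two-letter SDDL rights and their access-mask values; other codes are ignored.
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
          "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
          "GX": 0x20000000, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "DC": 0x2, "LC": 0x4}
# FILE_WRITE_DATA | FILE_APPEND_DATA | WRITE_DAC | WRITE_OWNER
# | GENERIC_WRITE | GENERIC_ALL
WRITE_MASK = 0x2 | 0x4 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

# Constructed samples: a folder any user can modify, and a locked-down one.
WEAK_SDDL = "O:BAG:SYD:(A;OICI;FA;;;WD)(A;OICI;FA;;;BA)"
HARDENED_SDDL = ("O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
                 "(A;OICI;0x1200a9;;;BU)")

def access_mask(rights):
    """Convert an SDDL rights field (hex or two-letter codes) to a bitmask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)
    return mask

def broad_write_aces(sddl):
    """Return (principal, mask) for allow ACEs that let broad groups write."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        if ace_type != "A" or sid not in BROAD:
            continue  # deny ACEs and specific accounts are out of scope here
        mask = access_mask(rights)
        if mask & WRITE_MASK:
            findings.append((BROAD[sid], hex(mask)))
    return findings

if __name__ == "__main__":
    print("weak:", broad_write_aces(WEAK_SDDL))
    print("hardened:", broad_write_aces(HARDENED_SDDL))
```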

Spyware-like Activities

Another area of ethical concern with XCP and MediaMax is their spyware-like activities. Contrary to what the vendors said, both XCP and MediaMax report user activities and statistics to either Sony-BMG or to the vendors themselves. Both XCP and MediaMax also retrieve images or ads from remote servers and display them to users. The information retrieved from XCP and MediaMax could contain IP addresses, the dates and times that the CDs were used, and even the author and title of the album listened to. [2]

Software Engineering Code of Ethics

The following is the short version of the code of ethics from the ACM/IEEE-CS Joint Task Force on Software Engineering Ethics and Professional Practices: [1]

Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:

  1. PUBLIC - Software engineers shall act consistently with the public interest.
  2. CLIENT AND EMPLOYER - Software engineers shall act in a manner that is in the best interests of their client and employer and consistent with the public interest.
  3. PRODUCT - Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
  4. JUDGMENT - Software engineers shall maintain integrity and independence in their professional judgment.
  5. MANAGEMENT - Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
  6. PROFESSION - Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
  7. COLLEAGUES - Software engineers shall be fair to and supportive of their colleagues.
  8. SELF - Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.

Ethical Issues

There were several ethical issues the author found with what Sony-BMG and their DRM vendors did that conflict with the Software Engineering Code of Ethics.

Installing software without explicit user permission should never be done. It is the user’s computer, and should not be altered without permission.

Users were left vulnerable to malware such as spyware or viruses that they either would not have been vulnerable to before, or would have been able to detect and remove with relative ease.

Even after uninstalling the software, users were in many cases still left open to vulnerabilities. In the case of MediaMax, the patch to fix the vulnerabilities activated malicious code taking advantage of the vulnerabilities.

Spyware tactics were used. If a program has to be automatically installed and hidden from a user so that they won’t remove it because they won’t want it running on their system, there may be a problem with the software installed.

The DRM software installed limits fair use of the material purchased on the CDs. While there are no explicit and predefined laws for what is fair use, there are general guidelines and none of them limit the number of copies one can make, so long as the use of those copies fits within what is allowed in the guidelines. [5] If one wanted to make 10 copies of a CD for their own backup, so long as they didn’t sell or give it to other people, there should be nothing stopping him or her from doing so.

Lawsuit

Class Action Lawsuit

A class action lawsuit was brought against Sony-BMG by the Electronic Frontier Foundation (EFF). The lawsuit made several demands that Sony would need to address if found guilty.

  1. Stop production of CDs with the bad DRM.
  2. Replace the DRM’d versions of CDs to those who bought them.
  3. Do step 2 quickly.
  4. In the cases of XCP, users were to also get money.
  5. Sony needed to ensure independent security testing pre-launch of any future DRM software.
  6. Agree to quickly respond in the future to any security flaws discovered in DRM released on Sony-BMG CDs.

[4]