The Sony BMG Rootkit Fiasco

When Mark Russinovich posted "Sony, Rootkits and Digital Rights Management Gone Too Far," he helped trigger a firestorm of subsequent criticism about Sony BMG Music Entertainment’s use of First4Internet’s digital rights protection software on some of its music CDs. It was bad enough that one of the planet’s largest entertainment companies was perceived as hacking users’ computers with "rootkits" in the name of copy protection, but then the EFF posted an analysis of the license agreement associated with the CDs (see "Now the Legalese Rootkit: Sony-BMG’s EULA"). Things got worse when real hackers started exploiting the DRM software (see "First Trojan Using Sony DRM Spotted"). Then the question posed by the EFF’s "Are You Infected by Sony-BMG’s Rootkit?" posting became a bit more urgent. And the lawsuits started (see "Sony Sued For Rootkit Copy Protection"). Sony BMG suspended production (see "Sony Halts Production of ‘Rootkit’ CDs"), but said it would continue using DRM software from SunnComm (see "Sony Shipping Spyware from SunnComm, Too"). Among others, Microsoft said it would try to eradicate the hard-to-kill DRM software (see "Microsoft Will Wipe Sony’s ‘Rootkit’").

What would drive Sony BMG to such a course of action? Blame that slippery new genie, digital media, which seems to want information to not only be free, but infinitely mutable into new works as well. Once it’s granted a few wishes, it’s hard to get it back in the bottle, and the one wish it won’t grant is that the bottle had never been opened in the first place.

Faced with rampant file sharing that starts with ripped CDs, music companies now want to nip the rip in the bud: put DRM software on customers’ PCs that will control how they use a CD’s digital tracks. Of course, it would be better from their perspective if such controls were built into the operating system, but, if not, a little deep digital surgery can add the lacking functionality.

The potential result for consumers is multiple DRM modifications to their PCs that may conflict with each other, open security holes, deny legitimate use, and have other negative side effects.

In the hullabaloo over the technical aspects of the Sony BMG DRM fiasco, it’s important not to lose sight of this: your CD is now licensed. First sale rights are gone, fair use is gone, and the license reigns supreme.

Pity the poor music librarians, who were already struggling to figure out how to deal with digital audio reserves. Between DRM-protected tracks from services such as iTunes and DRM-protected CDs that modify their PCs, they "live in interesting times."

While the Sony BMG fiasco has certain serio-comic aspects to it, rest assured that music (and other entertainment) companies will eventually iron out the most obvious kinks in the context of operating systems that are designed for intrinsic DRM support and, after some bumps in the road, a new era of DRM-protected digital multimedia will dawn.

That is, it will dawn unless musicians, other digital media creators, and consumers do something about it first.

5 thoughts on “The Sony BMG Rootkit Fiasco”

  1. Although there’s much I don’t understand, you’ve helped a lot. I’ve linked to this rather than try to explain. Read Sony’s apology from yesterday.

  2. At least two class action lawsuits have been filed on behalf of Sony BMG Music Entertainment customers who were infected with the First 4 Internet Rootkit. Users who were infected do not have to wait for a class action to make its way through the courts; they can sue on their own in Small Claims Court.

    For more information about the Sony BMG lawsuits, and about filing a lawsuit in your local Small Claims Court, visit

  3. $ony has destroyed any trust I had for their product. I am not overreacting, either. I tried to play the Santana “All that I am” album on my PC while working on a project for work, and the autorun feature came up. I don’t install things on my machine until I am sure of them, so I opted for “Do not Install” and went about my business.
    I have since discovered that a program is instantiating every time I boot and is sending information to $ony. However, I did not elect to install the software and have banished the CD to the car CD player. Why does $ony want to collect data on my computer usage AFTER I elected NOT to install their software or use their CD on my computer? And, after I read information that stated that no data gets transmitted anywhere?
    Why did they lie to me?
    Now I get to spend countless hours blasting my hard drive back to the stone age and then reinstall all of my software and recover my data. Will $ony pay me for my time? Or are they too concerned with their profit$ to give a crap about their customers?
    They will never sell me anything again, not BMG, Arista or any electronics. If it is only made by $ony, I can live without it.
    If there is a class action suit going in VA, count me in.

  4. The story continues in this excerpt from my review of a recent Sony BMG rootkit overview article, which follows (from Current Cites 16, no. 11 (2005)).

    Geist, Michael. "Sony’s Long-Term Rootkit CD Woes" BBC News (21 November 2005). In this article, Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, overviews the Sony BMG “rootkit” fiasco. . . . The IT industry ramped up efforts to eradicate the rootkit (e.g., see "Microsoft Will Wipe Sony’s ‘Rootkit’"), and Sony BMG offered a First4Internet uninstaller. Unfortunately, the Sony BMG uninstaller created new security holes (see "Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs"). And the uninstaller for the SunnComm MediaMax DRM system also opened security holes (see "Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole"). To top it off, Sony BMG’s rootkit may be violating some copyrights (see "Does Sony’s Copy Protection Infringe Copyrights?"), and Sony BMG may have known about security issues in advance of the Russinovich disclosure (see "Sony BMG’s Costly Silence"). Believe it or not, there’s more to the story. Geist’s recap is the best I’ve seen so far. . . . (If you want to see if you have bought a rootkit CD, check out the Sony BMG list.)

  5. Dear Charles,

    Let’s be fair. Users cannot expect to get music for free online for the rest of eternity. As a lawyer and composer/producer myself, I can assure you that it takes a lot of money and effort to produce a serious album. Every sensible person knows this. And we do not steal the money or get the equipment and services for free. Composers and producers are not slaves, but even slaves were at least fed and lodged by their masters. Emerson’s law of compensation thus dictates that the fools who, today, insist on getting away with theft will, tomorrow, have to pay a price in one way or another. If composers and producers are over-exploited, society will have to pay a price, just as it does when any other aspect of nature is abused (e.g., rainforests, fisheries, etc.). What that price will be is presently unknown. DRM, and the laws governing it, should strive for an equitable technical and legal balance between the rights of composers/producers and users. Justice for all, n’est-ce pas?

    Best regards,

    Michael A. Iacono, B.A., B.C.L., LL.M.
