In part two of a two-part rant, Jim Cofer discusses the Sony DRM fiasco and its long-term implications for DRM within the music industry in general. Hopefully, this article will be far more coherent than part one, which was just some assorted rambling.
Karma’s a bitch, ain’t it? It seems the bad news just won’t stop for Sony Music these days – and given their almost maniacal hatred and distrust of their own customers, it’s not hard to see why karma’s so busy dumping on them lately. Just about every website on the planet – including this one; see my news for 11/01 – covered the initial news about the “rootkit” that Sony included on 20-50 audio CDs for sale in the United States. Here’s a brief recap in case you missed some of the finer points of the story:
- On Halloween, Mark Russinovich – one of the most skilled Windows users in the entire world – posted a story about the rootkit on his blog. Rootkits are essentially a cloaking technology that allows someone to silently install a program on your system. The files installed by the rootkit will be completely invisible to the user, his or her administrator… and even to Windows itself! Almost like a wiretap, a rootkit intercepts certain native Windows API calls (stuff deep within the Windows operating system; think of it as Windows’ “nervous system”) and forwards the calls on as if nothing unusual is installed. Unless (of course) that API call is something the rootkit creator wants to prevent Windows from doing. In this particular case, the rootkit is there to prevent people from playing the CD via any other player except the restricted one included on the audio CD. What makes the Sony case so despicable is that their rootkit (and related copy prevention software) offers no uninstall routine, can easily destroy your Windows installation if tampered with, and appears to be a badly written piece of junk cobbled together from many different technologies. But perhaps the worst thing about the rootkit is that it leaves an infected Windows computer wide open to future exploits; this is because any file subsequently copied to your system’s hard drive prefixed with “$sys$” in the file name will now be hidden on the user’s system. All an enterprising virus writer has to do is name his virus $sys$virus.exe and the file will be invisible to the user, Windows and the user’s antivirus software!
- Many news outlets picked up on the story in the following days. In response to the bad press, Sony at first admits nothing, then implements a hideously complex uninstall procedure. Well, sort of. At first, Sony’s “uninstaller” simply removes the cloaking… but does nothing to remove the actual dangerous files themselves. And rather than doing the right thing and putting the information front and center on their website, Sony buries it in the FAQ. A user wanting to uninstall the program has to track down the FAQ in question, which leads to a form one must fill out so that the uninstall information can be emailed to them (and of course, you have to give your email address to Sony in the process). The email contained yet another link to the patch – which is a 3.5MB file that apparently does nothing other than run the following command: net stop "network control manager". In other words, no files are deleted and nothing is “patched” – the cloaking service is simply stopped. Russinovich also discovers at this time that the Sony CD player “phones home” each and every time the user plays a CD – something Sony vehemently denies.
- On November 4th, the president of Sony BMG’s global digital business division Thomas Hesse pissed off millions of computer users, displayed the total moral bankruptcy of the Big Music cartel and revealed the utter disdain the music industry holds for its customers by saying the following in an interview for NPR News: “Most people, I think, don’t even know what a rootkit is, so why should they care about it?”
- On November 9th, Sony issued an actual patch for the rootkit. Again, the uninstall information is buried in Sony’s site and again the affected user has to jump through hoops to uninstall the offending software. The new patch is pretty interesting: the user once again has to fill out a form and wait for a link to arrive via email. Once the user clicks on the email link, he or she is prompted to download an ActiveX control. Why an ActiveX control instead of the more common executable file? Because the uninstaller creates a hash – a numerical pattern based on the hardware in your system. Mark Russinovich determined that each email is individually tailored for each infected system, so that if the user sends the email from one system and tries to run the uninstaller on another… the patch won’t work. This is additional “phone home” behavior, which Sony is still denying at this point.
- Some time around November 12th, the first viruses taking advantage of the $sys$ exploit appear. An estimated 500,000 computers are “infected” with the rootkit, easily making this the largest computer infection of all time. And it could have been far worse: makers of antivirus and antispyware programs dilly-dallied for a couple of weeks before deciding that the rootkit was, indeed, bad and including it in their updated definitions. Also around this time, Sony announced that they will stop selling the infected discs.
- On or around November 16th, Sony announced that it would cease production of the rootkit CDs permanently, recall any infected CDs remaining in stores, and send any affected customers “rootkit-free” replacement CDs. Even though Sony is offering free DRM-free MP3 downloads of the albums to affected customers waiting for their replacement CDs, the general consensus amongst the geek set is “too little too late”.
- On this past Friday, some delicious news appeared: it’s almost certain that First4Internet – the UK company that created the copy protection system on the rootkit CDs – used large portions of the open-source LAME encoder in their software. LAME is released under the Limited General Public License (LGPL) – and the terms of the LAME license mean that any software author that uses any of the GPL code in his or her project must publish their code publicly. Which means that – check your Irony Meters, folks – First4Internet (and, by extension, Sony) might be guilty of copyright infringement in their crusade to stamp out… copyright infringement! Delicious!
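The security problem from the first item in the recap is that cloaking keyed on a file-name prefix hides any file carrying that prefix, whoever put it there. The sketch below is an added example, not code from Sony, First4Internet or Mark Russinovich: the file names are constructed, and `cloaked_view` is a simplified stand-in for the API interception described above. It also shows the defensive check, which is to compare what is on disk with what the API reports and flag anything missing.

```python
CLOAK_PREFIX = "$sys$"  # the prefix named in the article

# Constructed sample of what is physically on disk (not from a real system).
RAW_LISTING = [
    "notes.txt",
    "$sys$player.sys",    # stands in for a file shipped with the DRM software
    "setup.exe",
    "$sys$example.exe",   # stands in for a file copied later by a third party
]


def cloaked_view(entries, prefix=CLOAK_PREFIX):
    """Model of the filtered listing an application gets while cloaking is on.

    Assumption: the filter looks only at the name prefix, as the article says.
    """
    return [name for name in entries if not name.startswith(prefix)]


def cross_view_diff(raw, api):
    """Return names present in the raw listing but absent from the API view."""
    reported = {name.lower() for name in api}  # Windows names ignore case
    return [name for name in raw if name.lower() not in reported]


def audit(raw, api, prefix=CLOAK_PREFIX):
    """Classify each hidden name by whether the known prefix explains it."""
    hidden = cross_view_diff(raw, api)
    return {
        "hidden": hidden,
        "matches_prefix": [n for n in hidden if n.startswith(prefix)],
        "unexplained": [n for n in hidden if not n.startswith(prefix)],
    }


if __name__ == "__main__":
    api_listing = cloaked_view(RAW_LISTING)
    print("A scanner enumerating through the API sees:", api_listing)
    print("Cross-view audit:", audit(RAW_LISTING, api_listing))
```

A scanner that enumerates files through the filtered API never gets to inspect either `$sys$` entry, and the filter cannot tell the vendor's file from the third party's.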
So… what does this all mean? It’s hard to say exactly, but one thing is clear: digital rights management (DRM) simply doesn’t work. People have been ripping CDs to their hard drives for almost a decade now – an eternity in IT years – but Big Music still hasn’t come up with an effective way to protect their precious, precious content. They want to be able to dictate whether or not you can copy music to your iPod or other device. They want to be able to dictate whether or not you can make your own mix CDs. And they want you to pay more money every time you use an iPod or make your own CD. But yet in a decade – the amount of time it took us to go from Windows 95 to Windows XP and from standard definition TV to high definition TV – Big Music still hasn’t figured out an effective way to control their content.
Given Sony’s latest debacle, Big Music’s greatest fear is that they’ll never be able to implement a DRM scheme. And rightly so. But one has to wonder what Sony’s balance sheet will look like after the dust from this scandal has settled. First, Sony will have to eat the cost of recalling 4.7 million CDs from stores and 2.1 million CDs from consumers. That’s almost 7 million CDs that will take up space in a landfill, all because Sony decided to take its marketing cues from its legal department instead of people that know music. Secondly, there are several class action suits forming in the US and elsewhere (like Italy) because of this boneheaded move, and that’s not even mentioning the legal actions that several state attorneys general are considering now. Thirdly, one has to consider the cost of the negative publicity Sony now faces. I don’t think that consumers will stop buying CDs from their favorite artists just because they’re on one of Sony’s many labels, but you can certainly bet that many tech-savvy folks will seriously consider buying the disc from iTunes or just downloading it from a BitTorrent or P2P site rather than get a virus by doing the “right thing” and buying the actual CD from a store. And honestly, who can blame them? When one can get a virus by putting an official music CD into their computer, who can honestly blame them for taking their chances elsewhere? I’ve never gotten a virus from any music I downloaded, which is more than I can say about Sony CDs.
In the end, one has to wonder if it was all worth it for Sony. How much money could they possibly “lose” from piracy to justify the recall, the lawsuits, the lost sales and the bad press? Surely they couldn’t have lost that much money. But even if they end up claiming that they did, in fact, lose more money to piracy off those 20-50 CD titles than they lost from this fiasco, I’m not sure that I’ll believe them. Simple macroeconomic theory says that, if given an ultimatum of paying for something they used to get for free, a huge chunk of people will simply do without. And that should trouble Big Music even more than piracy itself. What if Sony came up with the perfect DRM system? What if they came up with CDs that couldn’t be copied? Personally, I’d just stop listening to Shakira. My life won’t be any less rich for it, I suppose. And Big Music would lose its favorite scapegoat. Like a Third-World dictator always blaming America for his own country’s economic woes, Big Music would no longer be able to hide behind the spectre of “piracy” any time one of their albums tanks.
Another thing I learned in macroeconomics is that black markets exist for a reason. At the end of the day, most people want to do the right thing. But if people are buying your product from the back stalls at flea markets or doing the digital equivalent by using a P2P network, one of two things must be happening. Either your product is in short supply, or it’s priced too high. I don’t think anyone will say that music is in short supply, so that means that music is simply too expensive. But rather than adapt to and embrace the Internet, Big Music sees it as its sworn enemy. Part of this is because selling music online means selling individual tracks instead of albums. And trust me, Big Music is far happier selling 2 million Britney Spears CDs at $12.99 (almost $26 million) than selling 5 million digital copies of the one good track on the album for $4.9 million. But guess what? People are sick of doing this. Customers want to be able to spend 99¢ for that one good song precisely because they’re sick of paying $12.99 for the same thing.
But Big Music’s fear of the Internet goes even deeper than just dollars and cents. It’s afraid of the Internet and has stuck its head in the sand for years when it comes to digital distribution. That’s something which it can continue to do if it wants to, but that will be at its own peril.
UPDATE: Yep, I knew it would happen. Texas is officially the first state to sue Sony over the XCP discs, according to court papers filed on Monday November 21st.
UPDATE: It looks like the EFF is now suing Sony! They are not only suing Sony for the XCP debacle, but are also targeting SunnComm MediaMax, another type of DRM that Sony has used on 20 million compact discs. According to the EFF, MediaMax “installs files on the users’ computers even if they click ‘no’ on the EULA, and it does not include a way to fully uninstall the program”. MediaMax also “transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits – even though the EULA states that the software will not be used to collect personal information and SunnComm’s website says ‘no information is ever collected about you or your computer’”. The EFF also says that users had to provide multiple requests for an uninstaller “but they first had to provide more personally identifying information”. The EFF also determined that “SunnComm’s uninstaller creates significant security risks for users, as the XCP uninstaller did.” Sony is so busted!
UPDATE: Kudos to Amazon.com for doing the right thing and offering refunds or replacements to anyone that purchased a Sony XCP CD from the online giant. This refund is as “no questions asked” as they come – purchasers get a refund or replacement whether the disc has been opened or not and Amazon has also waived the 30-day limit on refunds for these discs. Amazon is doing this solely on its own and has no agreement with Sony to return the crippled discs to the manufacturer.
UPDATE: Plain ol’ Scotch tape placed on the outer edge of these discs can apparently defeat the XCP protection entirely. More proof – as if we needed any – that DRM CDs simply do not work.
UPDATE: As you might know, Sony didn’t write (or, more accurately, steal) the software published on their CDs. That was done by a British company called First4Internet. However, because Sony distributed the software they are also open to liability… due to the standard the US Supreme Court set earlier this year in… (are you sitting down?) MGM Studios Inc. v. Grokster, Ltd. My God, people – it’s as if Sony has started a chain of events that have caused the very fabric of spacetime to rip! Irony is piling on top of irony piling on top of irony on top of yet another irony… until the spacetime itself warps and takes us back to 1980 where there aren’t any CDs. And not only has this story hit the mainstream media, it’s even hit the comics too!