November 07, 2005
Is Sony's DRM Spyware?
By Eric Goldman
Sony's DRM software has generated lots of discussion and new information since my last post on the subject. The discussion (especially the many great comments I got in response to my previous post) has prompted me to change some of my thoughts, in particular my statement that the DRM software isn’t spyware.
1) Sony's technological implementation of DRM exhibited some ineptitude, but Sony is being held to a rigorous standard because of DRM
ZDNet called Sony’s DRM “ineptware”: software that doesn’t have a malicious intent but nevertheless can have a pernicious effect. For example, the software may make a computer unstable or slow. And the unnecessarily intrusive use of a rootkit “smokescreen” allows bad actors to hide behind the smokescreen.
However, Sony (and its upstream vendor First4Internet) has hardly cornered the market on inept software designs that lead to undesirable outcomes. There are plenty of brain-dead software implementations out there. Why beat up on Sony?
I continue to believe that the underlying problem is DRM. Many technologists and consumer advocates harbor a deep animus towards DRM, so Sony's technology failings are being held to a heightened standard.
I understand why there's so much antipathy towards DRM, but I don't think we should overreact to Sony's failings. In particular, sloppy software design isn't "spyware" or "malware," or else those terms become far too overinclusive and thus meaningless.
2) Most of Sony's failures to disclose are probably legally inconsequential, but the implied affirmative representation that the software could be uninstalled may be problematic
In my previous post, I said that Sony's EULA adequately obtained consent to install its software. I still stand by that statement, for the most part, but the issue is more nuanced than my statement might indicate. Specifically, there are 2 separate disclosure issues, Sony’s affirmative disclosures and Sony’s failure to disclose, and they should be addressed separately.
Except for the “phone-home” aspect (discussed below), I’m not particularly troubled by Sony’s failures to disclose the details of its software. In general, vendors aren’t obligated to make every affirmative disclosure that every consumer might find interesting. In this situation, I think many disclosures desired by the technologists aren’t legally compelled or expected. Sony and its vendor have made dozens or hundreds of design choices to implement the software. Consumers don’t need to know those choices, would not change their behavior if the choices were disclosed affirmatively, and would be overwhelmed by complete disclosure.
In contrast, I’ve become less comfortable with Sony’s disclosures regarding the difficulties uninstalling its software. The difference is that Sony made some affirmative statements that implied the software could be uninstalled. If Sony created the false impression that the software could be uninstalled when it couldn't (or could be uninstalled only by breaking the OS), then Sony may have created some problems for itself.
3) If Sony's DRM software reports information back to a central server, this looks like spyware and could be legally problematic
Of the various problems with Sony’s technological implementation, I am most troubled by the allegations that Sony's software "phones home"; i.e., reports some information about each user back to a central server, including the combination of an IP address and a record of each album the user plays.
In my previous post, I said that Sony’s software wasn’t spyware. However, if the software is reporting back information about each user’s behavior, and that reporting back feature wasn't disclosed, then I agree with Suzi that surreptitious and undisclosed monitoring and reporting back of user activity sounds like spyware.
Further, if the reports are true, the software’s behavior could be a prima facie violation of the Computer Fraud & Abuse Act (18 USC 1030(a)(2)), which applies to an actor who:
"intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains...information from any protected computer…"
Every computer connected to the Internet is a protected computer. The software allegedly obtains information (at minimum, the album being played). The phone-home “feature” may exceed the authorization given by the user; I don't think that mere consent to installing the software acts as consent to the reporting back of information. If the reports are true, I don’t envy the position of Sony’s defense counsel.
UPDATE: Declan reports that the class action lawyers are circling.
UPDATE 2: Several anti-spyware software vendors have classified Sony's software as spyware.
"continue to believe that the underlying problem is DRM. Many technologists and consumer advocates harbor a deep animus towards DRM, so Sony's technology failings are being held to a heightened standard."
This isn't the first time you've expressed this sentiment and initially I was inclined to agree. It's certainly not something that can be dismissed out of hand since many technologists, myself included, are very fond of DRM. However, I think that it's at best a secondary issue. Most of the discussion I've seen has barely mentioned the DRM and hasn't touched on any of the usual hot button issues associated with the DRM controversy. If you want to understand the anger coming out of the technology community over this, I think you need to focus on the rootkit (and the inability to remove software that had proven itself harmful to the system).
The following link (which I expect you are aware of) describes the initial discovery of the rootkit.
Note that a substantial amount of effort was expended before it was discovered that it had any relationship to the DRM software and that the DRM aspects are hardly touched upon (and the author, in fact, expresses an ambivalent rather than openly hostile view). Up to this point, rootkits were not considered to have any legitimate purpose (and one might say that that view hasn't changed). What makes this worthy of note is not that it's DRM software, but rather that the rootkit was installed as part of an otherwise legitimate software package by a company with (at least until now) a good reputation. I'll touch upon the implications of that in a moment.
The core issue here is a user's control over their computer. Technologists, legitimately or not, are loath to give up any control. A functioning rootkit makes it impossible for a user to have total control over his system. Diagnostics both manual and automatic, virus scanners and other security utilities, and any number of other forms of computer maintenance rely on the system faithfully reporting its configuration. This is precisely what the rootkit is designed to prevent.
Another post from the same blog as above. I want to highlight a particular section:
"Besides demonstrating the ineptitude of the First 4 Internet programmers, this flaw highlights my message that rootkits create reliability risks in addition to security risks. Because the software package that installed the rootkit is hidden when Windows is running (in this case Sony’s DRM software), and even if exposed not clearly identified, if an application triggers one of Aries.sys’s bugs a user would have no way of associating the driver responsible for the resulting crash with any software package they have installed on their system. The user would therefore be unable to conclusively diagnose the cause of the crash, check to see if they have the most recent version of the driver or of uninstalling the driver."
The problem here is not the result of a bug or sloppy coding but is inherent in the functioning of the software as designed. The only way to properly diagnose a system with a rootkit installed is to first disable the rootkit. This is something that the people developing the software obviously are going to be working to prevent since otherwise the rootkit isn't going to be of any use to them.
I think the other major issue that is causing concern is the question "how can I as a user prevent rootkits from getting on my system?". Because while I would be reluctant to install the DRM package, I might be convinced in some circumstances. The rootkit, however, is a deal breaker. And the trouble is, absent a useful disclosure, there isn't any way to avoid it (nor is it easy, by design, to determine if one has been installed).
From the first article:
"Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug."
I think this is the crux of the matter. Up until this point the main way to avoid malicious software (and a rootkit qualifies, if not legally, in the eyes of the technology community) was to deal only with trusted sources. There are few realistic alternatives besides trusted sources to managing computer security. If the EULA is considered sufficient disclosure for what was installed then I am left with the conclusion that I must, for the security of my computer, assume that any DRM scheme will install software designed to compromise my system unless I am given specific notice to the contrary. And I must look very carefully at any software that is likely to include such software and ask myself very carefully if I can live without it. That is a very troubling notion to deal with and it has very little to do with the politics of DRM.
Posted by: Kevin Sours at November 7, 2005 09:12 PM
Kevin, you make a lot of good points. However, I wonder--how many other "legitimate" software programs install rootkits, and what would be the response if those other programs involved something other than DRM? Or, if Sony installed DRM software that had all of the same consequences as this install but without using a rootkit--would the objections be the same?
I think it's a complex but potent combination of concerns driving the gripes against Sony--frustration with EULAs, users' lack of meaningful power to control their desktops, sloppy and intrusive software design and a DRM kicker. But given that all of the foregoing elements (other than DRM) are ubiquitous, I'm pointing the finger at DRM as the differentiator.
Thanks for the thoughtful and detailed comments. Eric.
Posted by: Eric Goldman at November 7, 2005 09:47 PM
I can understand where you are coming from. I also believe that you need to read the following article:
After installing a lot of other software packages I have not found any others that install root kits, other than malicious software, or software that has been modified with either a Trojan or with the rootkit in the exe file. I happen to be a desk side IT guy and studying to get my BS in information security. To be honest these types of illegal operations really scare the crap out of me. The biggest concern as posted in the article by Mark Russinovich for me is that I will have one of my users have this software install and then have problems which will cause them to lose productivity. After doing some more research on this, and with the help of a couple of friends, I have found that after installing the "legal" rootkit other software packages or malware software can be installed and hidden by this rootkit. I have read a post for World of Warcraft that basically had players writing how they could use this software to get around different security software packages in place to stop people from cheating. Here is the link that I read the information from:
One of my biggest concerns is that someone will use this software and then incorporate a virus or worm with it and now you have a completely silent killer/spy agent out there that no one knows about. There could be trillions of dollars worth of data stolen and/or people's lives compromised because of this. I think that Sony isn't just negligent. I believe that because they are the ones distributing a rootkit that they have full liability and need to be held accountable for sending out a software that is not only considered spyware by Kaspersky, an anti-virus software manufacturer, but as per the ZDNET article can cause damage to the system. Since this software does require either an expert in Windows, and to a point in CD writing/functionality that it should be considered a virus or some kind of malware. I believe that we need to send a definite message to large companies like Sony that they are not above the law when it comes to situations like this, even in an EULA.
Posted by: Jeff Aplegate at November 8, 2005 10:47 AM
Okay, I'm an applications developer, not an internals or security guy, so my knowledge is not comprehensive. However, I don't believe that there have been any previous legitimate software installs to incorporate a rootkit. My understanding is that detection of a rootkit is taken as evidence that the system has been compromised. I think that the outcry we've seen is inevitable regardless of what kind of software is being concealed (though I won't go so far as to claim that the fact that it is DRM doesn't make it a bit louder).
Posted by: Kevin Sours at November 8, 2005 04:41 PM
The problem with the Sony software is not that it had DRM, but that it was a rootkit. A rootkit takes over an OS's functions in such a way that it hides the attacker's tracks. It is commonly used after a break-in on a server, to hide the fact that the break-in occurred.
So Sony's DRM was not a normal application, which installs with the user's permission, does what it says, and is uninstallable.
They lied about what it was doing, altered Windows in a dangerous way, and also send information back whenever their CDs are played.
In my way of thinking, that is clearly computer trespass, and illegal. Some call it spyware, but it goes way beyond spyware, it is an attack on the consumer's computer, plain and simple.
So your comments justifying this leave me wondering how much you know about computer security?
Posted by: anonymous at November 9, 2005 05:15 PM
Just wanted to add a couple points to the discussion:
A rootkit is a piece of software that alters core OS functions in order to hide files, running programs and registry keys. There are a few examples of legitimate software, like anti-virus programs (to protect themselves against viruses that try to disable antivirus protection) and virtual CD drives that employ some rootkit-like techniques. But before Sony XCP DRM, I have never seen any 'legitimate' software that contains a full-blown rootkit.
Unlike regular application software, where a bug will only terminate the application, a rootkit alters the core OS. Any bug in a rootkit can cause the dreaded blue screen of death. Unfortunately, XCP is buggy. If you had done a google for 'aries.sys' (the rootkit part of XCP) before the media storm, you would have found a lot of forum posts by people complaining about bluescreens and trying to figure out where it came from. It seems XP Media Center is particularly prone to crashes caused by aries.sys, and the situation for the latest beta of the next version of Windows - Vista - is even worse. "breaks Vista spectacularly", was the comment from F-Secure, an anti-virus company.
Combine this with a less than up-front EULA, Sony officially claiming that there is no problem, the fact that detective work was needed to discover where the software came from, the contorted process required to get the uninstall tool, and the fact that XCP is more about putting pressure on Apple in a business dispute than about stopping illegal copying...
Oh, and no mention in the software itself or any accompanying help-files on how to contact Sony in order to uninstall XCP. That information was given to journalists in a press release, but is not included on the music CDs.
*That* is why Mark and others are blowing a gasket. Not because of DRM. He is still updating his blog with more information, btw. http://www.sysinternals.com/blog/
Yeah, you have the "information wants to be free" crowd joining in, but that's really a side issue.
Posted by: LarsG at November 9, 2005 06:53 PM
As a media duplicator we were dragged into this...
This is actually Round 2. Sony took it upon themselves to create the "key" in an attempt to protect their share of a market place. When we first saw the code, 9 months ago, Sony told us it was "copy right protection code". An effort at weeding out the pirates. Once we discovered the "uninstalled" portion, we had a feeling they crossed the line.
Being on the lower end of the food chain, what can you do? It's SONY... Like they don't have money to tie up our court system. They simply stay the course of addressing "illegal copies" protecting market share. Once every quarter they make announcements of uncovering the source of lost revenue, showing the industry is not doing anything.
What we fail to understand is the belief by bringing them (Sony) to court this will change.
Review the whole board, Sony is more concerned about China. Do not underestimate the lengths they will go to protect what "Sony thinks" is theirs. Do not buy Sony products until they change the code. Sorry that would be too hard.
Posted by: John Feeney at November 14, 2005 11:44 AM
I just wonder what would eventually happen if Mark had not discovered this issue and made the announcement.
In August, way before Mark, this had been discovered but did not have the media attention it got this time. (http://castlecops.com/print-1-130470.html).
If it had not gotten the attention it got with Mark, those trojans out today might not have been discovered.
In a way, I think Sony should thank Mark for raising the rootkit issue or Sony could have even more problems had the problem been discovered after millions of computers had been infected and billions of dollars lost because they failed to fully disclose what their software was actually doing.
Posted by: csouza at November 14, 2005 09:50 PM
As others have mentioned, Sony's (or rather, First4's) software isn't just "ineptware," suggesting some sloppily written application and nothing more.
It is potentially dangerous "sneakware," employing a rootkit. This is serious stuff, and Sony deserves all the backlash it is currently receiving for it. The software developers were not just ineptly writing something that functions as a rootkit. They were not just unknowingly sloppy when they wrote software that cannot be uninstalled by any normal means. They were not simply amateurish coders when they created software that installs a rootkit but makes no mention of that fact in the user agreement.
The best part of this entire saga is how it so thoroughly blew up in Sony's face, to the point of their now recalling the offending CDs. And then, even better than that is the news that the product incorporates technology based on LAME (the MP3 encoder) which is in violation of LAME's licensing agreement. So Sony's DRM product, which is intended to protect copyrighted material, violates copyrights itself. What irony!
Posted by: GuillermoR at November 15, 2005 03:26 PM