June 24, 2024

SonyBMG "Protection" is Spyware

Mark Russinovich has yet another great post on the now-notorious SonyBMG/First4Internet CD “copy protection” software. His conclusion: “Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.”

Here’s how the uninstall process works:

  • The user somehow finds the obscure web page from which he can request the uninstaller.
  • The user fills out and submits a form requesting the uninstaller. The form requests information that is not necessary to perform the uninstallation.
  • The vendor sends the user an email asking him to install a patch, and then to visit another page if he still wants to uninstall the software.
  • The user is directed to install and run yet more software – an ActiveX control – on his computer.
  • The user has to fill out and submit yet another form, which asks unnecessarily for still more information.
  • The vendor sends the user an email containing a cryptic web link.
  • The user clicks on that web link. This will perform the uninstall, but only if the user is running on the same computer on which he performed the previous steps, and only if it is used within one week.

None of these steps is necessary. It would be perfectly feasible to provide for download a simple uninstaller that works on any computer that can run the original software. Indeed, it would have been easier for the vendor to do this.

In all the discussion of the SonyBMG software, I’ve been avoiding the S-word. But now it’s clear that this software crosses the line. It’s spyware.

Let’s review the evidence:

  • The software comes with a EULA which, at the very least, misleads users about what the software does.
  • The software interferes with the efforts of ordinary users and programs, including virus checkers and other security software, to identify it.
  • Without telling the user or obtaining consent, the software sends information to the vendor about the user’s activities.
  • No uninstaller is provided with the software, or even on the vendor’s website, despite indications to the contrary in the EULA.
  • The vendor has an uninstaller but refuses to make it available except to individual users who jump through a long series of hoops.
  • The vendor makes misleading statements to the press about the software.

This is the kind of behavior we’ve come to expect from spyware vendors. Experience teaches that it’s typical of small DRM companies too. But why isn’t SonyBMG backing away from this? Doesn’t SonyBMG aspire to at least a modest level of corporate citizenship?

There are three possibilities. Maybe SonyBMG is so out of touch that they don’t even realize they are in the wrong. Or maybe SonyBMG realizes its mistake but has decided to stonewall in the hope that the press and the public will lose interest before the company has to admit error. Or maybe SonyBMG realizes that its customers have good reason to be angry, but the company thinks it is strategically necessary to defend its practices anyway. The last possibility is the most interesting; I may write about it tomorrow.

Outside the SonyBMG executive suite, a consensus has developed that this software is dangerous, and forces are mobilizing against it. Virus researchers are analyzing malware now in circulation that exploits the software’s rootkit functionality. Class-action lawsuits have been filed in California and New York, and a government investigation seems likely in Italy. Computer Associates has labeled the software as spyware, and modified its PestPatrol spyware detector to look for the software. Organizations such as Rutgers University are even warning their people not to play SonyBMG CDs in their computers.


  1. Ans to 6: Yes.

  2. 1) I am an investor in Sunncomm & MediaMax so I am biased towards their product.

    2) I love music and am concerned about how these companies copy protect the music I purchase so I follow what is going in the CD copy protection world pretty closely.

    3) I have tried numerous spyware programs with the latest and greatest signatures loaded and none of them have found MediaMax to be a spyware threat, that is right… NONE of them (I have MediaMax V5 installed in my PC).

    4) According to Halderman MediaMax is spyware, how many spyware programs have the “Designed for Windows” certification?


    5) Sunncomm’s DRM allows people to do more with their music than ever before, you can encode wma files right to your PC and never have to open the MediaMax interface again. You can make legal CDR copies of the music, and whenever Apple decides to license their “Fair-Play” DRM iPod users will be able to encode the music to their hard drives too. People CAN do what they want with the digital information; they just do it in a structured and legal way. There is nothing wrong with this IMO.

    6) Lastly, Halderman stated that Sunncomm’s product is spyware based on the fact that there is no uninstall feature – There is no uninstall feature for Windows Media DRM – is this spyware too? There are also references to MediaMax phoning home, so do a lot of programs. When you install various programs they have banner ads built in to the program. They phone home to get updated banners, MusicMatch Jukebox does this if you don’t buy the full version of the software – is this spyware too?

  3. Ed’s restraint is admirable; it took quite a lot to get him to use the S-word but now he has done it. Isn’t it also time to use the B-word? Not just aimed at SonyBMG, but aimed more broadly at the Sony Corporation. According to their most recent public quarterly financial statement, the Sony Corporation is comprised of five operating segments. The top segment, Electronics (Audio, Video, TV, Information & Communications, Semiconductors and Components) accounts for 65% of Sony’s income. The next two segments, Games & Pictures add another 20% of Sony’s income. The last of the five segments, “Other”, is where the SonyBMG operating results are rolled up. “Other” makes up 5% of Sony’s income and is declining. If the Sony Corporation has more respect for consumers than their less than 5% component SonyBMG, it is time for the Sony Corporation to make sure their customers know that. A consumer boycott of Sony Electronics, Games and Picture products as the holiday sales season approaches might even be enough to cause the Sony Corporation to get the attention of SonyBMG.

  4. “Without telling the user or obtaining consent, the software sends information to the vendor about the user’s activities.”

    Is this not a felony violation of various computer crime laws? Why is Sony not being pursued under such criminal statutes? Certainly, if a private individual was caught doing this to one of Sony’s computers, there would be at least an arrest.

  5. I’ve been following this ongoing disaster and it makes me very uneasy thinking this could very well be a test balloon for the mechanisms to be implemented into BD+ and the Trusted Computing Platform.

  6. We need an examination of the legal issues posed by the DMCA in this case. The DMCA needs to be amended if – as it appears – the DMCA makes it illegal to remove this kind of junk from my computer.

    We need an examination of the legal issues posed by EULAs: Sony’s EULA (I believe) makes it illegal for you to explore and remove their DRM junk, no matter how nasty it is to you. EULAs need to be reined in.

  7. “… if you ask me, [Microsoft] should be more concerned about preventing rootkits from being installed in the OS from a CD without notice.”

    Not true: Sony uses social engineering; it does not exploit an OS vulnerability.

    The Sony spyware does *not* “install … without notice”. It will only install on an admin account, and only then if the user clicks through the EULA and launches an installer program.

    So for once Microsoft’s OS is not to blame. (However, I think Microsoft themselves have to shoulder a certain amount of blame, because: first, there is evidence that they have known about this software for quite some time; and secondly, even now the news is out in the open, they have still said little and done less.)

    Contrary to Riley’s assumption, this software does not exploit an OS vulnerability to install itself. Rather Sony has been making use of social engineering to trick people into installing the software on their machines. People have been willing to click through, because they – naively – assumed they could trust Sony. They’ll know not to now.

  8. I also wonder about security and anti-virus companies that are adding this DRM software to their list of programs to prevent and remove. What implications are there for that under the DMCA? Will hackers now be able to use ‘content’ packaged with ‘DRM software’ to legally install programs that can later be used malicously?

    As part of the fix for the recent Trojan that uses the Sony DRM to cloak itself, Sophos’ patch will also disable the DRM software itself. Computer Associates has already added this to their products. There is also an article out that Microsoft is considering adding it to their own security product (although if you ask me, they should be more concerned about preventing rootkits from being installed in the OS from a CD without notice).

  9. It’s obvious to me the reason why they make you jump through these hoops to uninstall the software. It’s because they designed this procedure weeks or months ago, and at the time the assumption was that most people who would try to do it were people who were interested in pirating the music. Their model was that people would have used the CD and found they couldn’t rip and share the songs, so they want to remove the technology that is stopping them. By making this difficult and asking a lot of intrusive, personal questions, Sony expected that people who had guilty consciences and knew what they were doing was wrong would not be willing to go through all that. If they had just supplied an uninstaller that was freely available for everyone, Sony would expect that pirates would go ahead and use it, and Sony wouldn’t have received any benefit from its DRM.

    This may be obvious but I think it is worth stating because I haven’t seen it elsewhere. Part of the design of a DRM system has to be that it can’t be too easy to remove, and you have to try to scare people off who are removing it for illegitimate reasons. That’s what Sony has done here.

  10. We should not allow our collective anger at Sony BMG’s stonewalling to prevent us from appreciating its humorous aspects, such as Sony Global Digital president Thomas Hesse’s statement, “Most people, I think, don’t even know what a rootkit is, so why should they care about it?” My immediate thought was, “Most people don’t know what radon is, so why should they care if it’s accumulating in their basements?”

  11. Brian Srivastava says

    And now it would seem, not only is the rootkit spyware, but it makes installing trojans that much easier!


    For once in my life I’m thinking that the litigious society the people in the US have to live with may actually have its uses.

  12. I’m kind of curious about the implications of web sites offering instructions (disable autorun, hold down shift key, instructions for removal….) for disabling or working around the Sony protections. I thought the DMCA had strict provisions against trafficking in tools and procedures for circumventing a protection device.

    Just one of those things that make me go, “hmmmm….”

  13. Grant Gould says

    As the IT person at a small company (in the streaming music business, no less!), I have banned Sony CDs from any office machine whose Autorun has not been disabled.

    I agree that Sony has probably made a strategic decision that this sort of invasive software is what they need in order to fight the DRM war. Their multistage uninstallation process reminds me too much of the elaborate hoops set up for users who play too many out-of-region DVDs — it has the look of an intentional “speedbump” set up to prevent naive users from too easily or casually getting what they want.
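The last two comments point at the one mitigation an ordinary user or an IT person can apply before the disc is ever inserted: turn off Autorun, so that putting a CD in the drive cannot start an installer on its own. The script below is an added example written for this page; it is not code from the post, from any commenter, or from Sony or First4Internet. It sets the documented Windows policy value NoDriveTypeAutoRun (a bit mask of drive types that must not AutoRun, where the CD-ROM drive type 5 corresponds to bit 1 shl 5 = 0x20) and then reads it back to confirm. The registry key and value name are Microsoft's; the function names are this example's own.

```powershell
# Added example (not from the original post or its comments): disable AutoRun
# for every drive type through the NoDriveTypeAutoRun policy, then verify.
# Run in an elevated PowerShell session; HKLM applies to all users.

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$PolicyName = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF    # one bit per drive type; 0xFF masks every type
$CdRomBit   = 0x20    # DRIVE_CDROM is drive type 5, so its bit is 1 shl 5

function Get-AutoRunPolicy {
    # Returns the current mask as an integer, or $null when no policy is set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyName
}

function Test-CdAutoRunDisabled {
    # True only if a policy exists and its CD-ROM bit is set.
    $mask = Get-AutoRunPolicy
    return ($null -ne $mask) -and (($mask -band $CdRomBit) -ne 0)
}

function Disable-AutoRun {
    # Create the policy key if it is missing, then write the full mask as a DWORD.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name $PolicyName -Value $AllDrives -Type DWord
}

# Apply and check.
Disable-AutoRun
if (Test-CdAutoRunDisabled) {
    'AutoRun disabled for CD/DVD drives (NoDriveTypeAutoRun = 0x{0:X2})' -f (Get-AutoRunPolicy)
} else {
    Write-Warning 'NoDriveTypeAutoRun was not applied; check that the session is elevated.'
}
```

Two caveats a practitioner would want. The Explorer shell reads this policy at logon, so the setting takes effect for sessions started after the change, and a per-disc alternative on an unchanged machine is holding Shift while inserting the disc, as comment 12 mentions. And the policy only stops the automatic launch: the installer on the disc is still there, and a user who opens the drive and runs it by hand, under an administrator account, gets the same result comment 7 describes.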