Mark Russinovich has yet another great post on the now-notorious SonyBMG/First4Internet CD “copy protection” software. His conclusion: “Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.”
Here’s how the uninstall process works:
- The user somehow finds the obscure web page from which he can request the uninstaller.
- The user fills out and submits a form requesting the uninstaller. The form requests information that is not necessary to perform the uninstallation.
- The vendor sends the user an email asking him to install a patch, and then to visit another page if he still wants to uninstall the software.
- The user is directed to install and run yet more software – an ActiveX control – on his computer.
- The user has to fill out and submit yet another form, which asks unnecessarily for still more information.
- The vendor sends the user an email containing a cryptic web link.
- The user clicks on that web link. This will perform the uninstall, but only if the user is running on the same computer on which he performed the previous steps, and only if it is used within one week.
None of these steps is necessary. It would be perfectly feasible to provide for download a simple uninstaller that works on any computer that can run the original software. Indeed, it would have been easier for the vendor to do this.
In all the discussion of the SonyBMG software, I’ve been avoiding the S-word. But now it’s clear that this software crosses the line. It’s spyware.
Let’s review the evidence:
- The software comes with a EULA which, at the very least, misleads users about what the software does.
- The software interferes with the efforts of ordinary users and programs, including virus checkers and other security software, to identify it.
- Without telling the user or obtaining consent, the software sends information to the vendor about the user’s activities.
- No uninstaller is provided with the software, or even on the vendor’s website, despite indications to the contrary in the EULA.
- The vendor has an uninstaller but refuses to make it available except to individual users who jump through a long series of hoops.
- The vendor makes misleading statements to the press about the software.
This is the kind of behavior we’ve come to expect from spyware vendors. Experience teaches that it’s typical of small DRM companies too. But why isn’t SonyBMG backing away from this? Doesn’t SonyBMG aspire to at least a modest level of corporate citizenship?
There are three possibilities. Maybe SonyBMG is so out of touch that they don’t even realize they are in the wrong. Or maybe SonyBMG realizes its mistake but has decided to stonewall in the hope that the press and the public will lose interest before the company has to admit error. Or maybe SonyBMG realizes that its customers have good reason to be angry, but the company thinks it is strategically necessary to defend its practices anyway. The last possibility is the most interesting; I may write about it tomorrow.
Outside the SonyBMG executive suite, a consensus has developed that this software is dangerous, and forces are mobilizing against it. Virus researchers are analyzing malware now in circulation that exploits the software’s rootkit functionality. Class-action lawsuits have been filed in California and New York, and a government investigation seems likely in Italy. Computer Associates has labeled the software as spyware, and modified its PestPatrol spyware detector to look for the software. Organizations such as Rutgers University are even warning their people not to play SonyBMG CDs in their computers.