Wednesday, May 25, 2022

A Brief History: The Sony BMG Copy Protection Scandal

During what some (certainly I) call the Napster era, high-speed internet access had entered nearly every home in the U.S.A. File-sharing became not only widespread, but a source of utter terror for record companies. CD burners were also standard equipment, which meant you didn't have to own even a digital copy of a file to share it. In fact, record companies were realizing that no one ever needed to pay for music again. And to be fair, the consumers had been realizing it first.

In 2000, Sony vice-president Steve Heckler spoke at the Americas Conference on Information Systems, saying: "The industry will take whatever steps it needs to protect itself and protect its revenue streams [...] It will not lose that revenue stream, no matter what [...] Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source – we will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC [...] These strategies are being aggressively pursued because there is simply too much at stake." In 2001, Sony made their first faux pas in the copy protection field, releasing copies of Natalie Imbruglia's second album White Lilies Island with copy protection that buyers were not warned of.

Copy protection was not uncommon by 2005: many record companies had started to encode their CDs to be more difficult to rip to your computer, partly to prevent sharing, and partly in the hopes of gaining both physical and digital sales. Artists such as Weird Al fired back at this sort of greediness by actually adding extra content for those who inserted the disc in their computers. And still, for every copy protection measure, someone created a new plugin or application that was smart enough to get around the protection.

So, enter Sony BMG, a merger formed in 2004, who in 2005 were ready to make good on the promise Heckler made in 2000. Without a word to consumers or artists, Sony BMG launched a copy protection measure on 22 million CDs that they released. That alone wasn't the issue: as stated, many companies were enacting similar measures. What was different this time, however, was that their protection didn't just make the CD harder to rip. No, this protection went so far as to immediately install software onto the user's computer that invited in malware.

Desktop computers in the '00s were in nearly every household. By then, the majority of folks had high-speed internet, a set of decent desk speakers, and no reason at all not to make the computer one of their primary household entertainment devices. There were plenty of completely innocent reasons to insert CDs and even DVDs into your disc drive. I myself had a desktop computer before I had a CD player with speakers. My primary way of listening to music was through headphones or a powerful set of desktop speakers, either one connected to my computer. So if I got a new CD, it was immediately going into my disc drive. 

You were really in trouble if you inserted these Sony BMG discs into your computer. The first thing that would happen was that you were offered a new music player. That "music player" would then install one of two programs onto your computer that would modify your operating system to interfere with your computer's ability to copy CDs in general. The program would be installed on Windows operating systems even if you declined it, and it could not be uninstalled. While it was surely a pain to be unable to copy CDs, that's not the worst this software had to offer. Next, one of the programs came with a "feature" that sent private listening data back to Sony BMG. One of the two protection programs explained what it was doing in the end-user license agreement, while the other did the exact same thing without even telling you what it was up to in the end-user license agreement.

These programs created vulnerabilities in the systems of those who inadvertently downloaded them. Since their initial release, the programs have been classified as "rootkits." Usually, a rootkit is intended to be malicious (not in the way Sony BMG intended to be malicious). A rootkit enables access to a computer, or to an area of that computer's software, that is not typically allowed. Sony was using this rootkit to disable a user's ability to copy the CD. But if you put a cat flap in your front door, nothing is stopping other animals from coming through. Hackers were able to exploit the newfound vulnerabilities. Malware was now able to attack the computers of those "infected" without having to jump through the normal hoops, because the cat flap for gaining unauthorized access to a person's computer was already there.

Mark Russinovich, creator of the program RootkitRevealer, discovered the rootkit Sony installed on one of his computers. He posted about it on his blog on October 31st, 2005, stating that digital rights management had gone "too far." He found numerous problems with the XCP software, from what I've already mentioned to the fact that the program would constantly run in the background, slowing down a user's computer whether or not a CD was being played. The XCP rootkit also stopped and started using unsafe means that could cause the computer to crash. Attempts to remove the rootkit could even cause the computer to stop recognizing existing drives. Following the blog post, more worms and viruses were created to exploit the newly discovered vulnerabilities.

Sony BMG initially denied that their software was a rootkit, but suddenly there was public awareness of rootkits, and a scandal surrounding Sony BMG's use of such software. Sony released patches in an attempt to help users uninstall the rootkits, but somehow, those patches opened computers up to even more vulnerabilities. The patch made the rootkit files visible, but installed even more files that couldn't be removed and, this time, also collected the user's email address.

The public was absolutely outraged by Sony's behavior. Many of the affected CDs were recalled with the promise of being replaced by CDs without the software. Sony BMG continued to deny allegations that their anti-piracy software was dangerous, even after more reports about the malware and viruses it opened the door for. Retailers who were asked to pull the CDs and ship them back for credit were in many cases not doing so. Since it was after Thanksgiving by that time, the issue raged on as shopping increased for the Christmas season. Only about 10% of the recalled CDs ever made it back.

Class-action lawsuits were filed throughout the United States and around the world. Making matters even worse for Sony BMG, they had failed to follow licensing laws themselves when using open-source software in the program. The LAME MP3 encoder was the primary software, and its developers stated that they hoped Sony BMG would take appropriate action.

By 2007, Sony BMG decided to completely get out of the copyright protection game. But the damage was done for many.

A great number of artists' works were wrapped up in this scandal. Natasha Bedingfield's Unwritten was among those affected, and it sold over one million copies in her home country of the United Kingdom, and saw plenty of sales in the U.S. also. Though the U.K. version of the CD was released through an RCA subsidiary, the U.S. version was released through Epic, one of Sony's subsidiaries. The album sold 34,000 copies in the U.S. during its first week of release. Many compilation albums were also released with this rootkit software, including some by older artists like Burt Bacharach, Pete Seeger, Frank Sinatra, Louis Armstrong, and Billie Holiday, with some by slightly newer artists like Cyndi Lauper also affected. Neil Diamond's 26th studio album Twelve Songs, Rosanne Cash's King's Record Shop, Ricky Martin's Life, and George Jones' duet album My Very Special Guests were all affected albums. To me, these titles show that a wide range of age groups and musical tastes were all hit with this. There are almost too many affected albums to name, but of course we can't forget one of the bands who became most vocal about the situation: Switchfoot.

Switchfoot's fifth studio album Nothing is Sound sold half a million copies in the first month of its release. It debuted at number three on the Billboard albums chart, and was their first release after the monstrously successful The Beautiful Letdown. It was only their second studio album with Sony. As soon as the problem was discovered, the band were upset on behalf of their fans. Bassist Tim Foreman posted on the group's forums with a way to get around the protection, but the post soon disappeared mysteriously, with many believing Sony had threatened legal action against Foreman or the band. Strangely, many British copies of the album under EMI suffered from a similar copy protection problem, although that situation was handled much more gracefully. The scandal left such a bad taste in the mouths of the band that they were only too happy to get out of their contract with Sony, which they were able to do after Oh! Gravity, the third in their contractually obligated three albums on the label. They then formed their own label, "lowercase people," which was distributed by Atlantic. Lead singer and songwriter Jon Foreman felt as though the situation tainted their album, which was already considered to be one of their darkest works.

I have a copy of Nothing is Sound that I purchased used not too long ago. Updates to computers between 2005 and the present day have since made the type of vulnerability that the CDs initially created much more difficult to end up with accidentally. Aside from that, my copy doesn't seem to have the correct barcode on it to make it one of those affected (the barcode ends in XCP on affected CDs). Yet still, when I tried to rip the CD to my digital music library for use in my radio shows, I couldn't touch the tracks. Obviously I'm not making an effort to find a way around the copy protection, but whatever they put on those CDs was certainly effective.

I think by this point, most artists are just happy to have their music out there. Royalties are gained from streams and YouTube views. But I don't know if record companies will ever fully be over the new technology that the internet beckoned in so many years ago. It took a lot of time and situations such as this scandal to get them even close to over it.
