Sony BMG halts "rootkit" CDs

Music giant responds to litigation by vowing to halt production of CDs containing controversial antipiracy technology abused by viruses, World of Warcraft cheaters.



After nearly two weeks of stinging criticism and the filing of at least one class-action lawsuit, Sony BMG Music Entertainment promised today to temporarily stop making CDs loaded with controversial copy-protection technology.

One effect of installing the company's XCP content protection software on a computer was that files with certain character combinations in their names were essentially invisible to the computer. This opened the door to virus writers who wanted to hide their work from antivirus software, as well as World of Warcraft hackers who wanted to hide their programs from that game's Warden anticheat program.

"We are aware that a computer virus is circulating that may affect computers with XCP content protection software," Sony BMG said in a statement today. "We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology."

The world's second-largest music label was using software created by First 4 Internet and designed to prevent a user from copying a CD more than twice. All of the major labels use copy-protection, or digital rights management (DRM), software, but Sony was using a particular type, called XCP, that used a "rootkit," a watchdog program that hides itself deep in the core of the operating system once a CD is loaded onto a computer.

Sony had loaded XCP onto about 20 of its CDs, including My Morning Jacket's Z, Trey Anastasio's Shine, Celine Dion's On ne Change Pas, Neil Diamond's 12 Songs, Amerie's Touch, Pete Seeger's The Essential Pete Seeger, and Ricky Martin's Life. Partial lists of CDs are at Slashdot and the Electronic Frontier Foundation.

First uncovered by programmer and blogger Mark Russinovich on October 31, the use of the rootkit set off a firestorm of criticism. That heat reached its peak yesterday, when a class-action lawsuit filed against the label by a Southern California attorney emerged.

The suit, filed last week in Los Angeles Superior Court on behalf of all California consumers "who purchased or acquired one of the rootkit-installed CDs," claims Sony BMG broke three state laws. It asks the court to force Sony to stop selling any more CDs containing the rootkit, and it seeks compensation for damage already incurred by users.

Sony has since released a patch that makes its software visible again. Sony has also sent the rootkit-cloaking information to antivirus software companies so they know to look for it.

The company has also said it has abandoned the rootkit strategy--but not, of course, the use of other forms of DRM copy protection.

"We also intend to reexamine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said today.
