The Sony BMG DRM Debacle
Corynne McSherry, Staff Attorney
February 28, 2005

Overview: What was the problem?
• In a nutshell: Sony BMG Music Entertainment included flawed ‘copy-protection’ software in millions of music CDs sold to the public.
• DRM software had serious security holes:
  § XCP had a ‘rootkit’ and hid system files
  § MediaMax allowed privilege escalation attack
• Software also ‘phoned home,’ invaded consumer privacy without disclosure

Background: Who is Sony BMG?
• Sony BMG is the world's second largest music company, responsible for about 25% of sales. Prominent labels include Arista Records, Columbia Records, Epic Records, RCA Victor Group.

Background: What Were They Thinking?
• Labels are concerned about unlimited CD copying
  § Seeking more rights than provided by law
• DRM is not designed to stop all “piracy”
  § Can’t stop peer-to-peer/darknet
  § Can’t stop commercial operations
• Proponents call it a “speedbump” to “casual piracy,” keeping “honest people honest”

Background: Your Legal Rights to Copy CDs
• Fair use to copy to computer
• Fair use to copy to MP3 player
• Audio Home Recording Act allows noncommercial copies by consumers onto CD-Audio discs
• DRM provides tighter restrictions than copyright law

DRM Is Problematic By Nature
• Active protection* only works if DRM software is running to interfere with reading standard CD format
• Software must have greater rights than user or it is easy to defeat or remove
• But users do not want software that restricts their uses; often try to remove or disable
* Passive protection, which exploits differences in how computers and CD players read discs, is generally considered insufficient.

First 4 Internet’s XCP
• 4.7 million made; 2.1 million shipped
• Written with intent to conceal itself from users (like a “rootkit”)
  § Hides files from the user, intercepts calls to CD drive
• Extremely difficult to remove without damage
  § Improper removal can break CD drive
• Communicated listening habits to a sonymusic.com server

SunnComm’s MediaMax
• 20 million total; about 5.7 million with MM5.
• Installed some files (over 12 MB), including DRM, even if user clicks ‘I disagree’
• MM5 allowed privilege escalation attacks
  § SunnComm folder permission open to “Everyone”
  § Attacker could set booby-trap for next CD play
• Communicated listening habits to a SunnComm server

Sony BMG’s EULA
• Both installs included 3000-word End User License Agreement
• Highlights
  § Lose rights to digital copy if lose physical CD
  § Lose rights upon bankruptcy
  § Can’t leave country with digital copy (i.e., the one on your MP3 player)
  § Sony can use software to “enforce its rights”
  § Prohibits reverse engineering
  § $5 limit on damages; must sue in NY

Privacy Concerns
• Software sends a unique identifier to an external web server that can be used to identify which CDs are being played
• Also provides standard web browser info to server
• Can be used to send content to player software, customized by the songs
• Was not disclosed to users in EULA or otherwise; website FAQ had denials.

Sony DRM Spotting

What is Spyware?
• Anti-Spyware Coalition describes spyware as technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
  1) material changes that affect a user's experience, privacy, or system security;
  2) use of the user's system resources, including what programs are installed on the user's computer; and/or
  3) collection, use, and distribution of a user's personal or other sensitive information.
• Computer Associates defines spyware as, "Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior."

Sony BMG’s XCP Response
• Oct. 4: F-Secure informs Sony BMG privately
• Oct. 31: Mark Russinovich blogs about rootkit
• Nov. 4: Sony BMG Exec. Thomas Hesse says “Most people, I think, don't even know what a rootkit is, so why should they care about it?”
• Nov. 8: Sony BMG writes XCP “is not malicious and does not compromise security.”
• After multiple lawsuits filed and intense public pressure (incl. EFF open letter), Sony changes tune

Sony BMG’s MediaMax Response
• Nov. 14: EFF open letter pushes on MediaMax
• Nov. 30: EFF informs Sony BMG privately about vulnerability detected by iSEC Partners (EFF had requested examination of software)
• Dec. 6: Joint announcement; patch released
• Dec. 7: Security flaw found in patch
• Dec. 8: New patch issued.

The Law: Overview
• Many class action lawsuits filed; Texas AG files civil action; other AGs (NY, MA, IL) and FTC investigating.
• Legal issues include:
  § Anti-Spyware Laws
  § Anti-Hacking Laws
  § Unfair Business Practices Laws
  § False Advertising Laws

10 States Have Anti-Spyware Laws
• E.g. California’s Consumer Protection Against Computer Spyware Act:
  § Prohibits preventing “an authorized user's reasonable efforts to block the installation of, or to disable, software, by presenting the authorized user with an option to decline installation of software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds.”
  § Authorized user excludes persons that have “obtained authorization to use the computer solely through the use of an end user license agreement.”

Federal Anti-Hacking Laws
• Computer Fraud and Abuse Act
  § “intentionally access protected computers,” and as a result of such conduct, cause damage;
  § By means of such conduct further an intended fraud; or
  § Cause a threat to public health or safety, medical computer, administration of justice

State Anti-Hacking Laws
• California Penal Code 502:
  § forbids any person knowingly introducing “any computer contaminant into any computer, computer system, or computer network.”
  § computer contaminant: “any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information.”

Unfair Business Practices
• Many states have laws against unfair business practices. California’s forbids companies from engaging in unfair competition, which is defined as “any unlawful, unfair or fraudulent business act or practice.”
• Unlawful: Any violation of law, federal or state, civil or criminal, can be a trigger
• Unfair: Can include privacy violations
• Fraudulent: Addresses misrepresentations

DMCA Issues
• Digital Millennium Copyright Act generally prohibits circumventing copy protection systems
• Some speculated that security research into Sony BMG’s DRM software could violate DMCA
• In response to EFF’s open letter, Sony BMG said it would not use DMCA against “legitimate security researchers.”
• Alex Halderman and Ed Felten sought an exemption that would allow DRM circumvention for spyware and security holes through DMCA rulemaking process.

Why Such Problems With DRM?
• As Prof. Ed Felten points out,* DRM is likely to act like spyware because both face similar problems:
  § Installing software users do not want
  § Stopping removal or disabling
• Plus inherent security risks in operating software at high rights level
* See http://www.freedom-to-tinker.com/

A Skeptic’s View of DRM
• DRM is ineffective at stopping “piracy.”
• Fair use must be preserved
• DRM must not impede innovation, competition and consumer choice
• DRM technology mandates are bad policy
• Anti-circumvention rules impede innovation and security research

What’s the Big Deal?
• Many software programs have bugs and security holes
• Key differences:
  § Installed without user authorization or knowledge
  § No notice of ‘phone home’ feature
  § XCP rootkit was deliberate design decision
  § Different expectations for CD-Audio

MediaMax Hack
• Discovered by iSEC Partners (at EFF request)
• The SunnComm Shared directory uses an ACL that allows low-rights users (i.e., "Everyone" in Windows parlance) to overwrite the contents, such as MMX.EXE, the MediaMax program.
• An attacker can overwrite MMX.EXE with code of her choice, and the next time a MediaMax disc is played, her attack code will be executed as an Admin
• Attack vectors only limited by creativity of malware writers.

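An added example, not from the slides or from iSEC Partners: a Python check that reads `icacls` output for a directory and reports low-privilege principals whose ACEs permit overwriting its files, which is the ACL weakness described for the SunnComm Shared directory. The directory path and both sample outputs are constructed placeholders.

```python
import re

# Principals that every local, unprivileged account belongs to.
LOW_PRIV = {"everyone", "builtin\\users", "nt authority\\authenticated users",
            "nt authority\\interactive"}
# icacls rights that let a principal replace or add files in a directory:
# F (full), M (modify), W (write), WD/AD (write/append data), GA/GW (generic).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GA", "GW"}
# Parenthesised tokens that describe inheritance or ACE type, not access rights.
NON_RIGHTS = {"OI", "CI", "IO", "NP", "I", "DENY"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<groups>(?:\([^)]*\))+)$")

def parse_icacls(output, path):
    """Return (principal, rights, is_deny) for each ACE icacls printed for path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):          # first ACE shares a line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                          # blank line or "Successfully processed"
            continue
        groups = re.findall(r"\(([^)]*)\)", m.group("groups"))
        rights = {r.strip() for g in groups if g not in NON_RIGHTS
                  for r in g.split(",")}
        aces.append((m.group("who"), rights, "DENY" in groups))
    return aces

def risky_writers(output, path):
    """Low-privilege principals whose allow ACEs permit overwriting files."""
    return sorted(who for who, rights, deny in parse_icacls(output, path)
                  if not deny and who.lower() in LOW_PRIV and rights & WRITE_RIGHTS)

# Constructed sample output; the path is a placeholder, not the real install path.
PATH = r"C:\Example\Vendor Shared"
WEAK = r"""C:\Example\Vendor Shared Everyone:(OI)(CI)(F)
                         BUILTIN\Administrators:(OI)(CI)(F)
                         NT AUTHORITY\Authenticated Users:(OI)(CI)(RX,W)

Successfully processed 1 files; Failed processing 0 files
"""
FIXED = r"""C:\Example\Vendor Shared BUILTIN\Administrators:(OI)(CI)(F)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         BUILTIN\Users:(OI)(CI)(RX)
"""

if __name__ == "__main__":
    print("weak :", risky_writers(WEAK, PATH))
    print("fixed:", risky_writers(FIXED, PATH))
```
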
Why EFF Got Involved
• To protect people who purchased these defective discs and to prevent this from re-occurring
• A watchdog was needed to ensure the settlement was fair, reasonable and adequately addressed all the issues
• Bring our expertise in DRM issues to bear

The Settlement: EFF’s Goals
• Close the spigot: Stop production of more flawed CDs.
• Get people non-DRM'd/non-EULA'd versions of their music.
• Get this relief to people quickly.
• Get people some free music, or a choice of some money for their trouble.
• Ensure adequate notice--of flaws and compensation.
• Ensure independent security testing and pre-launch EULA review of any future DRM
• Ensure quick, reliable process for handling future security problems--with independent experts and judicial enforcement

IF YOU BOUGHT / YOU ARE ELIGIBLE FOR:
XCP:
  1. An identical CD that does not contain DRM
  2. A clean MP3 version of the music on that CD.
  3. For every CD you return:
     • a cash payment of $7.50, plus one free download from a list of approximately 200 album titles in the Sony BMG catalogue;
     • OR three free downloads (same list)
MEDIAMAX 5.0:
  1. A clean MP3 version of the music on that CD
  2. One additional download.
MEDIAMAX 3.0:
  A clean MP3 version of the music on that CD

Settlement doesn’t include:
• Damage to a computer or network resulting from interactions between XCP or MediaMax and user’s computer (e.g., damage to hard drive);
• Damage related to reasonable efforts to remove XCP or MediaMax; or
• Copyright, trademark or other IP claims (e.g. GPL claims which can only be brought by code rightholders).
• Another option: Opting Out (by May 1).

EULA PROVISIONS
• Replacement CDs/downloads won’t have EULA
• For old disks: Sony BMG agrees not to enforce provisions forbidding fair use, resale of CDs, and full use of CDs if user fails to install update or goes bankrupt.
• Future EULA: Independent EULA reviewer

What about the future?
• If Sony uses DRM in the future, it must:
  § Adequately disclose DRM BEFORE sale
  § Have DRM independently tested for security flaws BEFORE release
  § Ensure the DRM doesn’t install without explicit permission
  § Provide ready access to uninstaller
  § If security flaw found after release: notify/fix/disclose