Sony struggles to regain trust

The company is trying to mend a reputation bruised over its antipiracy practices. One advocate for online civil liberties explains why redemption is a long way off.

There are signs Sony BMG Music Entertainment Inc. is trying to salvage its reputation following revelations it used rootkit-based digital rights management (DRM) software to prevent CD copying.

The president of Sony BMG's global digital business, Thomas Hesse, recently told the BBC the company will "diligently re-evaluate" its antipiracy methods. And the company was quick to acknowledge a security hole in Phoenix-based SunnComm Technologies Inc.'s MediaMax Version 5 content protection software used in many of its CDs.

But Corynne McSherry, staff attorney for the San Francisco-based Electronic Frontier Foundation (EFF), which fights to protect civil liberties in cyberspace, said Sony's redemption is still a long way off.

The EFF is among those taking legal action against Sony over the software it has been using -- specifically SunnComm's MediaMax and U.K.-based First 4 Internet Ltd.'s Extended Copy Protection, also known as XCP.

"Sony does deserve credit for recalling CDs, it was the right thing to do," McSherry said. "And when we brought the MediaMax flaw to their attention they moved quickly to develop a patch. When a problem was found with the patch, they moved quickly to fix it. It would have been better to have put the patch together more carefully so another wouldn't be necessary, but they're trying to take steps. The uninstaller was a good step, as well."

But she said the company hasn't yet done what's necessary to regain public trust. For starters, the company's efforts to re-evaluate its practices appear to be based more on the damage to its reputation than on a genuine desire to do the right thing. McSherry noted that some of Sony's artists are angry over its antipiracy practices.

"They didn't realize what was happening and what the implications would be," she said. "Now the artists are upset because people are angry with them because their CDs have caused trouble. And they're putting pressure on the labels and trying to disavow DRM software as a result."

Among those railing against Sony is the band My Morning Jacket, which responded to fan anger over copy-protected Sony BMG CDs by sending out DRM-free copies of its album "Z." According to an article in Rolling Stone magazine, the group started burning unrestricted CDs after fans complained they couldn't transfer songs from the album to their iPods. The band's manager, Mike Martinovich, told the magazine that Sony BMG should drop DRM on CDs entirely.

But one legal expert had words of caution for those who'd like to see DRM programs done away with. Randal C. Picker, a professor of commercial law at The University of Chicago Law School, pondered the issue on the Freedom to Tinker blog of Ed Felten, a professor of computer science and public affairs at Princeton University and critic of Sony's practices.

Picker said the fact that consumers don't want the technology "doesn't tell us anything" about whether it is in the joint interests of consumers and producers.

He added, "Consumers may gain more from a DRM world than they would from whatever alternative world emerges without DRM." Those subject to restrictions rarely want them, Picker said. "But restrictions are frequently welfare maximizing; the fact that one party would like to get rid of the restrictions tells me little (nothing, probably) about whether the restriction is in the joint interest of the parties to the transaction."

Additionally, Sony BMG hasn't addressed what McSherry describes as "ridiculous provisions" in its End User Licensing Agreement (EULA).

"This is a problem that hasn't gotten enough attention," she said. "The EULAs are long and complicated and people aren't as likely to read them carefully as a result and they miss clauses that are offensive."

One clause sets a liability limit of $5. "So if Sony is found liable, it can only be for $5, so the user can't get back what they paid for the CD," she said. "Another clause says you can't take the music you put on your computer with you out of the country. If you move out of the country, you have to delete all your music."

Other provisions, outlined on the EFF Web site, say, among other things:

  • Users must delete all music from their laptops if their homes are burglarized because "the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD."
  • Users can't keep their music on any computers at work because the EULA only gives them the right to put copies on a "personal home computer system owned by you."
  • Users must install any and all updates, or else lose the music on their computer. The EULA immediately terminates if users fail to install any update.
  • Sony BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against users, at any time, without notice. The company disclaims any liability if this "self help" crashes the computer or exposes the user to security risks.

McSherry points out another problem: Even if the EULA is declined, the MediaMax program is still installed. "That's offensive, not to mention illegal," she said. "California's antispyware law prohibits that kind of behavior."

When MediaMax is installed, she said, "when you play a CD, it phones home to Sony via SunnComm, letting Sony know the CD is being played. Then Sony will send you ads. So when you install this software you're putting adware on your computer. It's not appropriate, especially if you're not disclosing that's what the software can do. The fact that it phones home at all concerns us because it's a privacy issue."

McSherry said the EFF worries that it's just a matter of time before other companies are caught using technology in this fashion. She hopes the damage Sony has suffered will help others see the light.

"Sony and all the other record labels really need to be thinking about whether [antipiracy] software is worth it," she said.
