Mark Russinovich, a software designer in Austin, Texas, wasn't too surprised to find something ghoulish lurking in his hard drive when he ran a routine virus check on Halloween. When he discovered it was a "rootkit" - a kind of software commonly used by viruses, spyware, and other "malware" to mask themselves among normal files - he chalked it up to the usual aggravating tricksters.
But when Mr. Russinovich, chief software architect for Winternals Software, did a thorough investigation he was shocked to find the source of the rootkit: a commercially produced music CD from Sony BMG. Not only that, but when he manually tried to erase the program, it disabled his computer's CD drive.
Russinovich posted his findings, in excruciating detail, on his weblog at sysinternals.com. His Van Zant album had automatically installed the rootkit to hide custom antipiracy software when he played the CD on his computer. The blogosphere erupted with invective. They accused Sony of using "hacker ware" and programming computers to spy on their owners - and possibly opening a "backdoor" for hackers on consumers' machines.
Sony's software was designed by British copyright protection firm First 4 Internet, which acknowledges a "theoretical" security risk posed by the rootkit. According to First 4 Internet CEO Matthew Gilliat-Smith, the rootkit application could create a secret backdoor for hackers. Sony has hastily posted a "patch" program to reveal the rootkit, but some say it doesn't go far enough.
"It definitely hit a nerve with a lot of people," says Russinovich. "I think part of it is the encroachment on our everyday lives, people being afraid that we're losing our right to privacy, our right to control our own property."
The discovery highlights the music industry's growing concern, even desperation, in the face of increasing competition from digital music sources and loss of income from piracy.
"These companies are trying to - in their effort to reduce copying - erode users' control over their own computers," says Ed Felten, a professor of computer science and public affairs at Princeton University in New Jersey. "I think we may continue to see problems like this. There are other companies that offer other kinds of copy-protection technologies, and there is a danger that they will stray across the line as well, or maybe even already have."
Part of Sony's antipiracy strategy is that some of its music will play only with media software included on the CD. When a user inserts the CD, he or she is asked to consent to an "end user licensing agreement" for a Digital Rights Management (DRM) application. If the user agrees, the rootkit automatically installs and hides (or "cloaks") a suite of DRM software.
While the Sony digital consent form mentions the DRM application, it does not specifically mention a rootkit, says Jason Schultz, a staff attorney at the Electronic Frontier Foundation, a digital rights advocacy group. Rootkits are most often pernicious, designed to protect a program from being detected by conventional antivirus programs. In fact, New York-based management software company Computer Associates classifies the Sony rootkit as a Trojan "pest," a piece of software with a hidden intent.
But as far as Sony and First 4 Internet are concerned, the controversy is much ado about nothing.
"I think this whole issue is about intent," says Mr. Gilliat-Smith. "There's no question there was no intent to create a hypothetical security breach here. We've reacted very quickly to provide a solution." Meanwhile, armies of Internet denizens have been poring over Sony's DRM code and heaping disdain on it.
"[The DRM software] hides with generic file names, and then monitors your activity - in terms of what you type on your keyboard, what e-mails you send, websites you look at, websites you run and what windows you have open on your screen," Mr. Schultz claims. The program uses this information to keep track of how many times a user has replicated a Sony media track. The protected CDs cannot be copied more than three times. After that, the program prohibits any further duplication.
"To some extent, it also 'phones home' to Sony over the Internet and uploads some of this information about your activity to them," Schultz continues, "potentially even identifying information such as your name, e-mail address and location on the Internet."
As it turns out, the way the antipiracy software is designed makes it easy to defeat. Just hold down the "shift" key when you insert a CD to play it.
"The reality is that this isn't going to stop any kind of so-called piracy," says Schultz. "All this technology does is inhibit you from making the same kind of personal, fair-use music you've always made. The real pirates are going to easily circumvent this technology. The bootleggers won't even blink."
In response to a flood of criticism, Sony and First 4 Internet reacted with information-age speed. The software patch was up and running on the Web by Nov. 2. But the patch serves only to locate the hidden software. Bloggers and computer experts are still steamed: The patch does nothing to help the user remove the rootkit, they say, and may in fact aggravate the problem.
For his part, Russinovich wonders why Sony wasn't more careful in the first place. He cites a National Public Radio interview with Sony's president of Global Digital Business, Thomas Hesse, in which he said that "most people, I think, don't even know what a rootkit is, so why should they care about it?"
"That quote nicely summarizes the problem," Russinovich says.