
1 The Sony BMG DRM Debacle
Corynne McSherry, Staff Attorney
February 28, 2005

2 Overview: What was the problem?
In a nutshell: Sony BMG Music Entertainment included flawed ‘copy-protection’ software in millions of music CDs sold to the public.
The DRM software had serious security holes:
- XCP had a ‘rootkit’ and hid system files
- MediaMax allowed a privilege escalation attack
The software also ‘phoned home,’ invading consumer privacy without disclosure

3 Background: Who is Sony BMG?
Sony BMG is the world's second largest music company, responsible for about 25% of sales.
Prominent labels include Arista Records, Columbia Records, Epic Records, RCA Records, RCA Victor Group.

4 Background: What Were They Thinking?
Labels are concerned about unlimited CD copying
- Seeking more rights than provided by law
DRM is not designed to stop all “piracy”
- Can’t stop peer-to-peer/darknet
- Can’t stop commercial operations
Proponents call it a “speedbump” to “casual piracy,” keeping “honest people honest”

5 Background: Your Legal Rights to Copy CDs
Fair use to copy to computer
Fair use to copy to MP3 player
Audio Home Recording Act allows non-commercial copies by consumers onto CD-Audio discs
DRM provides tighter restrictions than copyright law

6 DRM Is Problematic By Nature
Active protection* only works if DRM software is running to interfere with reading the standard CD format
Software must have greater rights than the user or it is easy to defeat or remove
But users do not want software that restricts their uses; they often try to remove or disable it
* Passive protection, which exploits differences in how computers and CD players read discs, is generally considered insufficient.

7 First4Internet’s XCP
4.7 million made; 2.1 million shipped
Written with intent to conceal itself from users (like a “rootkit”)
- Hides files from the user, intercepts calls to the CD drive
Extremely difficult to remove without damage
- Improper removal can break the CD drive
Communicated listening habits to a sonymusic.com server

8 SunnComm’s MediaMax
20 million total; about 5.7 million with MM5.
Installed some files (over 12 MB), including DRM, even if the user clicks ‘I disagree’
MM5 allowed privilege escalation attacks
- SunnComm folder permission open to “Everyone”
- Attacker could set a booby-trap for the next CD play
Communicated listening habits to a SunnComm server

9 Sony BMG’s EULA
Both installs included a 3000-word End User License Agreement
Highlights
- Lose rights to digital copy if you lose the physical CD
- Lose rights upon bankruptcy
- Can’t leave the country with the digital copy (i.e., the one on your MP3 player)
- Sony can use software to “enforce its rights”
- Prohibits reverse engineering
- $5 limit on damages; must sue in NY

10 Privacy Concerns
Software sends a unique identifier to an external web server that can be used to identify which CDs are being played
Also provides standard web browser info to the server
Can be used to send content to the player software, customized by the songs
Was not disclosed to users in the EULA or otherwise; website FAQ had denials.

11 Sony DRM Spotting

12 What is Spyware?
Anti-Spyware Coalition describes spyware as technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
1) material changes that affect a user's experience, privacy, or system security;
2) use of the user's system resources, including what programs are installed on the user's computer; and/or
3) collection, use, and distribution of a user's personal or other sensitive information.
Computer Associates defines spyware as, "Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior."

13 Sony BMG’s XCP Response
Oct. 4: F-Secure informs Sony BMG privately
Oct. 31: Mark Russinovich blogs about the rootkit
Nov. 4: Sony BMG Exec. Thomas Hesse says “Most people, I think, don't even know what a rootkit is, so why should they care about it?”
Nov. 8: Sony BMG writes XCP “is not malicious and does not compromise security.”
After multiple lawsuits filed and intense public pressure (incl. EFF open letter) Sony changes tune

14 Sony BMG’s MediaMax Response
Nov. 14: EFF open letter pushes on MediaMax
Nov. 30: EFF informs Sony BMG privately about vulnerability detected by iSEC Partners (EFF had requested examination of the software)
Dec. 6: Joint announcement; patch released
Dec. 7: Security flaw found in the patch
Dec. 8: New patch issued.

15 The Law: Overview
Many class action lawsuits filed; Texas AG files civil action; other AGs (NY, MA, IL) and FTC investigating.
Legal issues include:
- Anti-Spyware Laws
- Anti-Hacking Laws
- Unfair Business Practices Laws
- False Advertising Laws

16 10 States Have Anti-Spyware Laws
E.g. California’s Consumer Protection Against Computer Spyware Act:
- Prohibits preventing “an authorized user's reasonable efforts to block the installation of, or to disable, software, by presenting the authorized user with an option to decline installation of software with knowledge that, when the option is selected by the authorized user, the installation nevertheless proceeds.”
- Authorized user excludes persons that have “obtained authorization to use the computer solely through the use of an end user license agreement.”

17 Federal Anti-Hacking Laws
Computer Fraud and Abuse Act
- “intentionally access protected computers,” and as a result of such conduct, cause damage;
- By means of such conduct further an intended fraud; or
- Cause a threat to public health or safety, medical computer, administration of justice

18 State Anti-Hacking Laws
California Penal Code 502:
- forbids any person knowingly introducing “any computer contaminant into any computer, computer system, or computer network.”
- computer contaminant: “any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information.”

19 Unfair Business Practices
Many states have laws against unfair business practices. California’s forbids companies from engaging in unfair competition, which is defined as “any unlawful, unfair or fraudulent business act or practice....”
Unlawful: Any violation of law, federal or state, civil or criminal, can be a trigger
Unfair: Can include privacy violations
Fraudulent: Addresses misrepresentations

20 DMCA Issues
Digital Millennium Copyright Act generally prohibits circumventing copy protection systems
Some speculated that security research into Sony BMG’s DRM software could violate the DMCA
In response to EFF’s open letter, Sony BMG said it would not use the DMCA against “legitimate security researchers.”
Alex Halderman and Ed Felten sought an exemption that would allow DRM circumvention for spyware and security holes through the DMCA rulemaking process.

21 Why Such Problems With DRM?
As Prof. Ed Felten points out,* DRM is likely to act like spyware because both face similar problems:
- Installing software users do not want
- Stopping removal or disabling
Plus inherent security risks in operating software at a high rights level
* See http://www.freedom-to-tinker.com/

22 A Skeptic’s View of DRM
DRM is ineffective at stopping “piracy.”
Fair use must be preserved
DRM must not impede innovation, competition and consumer choice
DRM technology mandates are bad policy
Anti-circumvention rules impede innovation and security research

23 What’s the Big Deal?
Many software programs have bugs and security holes
Key differences:
- Installed without user authorization or knowledge
- No notice of ‘phone home’ feature
- XCP rootkit was a deliberate design decision
- Different expectations for CD-Audio

24 MediaMax Hack
Discovered by iSEC Partners (at EFF request)
The SunnComm Shared directory uses an ACL that allows low-rights users (i.e., "Everyone" in Windows parlance) to overwrite its contents, such as MMX.EXE, the MediaMax program.
An attacker can overwrite MMX.EXE with code of her choice, and the next time a MediaMax disc is played, her attack code will be executed as an Admin.
Attack vectors are limited only by the creativity of malware writers.
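The flaw on this slide (and on slide 8, "SunnComm folder permission open to 'Everyone'") is a file-system ACL problem, so a defender can audit for it directly. The PowerShell below is an added example, not code from the presentation, from EFF, or from SunnComm: it walks a directory tree and reports every executable that a low-privilege principal could replace, either because the file itself is writable or because its folder lets that principal create and delete files. The root path, the list of low-privilege principals and the extension list are assumptions; the page names the "SunnComm Shared" folder but not its full path, so the root is left as a parameter.

```powershell
# Added example, not part of the EFF presentation or of SunnComm's software.
# Audits a directory tree for the MediaMax-style flaw: an executable that a
# low-privilege user can replace and that later runs with admin rights.
# Assumptions: $Root, the principal list and the extension list are ours; the
# slides name the "SunnComm Shared" folder but not its full path.

function Find-WritableExecutables {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Principals every interactive user belongs to; "Everyone" is the case from the talk.
        [string[]] $LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'),
        [string[]] $ExecutableExtensions = @('.exe', '.dll', '.com', '.bat', '.cmd')
    )

    $R = [System.Security.AccessControl.FileSystemRights]
    # Rights that let a caller change a file's contents in place ...
    $fileWriteMask = [int]$R::WriteData -bor [int]$R::AppendData -bor [int]$R::Write -bor
                     [int]$R::Modify -bor [int]$R::FullControl -bor 0x40000000 -bor 0x10000000
    # ... or swap the file out by deleting and recreating it inside its folder.
    $dirWriteMask  = [int]$R::CreateFiles -bor [int]$R::Delete -bor [int]$R::DeleteSubdirectoriesAndFiles -bor
                     [int]$R::Modify -bor [int]$R::FullControl -bor 0x40000000 -bor 0x10000000
    # 0x40000000 and 0x10000000 are GENERIC_WRITE and GENERIC_ALL, which some ACEs carry as raw bits.

    # Returns the Allow ACEs on $Path that grant a low-privilege principal any bit in $Mask.
    function Get-WeakAce([string] $Path, [int] $Mask) {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (([int] $_.FileSystemRights) -band $Mask) -ne 0
        }
    }

    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $exes = @(Get-ChildItem -LiteralPath $dir.FullName -File -ErrorAction SilentlyContinue |
                  Where-Object { $ExecutableExtensions -contains $_.Extension.ToLower() })
        if ($exes.Count -eq 0) { continue }

        # Case 1: the folder lets a low-privilege user create or delete files, so the
        # binary can be replaced even if its own ACL looks tight.
        foreach ($ace in Get-WeakAce $dir.FullName $dirWriteMask) {
            [pscustomobject]@{
                Path        = $dir.FullName
                Kind        = 'Directory'
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Executables = ($exes.Name -join ', ')
            }
        }
        # Case 2: the binary itself is writable (the MMX.EXE case on this slide).
        foreach ($exe in $exes) {
            foreach ($ace in Get-WeakAce $exe.FullName $fileWriteMask) {
                [pscustomobject]@{
                    Path        = $exe.FullName
                    Kind        = 'File'
                    Principal   = $ace.IdentityReference.Value
                    Rights      = $ace.FileSystemRights
                    Executables = $exe.Name
                }
            }
        }
    }
}

# Usage (the root is an assumed starting point, not a path given on the slides):
# Find-WritableExecutables -Root 'C:\Program Files\Common Files' | Format-Table -AutoSize
```

Run it as an ordinary user, since that is the vantage point of the attacker the slide describes; an empty result means no low-privilege principal can replace any executable under the root. Each finding is a file a different user on the machine can swap for code of her choosing, and it becomes the privilege escalation on this slide as soon as anything with administrator rights executes that file. The corrected setting for such a folder is read-and-execute only for low-privilege principals, with write, create and delete reserved for Administrators and SYSTEM; for instance `icacls "<folder>" /inheritance:d /remove:g Everyone /grant:r "Everyone:(OI)(CI)RX"` applied to the directory (a general Windows remediation, not a step the page attributes to the vendor's patch).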

25 Why EFF Got Involved
To protect people who purchased these defective discs and to prevent this from re-occurring
A watchdog was needed to ensure the settlement was fair, reasonable and adequately addressed all the issues
Bring our expertise in DRM issues to bear

26 The Settlement: EFF’S Goals
Close the spigot: Stop production of more flawed CDs.
Get people non-DRM'd/non-EULA'd versions of their music.
Get this relief to people quickly.
Get people some free music, or a choice of some money for their trouble.
Ensure adequate notice--of flaws and compensation.
Ensure independent security testing and pre-launch EULA review of any future DRM
Ensure quick, reliable process for handling future security problems--with independent experts and judicial enforcement

27 Settlement terms by disc type

IF YOU BOUGHT:    YOU ARE ELIGIBLE FOR:
XCP               1. An identical CD that does not contain DRM
                  2. A clean MP3 version of the music on that CD
                  3. For every CD you return: a cash payment of $7.50, plus one free download from a list of approximately 200 album titles in the Sony BMG catalogue; OR three free downloads (same list)
MEDIAMAX 5.0      1. A clean MP3 version of the music on that CD
                  2. One additional download
MEDIAMAX 3.0      A clean MP3 version of the music on that CD

28 Settlement doesn’t include:
Damage to a computer or network resulting from interactions between XCP or MediaMax and the user’s computer (e.g., damage to hard drive);
Damage related to reasonable efforts to remove XCP or MediaMax; or
Copyright, trademark or other IP claims (e.g. GPL claims, which can only be brought by code rightholders).
Another option: Opting Out (by May 1).

29 EULA PROVISIONS
Replacement CDs/downloads won’t have a EULA
For old discs: Sony BMG agrees not to enforce provisions forbidding fair use, resale of CDs, and full use of CDs if the user fails to install an update or goes bankrupt.
Future EULA: Independent EULA reviewer

30 What about the future?
If Sony uses DRM in the future, it must:
- Adequately disclose DRM BEFORE sale
- Have DRM independently tested for security flaws BEFORE release
- Ensure the DRM doesn’t install without explicit permission
- Provide ready access to an uninstaller
- If a security flaw is found after release: notify/fix/disclose
