Sony BMG said overnight it was recalling millions of music CDs with copy protection software that experts said could expose personal computers to viruses and hackers.

Sony BMG, one of the world's biggest music companies, said it was ending the use of the software provided by a third-party vendor and allowing consumers who purchased CDs to exchange them for similar items without the software.
The joint venture of Japan's Sony and German-based BMG reacted to a firestorm of protests and the threat of legal action over its use of the so-called XCP copy protection software.

When one of the CDs is inserted into a PC, the XCP software can modify computer settings and, according to some experts, expose the computers to a variety of malicious software programs.

"We deeply regret any inconvenience this may cause our customers and we are committed to making this situation right," Sony BMG said in a letter to customers on its website.

"It is important to note that the issues regarding these discs exist only when they are played on computers, not on conventional, non-computer-based CD and/or DVD players."

Sony said it was halting the use of the copy protection software developed by First4Internet, and providing technical data to anti-virus companies to help fix any problems on affected PCs.
One security firm, Internet Security Systems, went so far as to label the copy protection in the CDs as "malware" or malicious software, noting that it did not allow consumers the ability to remove it.

"This software actively attempts to hide its presence from users and does not offer uninstall functionality," ISS said in a bulletin.

"The software also provides a cloaking mechanism that is being used by different trojans to hide their presence," it said, referring to a common type of computer virus.

Security firm Sophos said its poll of more than 1500 business PC users showed 98 percent believe the software is a "security threat".

"In taking aim at the music pirates, Sony succeeded only in shooting itself in the foot," said Graham Cluley, senior technology consultant at Sophos.

"System administrators have a very low opinion of any code which endangers the safety of their networks."

San Francisco law firm Green Welling LLP said this week it sent a letter to Sony BMG demanding that the music firm fix the problems created by the software on its music CDs.

"Although billed by Sony BMG as common digital rights management (DRM) software that is just for copy protection, it seems that it is really much more," the law firm said.

"The XCP, or extended copy protection, software utilizes 'rootkit' technology that hides the software from users. The software creates a security risk for personal computers that allows hackers to hide damaging programs in computers that have Sony BMG's software in them," the letter continued.

"The software also secretly communicates with Sony's servers and can be used to send information back to the users' media player programs."

Sony BMG officials could not be reached for additional comment, but the New York Times reported that some two million CDs with the copy protection had been sold out of some five million shipped to retailers.

Reports have indicated the XCP program was installed on CDs of artists including Celine Dion, Ricky Martin and others.

The Electronic Frontier Foundation, an activist group critical of the software, has blasted Sony BMG for a "nefarious program, burying it deeply and obscurely within your operating system."

"The program will monitor your computer activity in the name of preventing the so-called epidemic of 'piracy' that results from people making extra copies of their music CDs or favorite songs," EFF said.

"Worse yet, there is no 'uninstall' feature on this program. It's like the roach motel - once Sony BMG's surveillance program checks in, you can't make it check out without completely wiping your entire system clean."

EFF said several other Sony-BMG CDs are protected with a different copy-protection technology, sourced from SunnComm.