Sony's decision to withdraw its controversial copy-protected CDs followed weeks of flames by bloggers.
Sony BMG Music Entertainment said Wednesday it will stop selling 50 CD titles with its XCP content protection software. Sony also said it will remove the discs from stores, and offer replacements without copy protection to customers.
Before Sony acted, the company suffered through weeks of angry posts by bloggers who stirred outrage against the company.
It started when security researcher Mark Russinovich first posted to his blog that Sony's music CDs surreptitiously installed digital rights management software based on a "rootkit"--a hacking tool widely considered to be spyware. Following that, bloggers of all stripes, from seasoned security experts to aggrieved consumers, vented about the record company's unethical and possibly illegal behavior.
"It seems crystal clear that but for the citizen journalists, Sony never would have done anything about this," says Fred von Lohmann, senior intellectual property attorney for the Electronic Frontier Foundation, a cyber liberties advocacy group that has been vocal in its condemnation of Sony and may eventually file a a lawsuit against Sony, in addition to three that have already been filed. "It's plain to me that it was Sony's intent to brush the story under the rug and forget about it."
Alan Scott, chief marketing office at business information service Factiva, said, "I think that we're in an entirely new world from a marketing perspective. The rules of the game have changed dramatically. The old way of doing things by ignoring issues, or with giving the canned PR spin response within the blogosphere, it just doesn't work."
Thomas Hesse, Sony BMG's Global Digital Business President, attempted to do just that by dismissing the online protests. "Most people, I think, don't even know what a rootkit is, so why should they care about it?" he said in a November 4 interview on National Public Radio's Morning Edition. He added, "The software is designed to protect our CDs from unauthorized copying and ripping."
Blog search site Technorati.com shows well over a hundred blog postings ridiculing this particular quote, each of which may have been linked to by other blogs.
Two days before the NPR interview, Sony attempted to mollify its critics by offering an update that "removes the cloaking technology component" of the XCP DRM software. The update notes claim, "This component is not malicious and does not compromise security."
That's simply not true--the rootkit component allows attackers to take control of target computers. Moreover, another component, the uninstaller Sony provided to remove the XCP software, did compromise security. And once again, it was the blog community that brought this fact to light.
In their Freedom-to-Tinker.com blog, computer researchers J. Alex Halderman and Edward Felten confirmed the findings of a Finnish computer expert that the uninstaller utilizes a poorly coded ActiveX control that allows any Web page a user visits to install and run any code its like on the user's machine.