Controversial copy-protection software used by music publisher Sony BMG on music CDs appears to have tapped an open source project, raising questions about copyrights, software experts said on Friday.
The XCP program, developed by British software firm First4Internet and used by Sony BMG to restrict copying and sharing of music CDs, is already highly controversial because it acts like virus software and hides deep inside a computer where it leaves the backdoor open for malicious hackers.
Sony BMG earlier this week said it would recall
some 4.7 million CDs with the software, after the discovery of the first computer viruses last week that took advantage of the weakness.
The XCP program will have installed itself on a Windows-operated personal computer when consumers want to play 49 title CDs from Sony BMG. The programme forces consumers to use a music player that comes with the program.
This music player contains components from an open source project, the popular LAME MP3 player.
"Multiple software components on the CD have references to the LAME open source MP3 code," Finnish software developer Matti Nikki said in an e-mail.
After unraveling the code, others found similar evidence.
"We can confirm that at least 5 functions in the XCP software are identical to functions in LAME," said Thomas Dullien at security software firm Saber Security in Bochum, Germany, which specializes in the analysis of complex software.
Open source software, if used, needs to be identified as such, so that it can be freely shared with others. Developers on Slashdot.org and other Internet bulletin boards could not find an open source reference in the copy-protection software.
If open source software is tightly integrated into a single executable program, the whole application has to become open source software, even open source software such as LAME whose MP3 encoder is licensed under the more relaxed Lesser General Public License (LGPL), a lawyer said.
"That's the flipside of open source: If you don't respect the open source rules, the old regime of copy protection comes back in full force," said attorney and Internet specialist Christiaan Alberdingk Thijm at law firm SOLV in the Netherlands.
There was LAME and other LGPL code in the program, and significant amounts were tightly integrated into the executable program, Saber Security said.
"We can confirm the existence of significant amounts of code from FAAC (which is LGPL) in the executable ... These functions are part of ECDPlayerControl.ocx, thus directly integrated into the executable," Dullien said in an email.
First4Internet, which sold the XCP software program used by Sony BMG on its CDs, declined to comment on the news-story.
Sony BMG, which also declined to comment, has positioned itself as a defender of artists' rights.
It re-emphasized last week that copy-protection software is "an important tool to protect our intellectual property rights and those of our artists."
Responding to public outcry over the unsecure software, the music publishing venture of Japanese electronics conglomerate Sony and Germany's Bertelsmann AG said last week it would temporarily suspend the manufacture of music CDs containing XCP technology.
Microsoft's anti-virus team said earlier on Tuesday it would add a detection and removal mechanism to rid a PC of the Sony DRM copy-protection software, because it jeopardized the security of Windows computers.
Sony BMG last week was targeted in a class action lawsuit complaining it had not disclosed the true nature of its copy-protection software.
Damage Runs Deep For Sony-BMG
Trying to gauge the damage caused by Sony-BMG rootkit DRM could take years to comprehend. The gaping wound caused by Sony-BMG exists well beyond infected computers, security problems, and a tarnished reputation. The record label entire philosophy on P2P networking, Internet piracy and DRM has been effectively destroyed.
The last thing record labels want is a tremendous amount of attention drawn to the implementation of DRM. As if Sony-BMG actions weren bad enough, drawing negative publicity to the DRM issue on only compounded the situation.
Now people are very aware of the Sony-BMG fiasco and the implementation of DRM. What was once largely invisible to the average customer has been shot right into the spotlight. The term 'DRM' is now associated with malignancies such as virus, malicious software, and Trojan.
This situation has already delayed the implementation of DRM on CDs. Sony-BMG has ceased the manufacture of CDs with XCP software, and does not expect to reinstate their DRM policy until sometime next year. Other record labels are also coming under increased scrutiny for their DRM products, forcing EMI to state, "we don't use rootkits." With so much public scorn now directed towards DRM, record labels are facing the very real possibility that DRM in its current incarnation can no longer manage to exist.
Sony-BMG has managed to accomplish in 16 days what bloggers, the Electronic Frontier Foundation, writers, journalists, and niche sites have been working on for years. Sony-BMG has destroyed the music and movie industry arguments against P2P, and brought mainstream attention and public distaste to the DRM debate.