The Sony DRM debacle will continue to be in the news. Sony was hit with a class action lawsuit in California yesterday, and new information has emerged about the software that Sony has made available to uninstall its malware – namely, that Sony has made it difficult to obtain, and harvests your e-mail address and requires the installation of additional suspicious software before you’re allowed to download it.
Here’s a summary from the investigator who originally uncovered the Sony DRM software.
For those readers that are coming up to speed with the story, here’s a summary of important developments so far:
The DRM software Sony has been shipping on many CDs since April is cloaked with rootkit technology:
- Sony denies that the rootkit poses a security or reliability threat despite the obvious risks of both
- Sony claims that users don’t care about rootkits because they don’t know what a rootkit is
- The installation provides no way to safely uninstall the software
- Without obtaining consent from the user Sony’s player informs Sony every time it plays a “protected” CD
Sony has told the press that they’ve made a decloaking patch and uninstaller available to customers, however this still leaves the following problems:
- There is no way for customers to find the patch from Sony BMG’s main web page
- The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
- Access to the uninstaller is gated by two forms and an ActiveX control
- The uninstaller is locked to a single computer, preventing deployment in a corporation
Consumers and antivirus companies are responding:
- F-Secure independently identified the rootkit and provides information on its site
- Computer Associates has labeled the Sony software “spyware”
- A lawfirm has filed a class action lawsuit on behalf of California consumers against Sony
- ALCEI-EFI, an Italian digital-rights advocacy group, has formally asked the Italian government to investigate Sony for possible Italian law violations