Sony's Escalating "Spyware" Fiasco

Along with lawyers, prosecutors, and furious fans, artists are joining the backlash against the label for slipping a hidden, anti-theft program into users' computers

Van Zant's Get Right with the Man CD was released in May, but six months later it still was doing better-than-respectable business on Amazon (AMZN). The album ranked No. 887 on the online retailer's list of music sales on Nov. 2. Then news of the CD's aggressive content safeguards -- a sub-rosa software program incorporated courtesy of Sony BMG -- exploded on the Internet.

To prevent audiophiles from making multiple copies of the CDs, Sony (SNE) had programmed the Van Zant disk, and dozens of others, with a hidden code called a "rootkit" that secretly installs itself on hard drives when the CDs are loaded onto listeners' PCs. Soon enough, hackers began designing viruses to take malicious advantage of the hidden program, and a Sony boycott had begun (see BW Online, 11/17/05, "Sony's Copyright Overreach").


Overnight, Get Right with the Man dropped to No. 1,392 on Amazon's music rankings. By Nov. 22 -- after the news made headlines and Sony was deep into damage control, pulling some 4.7 million copy-protected disks from the market -- Get Right with the Man was even further from Amazon's Top 40, plummeting to No. 25,802.

The wrath of fans killed Sony's CD copy controls, with the company pulling 52 titles off retail shelves, beginning the week of Nov. 14. But the wrath of bands could be far worse for the company -- and for efforts to protect content in general.

Singers and songwriters are increasingly expressing frustration at devices used by record companies to protect digital content from widespread theft that results when CDs are copied repeatedly or popular tracks are given away on peer-to-peer (P2P) networks, such as LimeWire and BitTorrent. Sony's misstep has been bad for the company -- and its effects could spread much further, should the consumer outcry gain traction with the recording artists who need to keep their fans happy if they want to sell records.


In the beginning, it was cyber libertarians and outspoken consumer groups leading the charge against digital rights management (DRM). But the Sony rootkit debacle has brought the issue home even to digilliterates -- including many of the artists themselves.

"We're really upset about this," says Patrick Jordan, director of marketing for Red Light Management, which represents Trey Anastasio, former front man to jam band Phish. Anastasio's latest solo album, Shine, was released Nov. 1, just as news of Sony's rootkit was worming its way onto Internet blogs and listservs. "I'm expecting a decrease in sales," Jordan adds.

Indeed, Shine debuted with 15,000 sales its first week. But by week two, when the rootkit fiasco was in full swing, sales had plummeted to 7,000. Weekly numbers will be released Nov. 23, and Jordan is bracing for the worst. "It's been damaging, and certainly we're going to discuss that with the label," he says.


Recording artists as a group have been among the most vocal backers of so-called DRM schemes as a way to control online theft of music. And many such protection devices are widely accepted, because they're loose enough that they don't impede the average audiophile's listening.

A Sony BMG spokesman declined to comment for this story, but the goal of the Sony rootkit has been lost in the digital fog. The software was meant to set up speed bumps for would-be thieves, yet give consumers some of that much-demanded flexibility. In Sony's case, that meant the freedom to make up to three copies of a purchased disk and play it on multiple platforms, such as a PC or a car stereo, yet prevent posting to P2P sites or massive copying.

What tripped up the company was less its goal than the method used to achieve it. Sony BMG's content-protection scheme, designed by an outside software-security firm, was basically a form of spyware. The rootkit installed itself surreptitiously, relayed back to the company what users were doing with their Sony music, and exposed users' PCs to viruses.


Sony now is facing at least three consumer class-action lawsuits, as well as at least one law-enforcement action. On Nov. 21, Texas Attorney General Greg Abbott accused the company of violating the Lone Star state's laws against computer spyware.

"Sony has engaged in a technological version of cloak-and-dagger deceit against consumers by hiding secret files on their computers," Abbott said in a written statement. "Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses, and expose the consumer to possible identity crime."

But the most serious fallout from the rootkit brouhaha could be the cultural challenge to DRM. Some artists, including the Dave Matthews Band, subscribe to a "trust your fan" mentality, and have begun negotiating with their record labels to omit content-protection provisions from their CDs.


Many others are frustrated with content protections, such as Sony's, which prevent their music from being dragged onto Apple Computer's (AAPL) iPod. Apple refuses to license the proprietary iPod software to the record labels for use with any music that isn't purchased from its iTunes music-download site.

As Sony BMG and other labels release more CDs with tracks that can't be dragged to iPods, artists are hearing from outraged fans. In response, some artists -- including Tim Foreman, guitarist for Switchfoot, whose Nothing Is Sound release was part of the Sony recall -- used a fan site to post instructions for disabling Sony content protections that prevent consumers from dragging tunes to their iPods.

"We were horrified when we first heard about the new copy-protection policy," Foreman wrote in a Sept. 14 post first reported by Billboard magazine. "It is heartbreaking to see our blood, sweat, and tears over the past two years blurred by the confusion and frustration surrounding new technology."


"This is serious business," says Red Light Management's Jordan. "As managers, we've always supported trusting our fans. Copy protection has nothing to do with trust."

If reaction to the Sony rootkit is any measure, Jordan is right. As news of the secret code grew, music fans began using Amazon's review function to post messages to their favorite tunesters. "Sorry Trey," wrote Freddie, an Anastasio fan from Maryland, "but you should find a new label."

Artists have yet to take such measures -- but if the fallout worsens, Freddie's advice may not sound so drastic.
