The balancing act: Protection vs. fair use
"Independent consumer surveys [about] the CDs that have been released have shown very positive consumer reactions to the way the CDs work in their computer, and the ability to make backup copies," stated First 4 Internet's Gilliat-Smith. "So we're always reviewing the ways forward...and we will recommend and suggest different ways of putting in these speed bumps, but we will not be using the same methodologies that have been written about in [Russinovich's] article."
Ross Rubin, director of industry analysis for NPD Techworld, has been following the XCP DRM story with us. "It's a difficult challenge to balance the convenience of listening to music with the desire to protect intellectual property," he told TG Daily. "I think, at this point, it's very difficult to try to go back in time and turn CDs into a secure mechanism, because there's just such a tremendous installed base of compatible products, and consumers are used to listening to CDs on their computers and ripping them." The ultimate solution, Rubin believes, is to work toward focusing upon preventing the undesired behavior, rather than preventing a large class of behaviors, most of which are not necessarily illegal or even unethical.
But what's a company like F4i to do? If it uses completely benign copy protection methods, even novice users can easily smooth out its "speed bumps;" if it uses stealth in any form (especially now), it opens itself up to ridicule. "It's kind of a no-win situation," responded Rubin. "It's very hard to find the medium that's not going to punish the legitimate users of your product, but which is going to discourage those who would abuse fair usage privileges. I think up until now, most of the criticism has been around the protection schemes being too easy to circumvent. Now, perhaps, the pendulum has swung the other way."
Responses we received to yesterday's article about the Russinovich story included a comment that XCP may be undesirable from a consumer's perspective not because it's malware, but because it wastes processor space and that it monitors customers' CD-ROM listening habits. Gilliat-Smith denied both claims: "I sense what's happening is, people are making assumptions without having run the discs themselves. There is no suggestion that there is any monitoring of what's going on at all...It has not been reported to me that excessive CPU usage is being made here. There is the cloaking technology that had been used up until now, to 'hook and redirect' to disguise the files; [that] might be using minimal CPU usage, but there's certainly no [indication] that it's been making an onerous usage of it."
In an update to his original article posted today, Sysinternals' Mark Russinovich elevated his language. Not only does he now refer to XCP directly as a rootkit, he adds that since XCP's built-in media player software (with which limited backup copies can be produced) does establish a connection with a remote server, the DRM software as a whole truly does "phone home," in essence fulfilling the extra requirement necessary to qualify for the hackers' definition of a rootkit. Further, he cites the fact that the end-user license agreement (EULA) shipped with the Sony BMG audio CD does not make mention of this capability. For proof, Russinovich reproduces the entire language of the EULA on a Web page unto itself, highlighting the portion which references the XCP software package directly. In very rudimentary boilerplate language, it states, "The SOFTWARE is intended to protect the audio files embodied on the CD," and will reside on the user's system until removed or deleted. However, it states, the software will not collect personal information of any form.
In his update, Russinovich characterized Sony BMG's EULA with these words: "An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications."
The EULA, states F4i's Gilliat-Smith, is a matter for Sony BMG to determine for its customers. However, based on his understanding of it, "The EULA is very clear, and it's a very straightforward process. It clearly states that content protection technologies can be loaded. If the user doesn't agree to accept, then the CD does not load, and the program does not load.
"This is not malware, not spyware," Gilliat-Smith reiterated. "No one has suggested that it is. What they're saying is that rootkit technology - which this is not, in its entirety - is something that potentially could be used to masquerade behind, and I confirmed that the XCP technology no longer uses the cloaking technologies that this article suggested could potentially pose a threat."
But Gilliat-Smith would not go so far as to say current or future versions of XCP would refrain from using stealth techniques going forward - just the "hook and redirect" method discovered by Russinovich. "Going forward in the future, we will obviously take forward any concerns, and we will make sure that the consumer is foremost in our minds in terms of how we do it," he told us. "Because it's a balance between protection and keeping the consumer foremost in our minds...We very quickly alleviated anybody's concerns, and are moving forward, and continuing to perform the task that badly needs to be done."
NPD's Ross Rubin sees the same balancing act, but perceives a different solution: "It comes down to the balance argument: Do you really need to be operating that far down in the OS to discourage casual piracy? I don't think you do. The users who are determined to crack the codes are really going to focus time and energy on those kinds of efforts anyway. I wouldn't agree that it's necessary to dig that deep."