Mark Russinovich, an independent Windows security researcher, stirred up the blogosphere’s attention with an entry in his blog on October 31 (Russinovich 2005), which then diffused into mainstream media. While testing a rootkit revealer he had developed, he found that the program identified some cloaked files of unclear origin. Digging a little deeper, he found that they had been installed along with a driver bundled into an audio CD he had purchased earlier. Such drivers are employed by record companies in order to play a music CD on a CD-ROM drive and enable "sterile burning" (consumers can make a limited number of copies, which in turn cannot be duplicated again). A rootkit is a set of software that helps an intruder gain access to a computer system and conceal that access.

This was not the first time that invasive DRM had been employed, but this time it did not go unnoticed by the broader public. The amount of attention contradicts the content industry’s argument that most users are not aware of DRM and accept it. In fact, some 230 consumers posted negative product reviews on Amazon for the CD that sparked the turmoil (cf. Sources).

DRM technology like this directly affects a computer’s operating system, disables access to other applications and allegedly exposes the user to security risks. This is the case with Sony BMG’s rootkit and with StarForce, a copy protection system for video game CDs. Another scenario in which the consumer’s interests might be considerably affected is the case of Microsoft’s DRM licence system. This might also be an issue with alternative DRM systems, such as Apple’s FairPlay.

This article discusses these three cases and evaluates the impact they might have on the user experience and on users’ attitude towards deep impact DRM and the companies employing it.

The Sony BMG rootkit case
This case has already been outlined in the introduction. In this section we go into some detail concerning risks and corporate behaviour in order to highlight some recurring patterns that emerge when deep impact DRMS are employed.

Intrusive DRMS create unnoticed security risks
An IT security expert detected the files when testing a rootkit revealer. For the average user, they would have remained invisible. Some observers argue that this might pose a security risk to the user, as hackers might try to sneak in malicious code that hides itself using the same cloaking mechanism as Sony BMG’s rootkit.

On an Internet forum where hackers of the online game World of Warcraft exchange news and ideas, one member rhapsodizes: "For only $14.99 [the price of the CD] you get a well done rootkit" (cf. WOWSharp 2005). Reportedly, a trojan is already exploiting this security hole (cf. SecurityFocus 2005), and a security researcher estimated that about half a million networks have been infected with the files (Norton 2005).

Implementation on operating system level
While "sterile burning" players like those employed by Sony BMG and others are well known, the new thing is that files were installed at the operating system level. While DRM usually tries to control what the consumer does with the content carrier (i.e. number of burns, etc.), these DRM systems directly manipulate the kernel, the operating system’s core. The kernel controls access to a PC’s hardware and to its various processes. The installed drivers supposedly scan for activity indicating attempts at piracy, which consumes processing resources and power in the process.

Intrusive DRMS overstretch the boundaries of any EULA
Similar to the StarForce representative (see below), a Sony BMG spokesperson implies that by accepting the EULA (short for "End User License Agreement"), the user agrees to have the rootkit installed on the PC as part of the copy protection system (McMillan 2005).

However, given that some consumers buy a large number of CDs and install plenty of programs, they can hardly be expected to read through and understand each EULA. And there probably has to be a point beyond which content providers cannot cover everything that is in their interest by means of a EULA.

In many cases the customer is not informed about the detailed specifications of the copy protection system before the purchase. And even if the documents were transparent enough, by the time the customer has read the EULA it would very probably be too late to return the CD and ask for a refund.

Intrusive DRMS are hard to uninstall
After uninstalling the player software, the rootkit files remain on the computer. Manual removal by the expert resulted in temporary loss of the CD-ROM drive. Even the patch originally offered by Sony BMG did not remove the files, but only made them visible.

If consumers, by accepting the EULA, allegedly agree to have the copy protection installed, the companies should equally assume that they want it removed when they agree to receive and run a patch. But that is not the case.

Companies hesitatingly admit misconduct
According to the developer of the DRM system, the British company First4Internet, "this is old news" (Whipp 2005), as the system had already been in use for a while. So the question remains why action is taken only now, if this is old news. "Consumers, for eight months, have been using these discs with positive feedback. When the issue arose, we addressed it quickly", says Mathew Gilliat-Smith, First4Internet’s CEO (Pogue 2005). That was probably a bit too late.

As a result of the debate, Sony BMG finally offered a patch for which people had to apply by filling out a form on the company’s website, submitting information such as the point of purchase, the album title and a valid email address. Only from November 10 on did the company offer a link for direct download of a patch that reveals and removes the files. The company eventually decided to pull the discs from the market (Borland 2005a). Doing so right away would have been an acknowledgement of the inconvenience actually or potentially caused by these measures.

In an interview on American national radio Sony BMG’s director for digital business, Thomas Hesse, notoriously said: "Most people, I think, don’t even know what a rootkit is, so why should they care about it?" (Orlowski 2005). Although this statement might be partially attributed to situational distress, it reveals a somewhat frightening lack of respect for the customer.

A similar pattern could already be detected in an earlier case. StarForce is an encryption and activation technology for CD, CD-R and DVD. It is developed by StarForce Technologies and is primarily used to protect electronic games. Basically, what this system does is deactivate tools that can potentially be used for illegitimate burning of discs, such as Nero Burning ROM or CloneCD. These are reactivated when the user has finished playing the game. In this way, StarForce tries to dictate whether and when certain applications can be used.

However, there have been reports on private sites indicating permanent loss of burning software purchased by the user (cf. Parsons 2004). One could argue that this puts every paying customer under the general suspicion of software piracy.

Although it seems evident that customers would not agree to have parts of their property disabled (even if only temporarily), one company representative states that "our product is licensed to our customers and becomes part of their product, so the user by accepting the terms [of the EULA] is giving approval" (Wojnarowicz 2004). With DRM getting more invasive, it is time to think about how far-reaching EULAs can be and whether the customer’s acceptance reflects his actual consent. After all, he has to accept in order to access the content. But by the time he learns about the EULA’s details, it is often too late to return the product.

Confronted with problems customers had reported, the representative replied: "Now that we hear the dissatisfaction about it, we have taken steps to fix it" (Wojnarowicz 2004). The tactic appears to be to see what is possible and, if someone notices, to withdraw under public pressure.

Microsoft DRM
One of Microsoft’s support pages describes the symptoms of the problem I want to discuss in the following: "The Windows Media Digital Rights Management system may not work if you make changes to your computer hardware. You may not be able to play protected content. Protected content includes content such as songs that you have bought and downloaded from an online store" (cf. Microsoft 2004). The reason for this is that users have to authenticate the computers on which they want to play the music they have purchased. So while this prevents the user from illegally swapping files, it may also prevent the user from swapping hardware components, as legitimately purchased property might become inaccessible. This specifically includes crucial components such as the central processing unit or the motherboard.

If the consumer is confronted with these problems, Microsoft suggests restoring the PC to its original settings. In case this does not help, a lengthy step-by-step guide is offered to resolve the problem. While this is unnerving for the tech-savvy user, it seems impossible for the average consumer (keep in mind that a lot of people consider programming a VCR too complicated).

But even if the user manages to go through the process of resetting the computer, backing up the licenses and all the other steps, there is still a chance that purchased files are lost forever. This situation does not seem to be too far-fetched: "If you cannot back up your license for a particular file, you cannot restore that license after you change your hardware component. If you cannot restore a license, you cannot play the protected file. For more information, visit the Web site of the license issuer to determine whether they support the Backup and Restore feature of Windows Media DRM" (cf. Microsoft 2004).

In practice this means that the user has to back up all DRM licenses, and if this is not possible, legitimately purchased files might be lost unless the distributor offers support. In case there is more than one distributor, things can get even more complicated. Thus, Microsoft’s DRM licensing system and authentication policy can make the replacement of hardware an annoying task, possibly resulting in the loss of content.

Bottom line
Any invasion by DRM technology that goes beyond the purpose of DRM is at least questionable and should be made more transparent. Furthermore, the companies’ reactions failed to show an unconditional willingness to serve the paying consumers’ interests. They should keep in mind that they own the music, not their customers’ computers.


About the author: After graduating from the University of Mannheim (Business Administration), Philipp Bohn joined Berlecon Research as Junior Analyst. He is a member of the INDICARE team. Contact:

Status: first posted 24/11/05; licensed under Creative Commons