EFF Confirms Secret Software on 19 CDs

San Francisco - News that some Sony-BMG music CDs install secret rootkit software on their owners' computers has shocked and angered thousands of music fans in recent days. Among the causes for concern is Sony's refusal to publicly list which CDs contain the infectious software and to provide a way for music fans to remove it. Now, the Electronic Frontier Foundation (EFF) has confirmed that the stealth program is deployed on at least 19 CDs in a variety of genres.

The software, created by First 4 Internet and known as XCP2, ostensibly "protects" the music from illegal copying. But in fact, it blocks a number of legal uses--like listening to songs on your iPod. The software also reportedly slows down your computer and makes it more susceptible to crashes and third-party attacks. And since the program is designed to hide itself, users may have trouble diagnosing the problem.

"Entertainment companies often complain that fans refuse to respect their intellectual property rights. Yet tools like this refuse to respect our own personal property rights," said EFF staff attorney Jason Schultz. "Sony's tactics here are hypocritical, in addition to being a security threat."

If you have listened to a CD with the XCP software on your Windows PC, your computer is likely already infected. An EFF investigation confirmed XCP software on the following titles:

Trey Anastasio, Shine (Columbia)

Celine Dion, On ne Change Pas (Epic)

Neil Diamond, 12 Songs (Columbia)

Our Lady Peace, Healthy in Paranoid Times (Columbia)

Chris Botti, To Love Again (Columbia)

Van Zant, Get Right with the Man (Columbia)

Switchfoot, Nothing is Sound (Columbia)

The Coral, The Invisible Invasion (Columbia)

Acceptance, Phantoms (Columbia)

Susie Suh, Susie Suh (Epic)

Amerie, Touch (Columbia)

Life of Agony, Broken Valley (Epic)

Horace Silver Quintet, Silver's Blue (Epic Legacy)

Gerry Mulligan, Jeru (Columbia Legacy)

Dexter Gordon, Manhattan Symphonie (Columbia Legacy)

The Bad Plus, Suspicious Activity (Columbia)

The Dead 60s, The Dead 60s (Epic)

Dion, The Essential Dion (Columbia Legacy)

Natasha Bedingfield, Unwritten (Epic)

This is not a complete list, and Sony-BMG continues to refuse to make such a list available to consumers. Consumers can spot CDs with XCP by inspecting a CD closely, checking the left transparent spine on the front of the case for a label that says "CONTENT PROTECTED." The backs of these CDs also mention XCP in fine print. You can find pictures of these and other telltale labeling at http://www.eff.org/IP/DRM/Sony-BMG/.

"Music fans should protect themselves from this stealth attack on their computer system," said EFF Senior Staff Attorney Fred von Lohmann.

For more tips on keeping your computer uninfected:


Corynne McSherry
Staff Attorney
Electronic Frontier Foundation

Jason Schultz
Staff Attorney
Electronic Frontier Foundation
