WHEN Sony BMG admitted a couple of weeks ago that it had shipped a couple million music CDs containing a hidden software program called XCP that secretly installed itself on computers, the public was weirded out. Why the hell was a music company sneaking unidentified software onto people's computers without telling them? Sony's answer—that this was digital-rights management (DRM) software to prevent music piracy—seemed inadequate.

After all, DRM has been around for a while, but it's never come in the form of secretly installed programs. What were those programs doing, anyway?

Computer-security geeks wanted to find out, too. Turns out that XCP is based on a tool called a "rootkit," which bad guys have traditionally used to take control of their victims' computers. Anyone who plays the new Celine Dion CD on his or her computer is making him or herself vulnerable to viruses and other digital nasties. The danger is so great that the U.S. Computer Emergency Response Team actually issued a special alert on Nov. 15 warning people not to play Sony CDs with XCP on them.

Note to entertainment companies: You know you've gone too far with your copy-protection technology when the copyright-expansionist U.S. government steps on your head.

So Sony agreed to fix the problem—sort of. The company issued a deinstaller for XCP that was supposed to get rid of the nastiness. And that's when things got really interesting. According to Ed Felten, a computer-security professor at Princeton, the deinstaller is even worse than the original XCP rootkit.

After examining the deinstaller, Felten wrote in his blog Freedom to Tinker that it includes new versions of all the old files from the rootkit, as well as some new ones. Not only was Sony replacing XCP with something else, it was adding to it. "No doubt, they'll ask us to trust them," Felten wrote. "I wouldn't."

Not surprisingly, the creepy discoveries continued. Researchers found that Sony's sneaky program also phoned home to Sony, potentially allowing the company to track who was playing its CDs and where. Microsoft issued a statement saying that its anti-virus software protected against the Sony rootkit. (It's worth noting that Microsoft might have had a few less-than-benevolent reasons for helping hapless consumers—the company is in litigation with Sony right now.)

Sony responded by saying that it will replace XCP-infected CDs with uninfected ones for free. Meanwhile, Sony got sued in Texas, California and Italy under anti-spyware and consumer-protection laws.

But this DRM meltdown is far from over. It turns out that XCP isn't the only piece of secretly installed and potentially malicious software that Sony is distributing with its holiday CD releases. People who use Windows machines to play CDs with something called MediaMax on them will find that new files and programs suddenly show up, uninvited, in their Common Files directory in a folder called SunnComm Shared (SunnComm is the company that makes MediaMax). There is already evidence that the stuff installed by MediaMax is just as dangerous as the XCP rootkit.

What does all this bad craziness mean? In the short term, it means don't buy any new CDs from Sony BMG. The long term is a little more hazy. Remember, all this stupidity started with an entertainment corporation wanting to protect its intellectual property. That company was so hellbent on preventing you from making an infringing copy of a Billie Holiday CD that it was willing to sacrifice your computer. This scandal over DRM software has been an object lesson on what exactly the values of the music industry are.

While I'd love to believe that the egg on Sony's face will force other entertainment companies to shy away from trying to protect their copyrights using DRM, I think the XCP and MediaMax debacles are ironically going to usher in an era of widespread acceptance of DRM. By making DRM that is so egregiously horrible, Sony has set the floor for what the public will accept. So long as the next generation of DRM doesn't leave computers vulnerable to viruses the way the XCP rootkit does, I believe the media and the public won't kick up a fuss.

It won't matter that future DRM will probably call home—securely, of course—and let Sony know who listens to what CDs and where they are. It won't even matter that future DRM may install all kinds of programs on people's computers to monitor and control their media consumption—as long as those programs are secure and are installed with "permission" (i.e., after you ignore a bunch of legalese and click on an "I Agree" box at the end of it).

Installing alien software to listen to the latest Sarah McLaughlin CD will just seem normal. After all, none of that software is as bad as the Sony rootkit, right? Yeah, right.

Annalee Newitz ([email protected]) is a surly media nerd who listens to music without any kind of protection.

Send a letter to the editor about this story.