News of Russinovich's discovery circulated rapidly on the Internet, and further revelations soon followed,
from us¹, from Russinovich, and from others. It was discovered that the XCP rootkit makes users'
systems more vulnerable to attacks, that both CD DRM schemes install risky software components without
obtaining informed consent from users, that both systems covertly transmit usage information back to the
vendor or the music label, and that none of the protected discs include tools for uninstalling the software.
(For these reasons, both XCP and MediaMax seem to meet the consensus definition of spyware.) These and
other findings outraged many users.
As the story was picked up by the popular press and public pressure built, Sony-BMG agreed to recall
XCP discs from stores and to issue uninstallers for both XCP and MediaMax, but we discovered that both
uninstallers created serious security holes on users' systems. Class action lawsuits were filed soon after, and
government investigations were launched, as Sony-BMG worked to repair relations with its customers.
While Sony-BMG and its DRM vendors were at the center of this incident, its implications go beyond
Sony-BMG and beyond compact discs. Viewed in context, it is a case study in the deployment of DRM into
a mature market for recorded media. Many of the lessons of CD DRM apply to other DRM markets as well.
Several themes emerge from this case study: similarities between DRM and malicious software such as
spyware, the temptation of DRM vendors to adopt malware tactics, the tendency of DRM to erode privacy,
the strategic use of access control to control markets, the failure of ad hoc designs, and the force of differing
incentives in shaping behavior and causing conflict.
Outline
The remainder of the paper is structured as follows. Section 2 discusses the business incentives
of record labels and DRM vendors, which drive their technology decisions. Section 3 gives a high-level
technical summary of the systems' design. Sections 4–9 each cover one aspect of the design in more detail,
discussing the design choices made in XCP and MediaMax and considering alternative designs. We discuss
weaknesses in the copy protection schemes themselves, as well as vulnerabilities they introduce in users'
systems. We cover installation issues in Section 4, recognition of protected discs in Section 5, player software
in Section 6, deactivation attacks in Section 7, uninstallation issues in Section 8, and compatibility and
upgrading issues in Section 9. Section 10 concludes and draws lessons for other systems.
2 Goals and Incentives
The goals of a CD DRM system are purely economic: the system is designed to protect and enable the business
models of the record label and the DRM vendor. Accordingly, any discussion of goals and incentives
must begin and end by talking about business models. The record label and the DRM vendor are separate
actors whose interests are not always aligned. We will see that incentive gaps between the label and the
DRM vendor can be important in explaining the design and deployment of CD DRM systems.
2.1 Record Label Goals
We first examine the record label's goals. Though the label would like to keep the music from the CD from
being made available on peer-to-peer (P2P) file sharing networks, this goal is not feasible [4]. If even one
user can rip an unprotected copy of the music and put it on a P2P network, it will be available to the whole
world. In practice, every commercially valuable song appears on P2P networks immediately upon release,
¹ As news of the rootkit spread, we added to the public discussion with a series of 27 blog posts analyzing XCP and MediaMax.
This paper provides a more systematic analysis, along with much new information. Our original blog entries can be read at
http://www.freedom-to-tinker.com/?cat=30&m=2005.