Tempers flared further after November 4, when Russinovich announced in his blog that other software accompanying XCP on the Sony BMG discs “phoned home,” contacting Sony BMG over the Internet every time a user played a protected CD. Acting on a tip from a Finnish hacker and computer science student named Matti Nikki, Russinovich used a “network tracing” program to analyze traffic flowing into and out of his computer. He found that during startup, the protected CDs would check with a server at Sony BMG for fresh material for a rotating banner advertisement displayed with the player. This exchange was innocuous enough; but to Russinovich and readers of his blog, the affront was that Sony BMG had not disclosed in the CDs’ EULAs that the software would send data to the company or spelled out how that data would be used. “I doubt Sony is doing anything with the data,” Russinovich wrote, “but with this type of connection, their servers could record each time a copy-protected CD is played and the IP address [the location on the Internet] of the computer playing it.”
Security professionals, bloggers, and music fans weren’t the only ones who were dismayed. The U.S. Department of Homeland Security criticized Sony BMG for releasing products that undermined antivirus software and exposed both government-owned and privately owned computers to hackers. At a November 10 trade conference on piracy, Stewart Baker, the department’s assistant secretary for policy, chastised big media for its obsession with DRM. “It’s very important to remember that it’s your intellectual property, [but] it’s not your computer,” Baker said.
Over and over again, people who encountered the rootkit expressed a sense of violation. John Guarino, the computer consultant, offers this analogy: “Say you want to install cable TV in your apartment. You call the cable company. They say someone is going to come and install it. The cable guy makes you sign something before he comes into the apartment. Then you find out he didn’t actually leave the apartment when he was done. He is still hiding. And you call the company and say, ‘This guy is still here,’ and they say, ‘But you signed the document.’ And you say, ‘Yeah, but he still shouldn’t be here. Where is he?’ and they say, ‘We’re not going to tell you that.’
“And not only is this guy hiding inside your apartment – he’s actually eating from your refrigerator, drinking your water, using the bathroom, and you can’t stop him. He could be inviting other friends over and letting them in. And if you try to find him and take him out yourself, he’s going to throw bombs, and you’ll have to call the construction guys to rebuild your whole apartment.
“That’s what Sony is doing. The rootkit uses your processor, it uses your memory, your hard disk. You can’t take it out easily, because they won’t tell you how. If you try to take it out, it actually messes up your computer. The only solution is to reinstall the whole operating system. It’s total lawlessness, and it’s unacceptable.”