Why DRM leads to spyware
Freedom to Tinker has a fascinating post on copy protection and why the use of spyware with DRM is a logical progression. Felton gives a technical explanation of how DRM works and illustrates and why the problem of getting it on users' computers and keeping it there is the same problem spyware pushers have.
People who face the same technical problems tends to find the same technical solutions. How do you get software installed against the user’s wishes? You mislead the user about what is being installed, or about the consequences of installation. Or you install without getting permission at all. How do you keep software from being uninstalled? You don’t provide an uninstaller. Or you provide an uninstaller that doesn’t really uninstall the whole program. Or you try to cloak the software so the user doesn’t even know it’s there.
There are two separate DRM systems, XCP and MediaMax (made by SunnComm), using spyware that jeopardized users' safety. Sony has released patches for both. Yesterday I bought a CD that uses MediaMax DRM, partly out of curiosity to see what it does. The CD is "="" by="" my="" morning="" jacket"=""> (great CD, btw). I've had auto play disabled for a long time, so I wasn't worried about getting my computer infected. The DRM is so easily defeated, it's almost a joke. I put the CD in, opened it with Windows Explorer, read the EULA in notepad and checked all the contents of the CD. When I read the EULA with its dire terms, I had to laugh because it's so easy to circumvent the DRM. Some excerpts:
Before you can play the audio files on YOUR COMPUTER or create and/or transfer the DIGITAL CONTENT to YOUR COMPUTER, you will need to review and agree to be bound by an end user license agreement or "EULA", [...].
As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise. [...]
In order to access the DIGITAL CONTENT on YOUR COMPUTER, you will need to have a copy of an approved media player software program that is capable of playing the DIGITAL CONTENT in the file format you selected (each such approved media player, an "APPROVED MEDIA PLAYER") on YOUR COMPUTER.
Note -- it never states what media players are approved.
Article 2. PRODUCT FEATURES
1. This CD contains technology that is designed to prevent users from making certain, unauthorized uses of the DIGITAL CONTENT, including, without limitation, the following:
(1) making and storing more than one (1) copy of the DIGITAL CONTENT in each available file format on the hard drive of YOUR COMPUTER;
(2) accessing the DIGITAL CONTENT on YOUR COMPUTER (once you have installed a copy of it on the hard drive of YOUR COMPUTER) using a media player that is not an APPROVED MEDIA PLAYER;
(3) transferring copies of the DIGITAL CONTENT that reside on the hard drive of YOUR COMPUTER on to portable devices that are not APPROVED PORTABLE DEVICES;
(4) burning more than three (3) copies of the DIGITAL CONTENT stored on YOUR COMPUTER (ATRAC OpenMG file format only) onto AtracCDs;
(5) burning more than three (3) copies of the DIGITAL CONTENT onto recordable compact discs in the so-called "Red Book"-compliant audio file format; and
(6) burning more than three (3) backup copies of this CD (using the burning application provided on the CD) onto recordable CDs and burning or otherwise making additional copies from the resulting backup copies.
I proceeded to rip the music tracks as MP3 files using Easy CD-DA Extractor. Now I can load the songs on my Creative Nomad Jukebox and burn them to another CD with no worries.
If someone from Sony BMG is reading this, don't worry, I don't do file sharing, I'm not going to upload the songs to the web for anyone to download and I'm not going to burn a thousand, or even 3, CDs and redistribute them. I am, however, going to enjoy the music I bought and paid for legally for without worrying about DRM software and spyware on my machine. Isn't that how it should be?