Italian police asked to investigate Sony DRM code

CA classifies Sony's software as spyware, hunts it down like a dog

The fallout continues over Sony BMG Music Entertainment's controversial XCP copy protection software, with an Italian digital rights organisation now taking the first step toward possible criminal charges in the matter.

Separately, security vendor Computer Associates International says it is now classifying Sony's software as spyware and will begin searching for and removing XCP with its antispyware software, beginning later this week.

A group based in Milan called the ALCEI-EFI (Association for Freedom in Electronic Interactive Communications — Electronic Frontiers Italy) filed a complaint about Sony's software with the head of Italy's cyber-crime investigation unit, Colonel Umberto Rapetto of the Guardia di Finanza.

The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chair of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law," he says.

Should police determine that a crime has been committed, prosecutors will be required to begin criminal proceedings against Sony, Monti says.

Sony declined to comment on the story. XCP, used on about 20 of the company's music titles, according to Sony, prohibits Windows users from making more than three copies of any XCP-protected CD. The software does not run on non-Windows operating systems such as Mac OS or Linux.

Within the next seven days, ALCEI-EFI also plans to ask the European Union to investigate the matter, Monti says.

"The irony of the case is that pressure from industry lobbies ... have led to weird legislation in Italy that treats copying as a criminal offence," he says. "By spreading a virus-like anticopy device [entertainment companies such as Sony] become the criminals under another, more reasonable, law."

Sony's use of XCP has been widely criticised over the past week, since it was first revealed that the software uses many of the same techniques as spyware and computer viruses to disguise its existence. XCP's developer, British company First 4 Internet, has said these techniques were necessary in order to prevent illegal copiers from circumventing the digital rights management (DRM) software, but critics say First 4 has gone too far and that the product may be a security risk.

Computer Associates (CA) has now classified the product as spyware and will soon direct its eTrust PestPatrol product to remove XCP from customers' computers, according to Sam Curry, vice president of eTrust security management with CA. "We have a scorecard, and there are 22 points that we go through examining how the software behaves," he says. "In this case, XCP is falling down."

XCP installs itself without adequately notifying users of what it will do to their computers, it is too difficult to uninstall, and it also appears to be in secret communication with Sony servers, Curry says.

Even a software patch released by Sony last week to decloak the hidden digital rights management software counts as spyware, Curry adds. "Unfortunately the patch also fails our scorecard," he says. "It fails to notify you about what it's doing, and it can cause the system to crash."

Sony's software will be added to PestPatrol's spyware signatures on November 12, meaning that the security software will disable and remove the product from affected systems, Curry says.

Though XCP uses sophisticated tricks to hide itself from system tools, it can actually be circumvented by disabling the Windows Autorun feature, which launches XCP as soon as the CD is placed into a drive, Curry says.

Autorun can be turned off using Windows system tools, but Curry also suggested a much simpler technique to temporarily disable the feature — holding down the left shift key when installing an XCP-protected CD.