WTH?? Link. Security firm: Sony CDs secretly install spyware Company denies it, saying program aims to foil music piracy By Hiawatha Bray, Globe Staff | November 8, 2005 Sony is spying on thousands of listeners who buy and play its music CDs on their computers, a leading computer security firm said yesterday. Computer Associates International Inc. said that new anticopying software Sony is using to discourage pirating of its music also secretly collects information from any computer that plays the discs. One of the world's largest software and information technology companies, Computer Associates is the latest to wade into the growing controversy over Sony's efforts to curb theft and illegal pirating of its music. The software works only on computers running Microsoft Corp.'s Windows operating system. It limits listeners' ability to copy the music onto their computers, and locks copied files so they cannot be freely distributed over the Internet. But Computer Associates said the antipirating software also secretly communicates with Sony over the Internet when listeners play the discs on computers that have an Internet connection. The software uses this connection to transmit the name of the CD being played to an office of Sony's music division in Cary, N.C. The software also transmits the IP address of the listener's computer, Computer Associates said, but not the name of the listener. But Sony can still use the data to create a profile of a listener's music collection, according to Computer Associates. ''This is in effect 'phone home' technology, whether its intent is to capture such data or not," said Sam Curry, vice president of Computer Associates' eTrust Security Management unit. ''If you choose to let people know what you're listening to, that's your business. If they do it without your permission, it's an invasion of privacy." Sony and the British firm that wrote the antipirating code for the music company flatly denied the software snoops on listeners. ''We don't receive any spyware information, any consumer information," said Mathew Gilliat-Smith, chief executive of First 4 Internet Ltd., which makes the software for Sony BMG Music Entertainment. So far, Sony BMG has installed the software on about 20 titles in its music catalog, including works by jazzman Dexter Gordon, singer Vivian Green, and the new issue by country rockers Van Zant, ''Get Right with the Man." It was the Van Zant disc that led to the controversy over Sony's new software. In late October, a well-known Windows computer engineer, Mark Russinovich, stumbled across the Sony software on one of his personal computers while running a security scan. Russinovich had used the computer to play the Van Zant CD, not realizing that it had installed the anticopying program. When he tried to remove it, Russinovich found that the program lacked the ''uninstall" feature found in most Windows software. Indeed, key components of the software hid themselves deep in his computer by applying the same techniques used by data thieves to conceal their activities. Even a skilled user who identifies the correct files can't safely remove them, said Russinovich. ''Most users that stumble across the cloaked files . . . will cripple their computer if they attempt the obvious step of deleting the cloaked files," he wrote on his technology website, SysInternals. Computer Associates yesterday concurred with Russinovich's assessment. Curry said Sony has made it so difficult for listeners to uninstall its software that some could lose all their data in the process. ''It can damage the operating system and the operating system's integrity, so it can't reboot at all," Curry said. ''As an expert in security, I can say this is bad behavior." Indeed, Computer Associates has added the software to its list of spyware programs that collect personal information from computer users without their permission. Russinovich also said that a patch Sony and First 4 released Friday to stop the software from hiding inside computers malfunctions and can cause an irreparable loss of computer data. Gilliat-Smith of First 4 said he knows of no case in which this has happened. Sony offers a website where users can obtain a program that uninstalls its software. He said both efforts should prove that Computer Associates and Russinovich's complaints are unfounded. ''In theory there should be no concern," Gilliat-Smith said. Hiawatha Bray can be reached at firstname.lastname@example.org.