November 16, 2005

Sony to pull (some) controversial CDs, offer swap. Specifically, Sony is pulling music CDs with the First4Internet XCP copy protection scheme off the shelves. XCP has been shown to expose computers to serious security problems, in addition to its intended effects of spying on your listening habits and breaking your computer's CD-ROM drive. Sony has not offered a way to cleanly uninstall the software, nor has it offered compensation for damage caused by the security hole. When pressed, Sony put up a method of removing the XCP software that introduces even more serious security holes. Ed Felten does the research.

Sony has not made any concessions regarding discs with the SunnComm MediaMax protection scheme, which is also known to spy on users and be a pain in the butt. XCP gets all the attention because it does these other ridiculously terrible things, which have inspired Microsoft and anti-virus software makers to swear to combat Sony's software.

It's worth distinguishing between the stated purpose of Sony's DRM mechanism (to prevent you from making MP3s of protected music CDs), the apparently intentional additional effects (to prevent you from discovering the DRM mechanism and removing it from your computer), and other side effects whose intent is unknown (surreptitiously communicating information about your habits back to Sony, opening security holes). Many of us are angry about all three categories, but it's worth noting that the software could perform its stated purpose without doing any of the other things. The other effects are likely to be intentional in varying degrees. DRM software that's difficult to remove might be more effective against casual file sharers than DRM that doesn't latch on so hard, so Sony probably did that on purpose. It's hard to believe Sony would intentionally expose my computer to security vulnerabilities, though we're free to wonder if Sony (or First4Internet) wants to reserve the ability to exploit the holes themselves.

But I think the oh-my-gawd-why-did-you-do-it-that-way uninstallation procedure that potentially does more harm than good demonstrates another angle on the DRM issue: There is a likelihood that any given DRM control mechanism will be poorly implemented. Even if we agreed that media conglomerates deserved to restrict how we use our computers or the music we buy, we can't trust them to implement the restrictions in a way that meets our expectations. Accidentally or otherwise, data tied up behind a DRM mechanism is further restricted by the limited quality of the implementation. Unrestricted data is not so affected, because I could always find a better way to access the data. See also: paperless electronic voting machines, DVD players; cf. Firefox with Greasemonkey.

The WSJ article includes an anecdote about Béla Fleck buying a copy-protected Dave Matthews CD and discovering he could not transfer the music to his iPod. Béla insisted that Sony not include copy protection on his own album.