L'exception de copie privée face aux dispositifs techniques de protection des oeuvres
par Marjorie PONTOISE
Université Lille II - Master 2 pro Droit du cyberespace (NTIC) 2005
Opponents of Sony BMG's actions, including Slashdot and Digg contributors, later accused Sony BMG of violating the privacy of its customers to create a backdoor onto their machine using code that itself violates an open-source license. They claimed that this DRM program, designed to give Sony BMG control over the customer's machine in the name of copyright protection, is itself infringing copyright by including code from the LAME MP3 library. It appears that, since LAME is under the LGPL, this situation could be rectified by SONY BMG offering a copy of the LAME source code, as well as adding a notice that it was using code from the library (though this would not be a defense against past damages).
The XCP software can be prevented from installing in several ways. First of all, a user can refuse to purchase such copy-protected CDs, perhaps downloading the music from a digital music distributor. Second, it is possible to disable autorun so that the software will not run automatically (this can be done, temporarily, by holding the SHIFT key while inserting the CD). Putting a piece of opaque (to infrared) tape or some other light blocker on the portion of the CD where the executable is stored will also prevent the DRM from running . An alternative is to use an operating system which the software does not automatically install itself on, such as Linux or Mac OS X, or running Windows under a restricted account instead of an administrator account, in which case the installation program will not have the sufficient rights to install the rootkit.
On November 15, 2005, vnunet.com announced  that Sony BMG is backing out its copy-protection software, recalling unsold CDs from all stores, and offering consumers to exchange their CDs with versions lacking the software. The Electronic Frontier Foundation compiled a partial list  of CDs with XCP. Sony BMG is quoted as maintaining that "there were no security risks associated with the anti-piracy technology", despite numerous virus and malware reports. On November 16, 2005, US-CERT, part of the United States Department of Homeland Security, issued an advisory on XCP DRM. They said that XCP uses rootkit technology to hide certain files from the computer user, and that this technique is a security threat to computer users. They also said one of the uninstallation options provided by Sony BMG introduces further vulnerabilities to a system. US-CERT advised, "Do not install software from sources that you do not expect to contain software, such as an audio CD."
Sony BMG announced that it has instructed retailers to remove any unsold music discs containing the software from their shelves. It is estimated by internet expert Dan Kaminsky that XCP is in use on more than 500,000 networks.
CDs with XCP technology can be identified by the letters "XCP" printed on the back cover of the jewel case for the CD.
Information about the swap can be found at the Sony BMG swap program website. As a part of the swap program, consumers can mail their XCP-protected CDs to Sony BMG and would be sent an unprotected disc via return mail.
On November 29, 2005 the New York Attorney General Eliot Spitzer found through his investigators that despite the recall of November 15 Sony BMG CDs with XCP were still for sale in New York City music retail outlets. Spitzer said "It is unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves, during the busiest shopping days of the year," "I strongly urge all retailers to heed the warnings issued about these products, pull them from distribution immediately, and ship them back to Sony." On November 30, 2005 Massachusetts Attorney General Tom Reilly issued a statement saying that Sony BMG CDs with XCP were still available in Boston despite the Sony BMG recall of November 15. Attorney General Reilly advised consumers not to purchase the Sony BMG CDs with XCP and said that he was conducting an investigation of Sony BMG.
As of January 26, 2006, Sony BMG's website offered consumers no reference to this issue and no way to locate Sony BMG's explanation or list of affected CD's. (The link below, however, will bring up the explanation and list.)
As of May 11, 2006, Sony BMG's website offered consumers a link to "Class Action Settlement Information Regarding XCP And Mediamax Content Protection." It has online claim filing and links to software updates/uninstallers.