In late 2005, music fans who bought compact discs from their favorite artists unknowingly brought a digital spy into their homes. When customers inserted these physical discs, measuring 4.7 inches or 120 millimeters in diameter, into their personal computers, hidden software secretly embedded itself deep within their operating systems.
This concealed program monitored private listening habits and opened gaping security holes, remaining completely invisible to standard antivirus scans. The resulting sequence of events triggered massive product recalls, federal investigations, and a complete overhaul of digital rights management.
Secret Software Unknowingly Installed
The controversy centered on roughly 22 million discs distributed by Sony BMG. About two million of these items contained a program called Extended Copy Protection. The remaining 20 million featured a different program known as MediaMax CD-3. When a purchaser placed the compact disc into a Microsoft Windows computer, the Extended Copy Protection software installed itself.
It executed this action even if the end-user license agreement made absolutely no mention of its existence. The MediaMax software installed on both Microsoft Windows and macOS systems, doing so regardless of whether the user accepted the license agreement.
The Shocking Rootkit Discovery
On October 31, 2005, computer researcher Mark Russinovich published a technical analysis exposing the hidden software. He discovered that the Extended Copy Protection program acted as a rootkit, intentionally obscuring its presence from the computer operator.
The software ran constantly in the background, consuming processing power and slowing overall system performance. Because it relied on unsafe procedures to operate, it often caused catastrophic system crashes. Most alarmingly, the rootkit created severe vulnerabilities that unrelated computer worms and destructive viruses quickly began to exploit.
A Botched Removal Attempt
Following widespread public outrage, the music distributor issued a software tool intended to remove the rootkit from affected machines. Russinovich analyzed this uninstaller and found it only made the hidden files visible without actually deleting the malicious rootkit.
The removal tool also required users to provide an email address and installed additional components that could not be uninstalled. Furthermore, the uninstaller introduced new security flaws, prompting Microsoft to issue a specific update to disable the hazardous components. The company eventually released a revised removal tool later that November.
The Multimillion Dollar Fallout
Facing intense pressure, the distributor recalled unsold merchandise from store shelves and offered consumers an exchange program. Lawsuits materialized rapidly across the country. Texas Attorney General Greg Abbott filed a lawsuit under the state spyware law, resulting in a 750,000 USD settlement for legal fees and customer reimbursements.
Class-action lawsuits emerged in New York and California, while the U.S. Federal Trade Commission required the distributor to reimburse consumers up to 150 USD for computer repairs. By early 2007, the company completely suspended its compact disc copy protection initiatives.


