BOSTON - It's been the better part of a decade since Napster and other free song-sharing services began scaring the daylights of the music industry. And still recording companies can't find an effective anti-piracy technology to save their hides.
The fact that so-called digital rights management might always be a doomed experiment became painfully clear with the fiasco that erupted after Sony BMG Music Entertainment added a technology known as XCP to more than 50 popular CDs.
After it was discovered that XCP opened gaping security holes in users' computers - as did the method Sony BMG offered for removing XCP - Sony BMG was forced to recall the discs this week. Some 4.7 million had been made and 2.1 million sold.
Factor in lawsuits that Sony BMG could face, and it's worth wondering whether the costs of XCP and its aftermath might even exceed whatever piracy losses the company would have suffered without it.
That's not even accounting for the huge public relations backlash that hit Sony BMG, the second-largest music label, half-owned by Sony Corp. and half by Bertelsmann AG.
"I think they've set back audio CD protection by years," said Richard M. Smith, an Internet privacy and security consultant. "Nobody will want to pull a 'Sony' now."
Phil Leigh, analyst for Inside Digital Media, said the debacle shows just how reluctant the labels are to change their business model to reflect the distribution powers - good and bad - of the Internet. He believes that rather than adopting technological methods to try to stop unauthorized copying of music, record companies need to do more to remove the incentive for piracy.
"The biggest mistake the labels are making is, they're letting their lawyers make technical decisions. Lawyers don't have any better understanding of technology than a cow does algebra," Leigh said. "They insist on chasing this white whale."
It's easy to understand why the music industry wishes songs could magically be prevented from being ripped from CDs and shared freely.
The industry has seen an estimated $2 billion overall decline in CD sales in the last five years. New digital services such as Apple Computer Inc.'s iTunes have made up some of that, but still account for just 6 percent of the industry's global sales.
The challenge has been to find an anti-piracy tool that works well enough to please the industry without overly annoying users, many of whom want to make legitimate backup copies of their CDs and don't like being assumed to be criminals.
The anti-piracy methods that have been attempted are legion, some rather low-tech. For a while recording labels commonly sent music critics promotional material in portable players glued shut to prevent copying.
For the broader audience, new discs emerged that included digital watermarks - extra encoding designed to lock the recordings, or at least their high-resolution portions - on the disc.
Sony, in fact, tried discs that contained data near the perimeter of the CD instructing a computer's hard drive not to look for audio tracks. But blocking that technology merely required drawing a line with a marker near the edge of the CD.
Other copy-protection schemes could be defeated with such simple measures as holding down the shift key on a computer while the disc was loading. Still other anti-copying speedbumps are easily overcome with the help of free programs on the Internet.
For example, some programs capture and record audio streamed through a computer's sound circuitry.
"It's an arms race that the content owner can never win," said Yankee Group analyst Michael Goodman. "In order to make it usable, you also have to make it beatable. If you really truly want to lock it down, it is possible to lock it down. But it is so onerous on the user that they'd never want to use it in the first place."
Sony BMG seemed to be seriously upping the ante by trying XCP, which is provided by a British company, First 4 Internet Ltd.
When discs with XCP were put into a computer, the CD installed a program that restricted to three the number of times the disc could be copied, according to Mark Russinovich, who discovered the controls and posted his findings online. The program also made it extremely inconvenient to transfer songs into the format used by iPods.
The dangerous factor was a "rootkit," a feature cloaking the files on users' computers that reported back to Sony BMG about how music was played and transferred. Users who tried to remove XCP could find their CD drive crippled.
Sony BMG initially rejected the uproar against XCP as technobabble.
"Most people, I think, don't even know what a rootkit is, so why should they care about it?" the head of Sony BMG's global digital business, Thomas Hesse, told National Public Radio.
But once it turned out that the rootkit gave virus writers an easy tool for hiding "Trojan horses" and other malicious software, Sony BMG had to back down. It put up an online tool for removing XCP - only to find that process itself opened new vulnerabilities in computers.
After agreeing to a recall, Sony BMG said Friday it would let customers who have already purchased CDs to mail them back, postage free, for a replacement. Sony BMG also would send them a link to download digital versions of the tunes.
Although the episode could not have gone worse, it's unlikely to lead other music companies to abandon copy-protection technologies.
One rival, EMI Group PLC, is moving ahead with digital rights management from Macrovision Corp. that lets users burn three copies of a disc and "rip" it onto a computer seven times. While it's safe to assume hacks around these rules could emerge, EMI will try to enlist consumer support for the software by having it include bonus features, like album art, liner notes and videos.
Sony BMG would not comment on whether it plans to explore digital rights management techniques that are less intrusive than XCP.
"They may be going through various iterations to try to find the sweet spot here," Leigh said. "But they're stumbling around, and the consequences of them stumbling are not worth the price."
On the Net:
Sony BMG repeatedly said about 20 discs had XCP, but the number, it turns out, was higher: