The technology used by Sony BMG to prevent piracy of audio CDs is allegedly based on stolen code, according to Sebastian Porst and Matti Nikki, two individuals from Germany and Finland who looked into the application. 

First 4 Internet, the English developer of the controversial XCP anti-piracy technology deployed on some of Sony's audio CDs, is believed to have included software that is governed by the General Public Licence (GPL). 

Under terms of that licence, First 4 Internet is obliged to release the software that uses the GPL code. It did not do so.

"Sony is infringing on open source programmers' copyrights by distributing code which they have no right to use. Even though the code in question was developed by [First 4 Internet], Sony has still been distributing it," Nikki wrote on a webpage where he explained the licence violations. 

The duo examined the binaries for the XCP software and claim to have found numerous references to functions that were taken from an application called mpg123 as well as other applications governed by open source licences. 

Mpg123 is a media player developed in part by John Lech Johansen, the famous DVD cracker. The application is governed by the GPL and parts of it have been made available under the Lesser GPL, which gives developers more liberty when reusing the code. 

The XCP technology came under fire after security experts unmasked the anti-piracy technology as a major security risk. After weeks of pressure Sony said last Friday that it would stop shipping CDs with the technology and would take back any CDs that consumers had purchased.

The record label has provided a list of 52 titles and item numbers to help consumers identity infected CDs. 

When a user inserts an infected audio CD in a Windows system, the CD installs a new media player, digital rights management technology and a so-called rootkit which hides the technology from the user and the system. The GPL code was found in the media player.

Sony BMG did not respond to a request for further information. First 4 Internet was unable to respond due to the time difference between California and the UK where the firm is headquartered. First 4 Internet has declined in the past to comment on the case.