RealTime IT News

Sony Sued Over DRM Rootkit

UPDATED: The Electronic Frontier Foundation (EFF) filed a class-action lawsuit against Sony BMG on Monday.

Two other legal firms, Green Welling and Lerach, Coughlin, Stoia, Geller, Rudman and Robbins, joined the digital consumer advocacy group in the suit filed in Los Angeles County Superior Court.

The lawsuit is the EFF's response to the music giant's tepid acknowledgment of the security and privacy issues that came with music released on copy-protected music CDs, lawyers said.

The EFF is seeking compensation for any damages caused by the digital rights management technology and a refund for the copy-protected CDs, lawyers stated.

It's the second legal challenge to Sony BMG in one day. The attorney general for Texas also filed a suit against the music giant for allegedly violating the Consumer Protection Against Computer Spyware Act of 2005.

"Sony has engaged in a technological version of cloak-and-dagger deceit against consumers by hiding secret files on their computers," Greg Abbot, Texas attorney general, said in a statement. "Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime."

The state is seeking civil penalties of $100,000 for every violation of the anti-spyware law, attorney's fees and investigative costs.

It would be difficult to find anyone who surfs the Internet who hasn't heard about the music giant's inclusion of cloaking technology in its copy-protected CDs.

Sony has been widely criticized since the discovery last month that some of its music CDs contain a rootkit to cloak the scanning of customer PCs for music-ripping activities.

The rootkit, and Sony's attempts to mitigate the security concerns surrounding its updates and uninstaller, have left a lot of vocal critics in its wake.

But while the Extended Copy Protection (XCP) application from U.K.-based First 4 Internet has been getting most of the attention, because it includes a rootkit that hides the fact that it's scanning the user's PC, digital rights management technology from SunnComm is just as much to blame for the lawsuit, the group contends.

SunnComm's MediaMax is found on more than 20 million CDs, EFF officials said, ten times the amount of CDs with XCP. MediaMax allows a limited number of copies of music CDs, but, unlike XCP, it is installed on the user's computer -- even if the consumer decides not to digitally sign Sony's End User License Agreement (EULA).

Once installed, there's no method for completely uninstalling the software, EFF officials claim, outside repeated requests to Sony. The group points out that the uninstaller itself has been found to contain significant security risks, just as XCP's uninstaller does.

The EFF sent an open letter to Sony executives on Nov. 14, challenging them to undo the XCP- and MediaMax-encumbered technology. The letter noted with concern Sony's inclusion of the technology in the first place, as well as the company's limited response to the security questions from experts and consumers.

Some of the concerns in Friday's open letter have already been addressed by the music giant. Last week, Sony issued a recall of its copyright-protected CDs -- 54 different titles -- and set up a Web form for customers to swap out their CDs for ones without the copyright protections.

Kurt Opsahl, an EFF staff attorney, said that while Sony has responded to some of the terms in its open letter, others that were left untouched prompted the lawsuit.

"We tried to work it out reasonably through the open letter process and through conversations with Sony," he said. "They were willing to make some of the steps, but not all the steps necessary to redress the problems associated with their copy-protection software programs. That left us with no choice but to use the legal system."

The EFF also has problems with what it says are outrageously anti-consumer terms in Sony's EULA. It cites two examples: If the purchaser declares personal bankruptcy, he or she must delete the digital copy from the computer; the same is true if the CD is stolen, because the consumer must maintain a copy of the original CD.

Sony BMG officials would not comment on the lawsuits, although the company did respond to the EFF's open letter through its lawyers.

Jeffrey Cunard, a partner at Debevoise & Plimpton, stated in a letter sent to the EFF Friday that they believe Sony's use of XCP and its EULA do not violate any laws, and the actions undertaken so far go well beyond any obligations the company has under California law.

SunComm, the letter stated, is developing an updated uninstaller to address the security concerns over the MediaMax uninstaller.

Regarding the damages and refund, however, they see no need to comply.

"Although you have asked that Sony BMG 'compensate consumers for any damage to their computers caused by the infected products,'" Cunard stated, "Sony BMG is unaware of any computer that has suffered any 'damage' due to the use of an XCP-protected compact disc. Should Sony BMG be contacted by a consumer claiming such damage, it will respond appropriately."