Sony BMG Music agreed Tuesday it violated federal law by not telling consumers CDs sold by the company contained digital rights management (DRM) software that monitored user listening habits to send them marketing messages.
The Federal Trade Commission (FTC) said Sony BMG agreed to allow consumers to exchange the CDs embedded with the DRM through June 31 and to reimburse consumers up to $150 to repair any damage caused by the software.
Sony BMG also admitted it failed to inform buyers the CDs limited the devices on which the music could be played and restricted the number of copies that could be made.
The FTC also claimed the DRM software exposed consumers to security risks and was “unreasonably difficult” to uninstall.
“Installations of secret software that create security risks are intrusive and unlawful,” FTC Chairman Deborah Platt Majoras said in a settlement.
“Consumers’ computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content.”
The settlement, which comes just a month after Sony BMG paid $4.25 million in a class-action lawsuit over the same issues, also requires Sony BMG to clearly disclose copying limitations on consumers’ use of music CDs and bars the company from using collected information for marketing purposes.
In addition, the settlement prohibits Sony BMG from installing the software without consumers’ consent and requires the company to provide reasonable means to uninstall the software.
The controversy over the DRM software swirled around Sony BMG’s use of SunnComm’s MediaMax and First4Internet’s Extended Copy Protection (XCP). Sony said it installed the software on its CDs to restrict consumer use of the music.
The XCP application received most of the attention because it included a rootkit.
Similar to what malware writers use to mask their tracks when they’ve compromised a computer, rootkits hide the running processes and files used by the attackers to avoid detection and subsequent removal by the end user.
In November of 2005, Sony BMG agreed to recall the rootkit CDs.
MediaMax, though, is found on more than 20 million CDs, ten times the number of CDs with XCP. According to the FTC, CDs with either XCP or MediaMax restricted the music from being played on portable devices other than those from Sony and Microsoft.