Sony Sued Over DRM Rootkit

UPDATED: The Electronic Frontier Foundation (EFF) filed a class-action lawsuit
against Sony BMG on Monday.

Two other legal firms, Green Welling and Lerach, Coughlin, Stoia,
Geller, Rudman and Robbins, joined the digital consumer advocacy group
in the suit filed in Los Angeles County Superior Court.

The lawsuit is the EFF’s response to the music giant’s tepid acknowledgment
of the security and privacy issues that came with music released on
copy-protected music CDs, lawyers said.

The EFF is seeking compensation for any damages caused by the digital rights management technology
and a refund for the copy-protected CDs, lawyers stated.

It’s the second legal challenge to Sony BMG in one day. The
attorney general for Texas also filed a suit against the music giant for
allegedly violating the Consumer Protection Against Computer Spyware Act of
2005.

“Sony has engaged in a technological version of cloak-and-dagger deceit
against consumers by hiding secret files on their computers,” Greg Abbott,
Texas attorney general, said in a statement. “Consumers who purchased a
Sony CD thought they were buying music. Instead, they received spyware that
can damage a computer, subject it to viruses and expose the consumer to
possible identity crime.”

The state is seeking civil penalties of $100,000 for every violation of the
anti-spyware law, attorney’s fees and investigative costs.

It would be difficult to find anyone who surfs the Internet who hasn’t
heard about the music giant’s inclusion of cloaking technology in its
copy-protected CDs.

Sony has been widely criticized since the discovery last month that some of its music CDs contain a rootkit to cloak the
scanning of customer PCs for music-ripping activities.

The rootkit, and Sony’s attempts to mitigate the security concerns
surrounding its updates and uninstaller, have left a lot of vocal critics in
its wake.

But while the Extended Copy Protection (XCP) application from U.K.-based
First 4 Internet has been getting most of the attention, because it includes
a rootkit that hides the fact that it’s scanning the user’s
PC, digital rights management technology from SunnComm is
just as much to blame for the lawsuit, the group contends.

SunnComm’s MediaMax is found on more than 20 million CDs, EFF officials
said, ten times the number of CDs with XCP. MediaMax allows a limited
number of copies of music CDs, but, unlike XCP, it is installed on the user’s
computer — even if the consumer decides not to digitally sign Sony’s End User
License Agreement (EULA).

Once installed, there’s no method for completely uninstalling the software,
EFF officials claim, outside repeated requests to Sony. The group points
out that the uninstaller itself has been found to contain significant security
risks, just as XCP’s uninstaller does.

The EFF sent an open letter to Sony executives on Nov. 14, challenging them to
undo the XCP- and MediaMax-encumbered technology. The letter noted with
concern Sony’s inclusion of the technology in the first place, as well as the
company’s limited response to the security questions from experts and
consumers.

Some of the concerns in Friday’s open letter have already been addressed by the
music giant. Last week, Sony issued a recall of its copyright-protected
CDs — 54 different titles — and set up a Web form for customers to swap out
their CDs for ones without the copyright protections.

Kurt Opsahl, an EFF staff attorney, said that while Sony has responded to
some of the terms in its open letter, others that were left untouched prompted the
lawsuit.

“We tried to work it out reasonably through the open letter process and
through conversations with Sony,” he said. “They were willing to make some
of the steps, but not all the steps necessary to redress the problems
associated with their copy-protection software programs. That left us with
no choice but to use the legal system.”

The EFF also has problems with what it says are outrageously anti-consumer
terms in Sony’s EULA. It cites two examples: If the purchaser declares
personal bankruptcy, he or she must delete the digital copy from the computer;
the same is true if the CD is stolen, because the consumer must maintain a
copy of the original CD.

Sony BMG officials would not comment on the lawsuits, although the company
did respond to the EFF’s open letter through its lawyers.

Jeffrey Cunard, a partner at Debevoise & Plimpton, stated in a letter sent to the
EFF Friday that they believe Sony’s use of XCP and its EULA do not violate
any laws, and the actions undertaken so far go well beyond any obligations
the company has under California law.

SunnComm, the letter stated, is developing an updated uninstaller to address
the security concerns over the MediaMax uninstaller.

Regarding the damages and refund, however, they see no need to comply.

“Although you have asked that Sony BMG ‘compensate consumers for any damage
to their computers caused by the infected products,’” Cunard stated, “Sony
BMG is unaware of any computer that has suffered any ‘damage’ due to the use
of an XCP-protected compact disc. Should Sony BMG be contacted by a
consumer claiming such damage, it will respond appropriately.”
