Sony BMG to settle 'rootkit' lawsuits

Out-Law News | 04 Jan 2006 | 9:19 am | 4 min. read

Sony BMG looks set to settle a class action lawsuit filed over its release of music CDs that, when played on PCs, installed potentially damaging copy-control software. A deal awaiting court approval offers compensation of $7.50 and free music to each claimant.

In a settlement motion filed with a New York district court on 28th December, Sony BMG also agrees to an independent audit of its uses of digital rights management software over the next two years to ensure that its privacy practices are fair to consumers.

Background

The controversy began in October 2005 when computer expert Mark Russinovich revealed in his blog that, when certain Sony BMG CDs were played on a computer, an unusual type of anti-copying software was installed.

The software, known as XCP, installed a so-called rootkit on the user's computer. This is a technique more often used by virus writers hoping to conceal the existence of their software: files are hidden deep in the architecture of a computer's operating system.

Russinovich found that attempting to uninstall the software caused damage to his PC: the CD drive was no longer recognised by Windows, although he was skilled enough to rectify that problem.

But it was soon revealed that XCP's rootkit also made the user's computer more susceptible to unwanted intrusion from malicious hackers, even when any firewall and anti-virus programs previously installed were up to date. In November 2005, security firm Symantec discovered the first virus to use Sony BMG's XCP CD as a cloaking mechanism.

The XCP rootkit was not the only concern. Other Sony BMG CDs were protected by a piece of software called MediaMax. While MediaMax did not appear to carry the same level of security vulnerability, it was described in the New York class action lawsuit as making a PC "more vulnerable to security breaches by third parties" than it would have been before installation. It was also difficult for users to uninstall.

Both XCP and MediaMax exchange information between a user's computer and Sony BMG's servers, including the user's IP address, without informing the user. Sony BMG pointed out that it only collected non-personally identifiable information, saying this was necessary to provide the CDs with enhanced functionality.

XCP and MediaMax also came with End User Licence Agreements (EULAs) that were alleged to be misleading because, according to the claims, they failed to disclose that the programs could not be readily removed by a user and that information would be exchanged with Sony BMG.

The jewel cases of the CDs were also accused of providing insufficient information about the nature and function of XCP and MediaMax.

MediaMax was singled out for installing around a dozen files on the user's hard disk even before its EULA appeared on the user's screen. These files were said to remain installed and active on the user's computer even if the user declined the EULA.

Class action lawsuits were filed across the US, suing Sony BMG, SunnComm Technologies, the firm behind MediaMax, and First 4 Internet, the firm behind XCP. The Electronic Frontier Foundation (EFF), a civil liberties group, also took action.

But the EFF has joined the preliminary settlement agreement that is expected to settle the class action lawsuits.

The deal

Under the proposed agreement, which still requires court approval, Sony BMG agrees to:

  • Stop manufacturing CDs with the offending software;
  • Immediately recall all XCP CDs;
  • Provide software to update and uninstall XCP and MediaMax content protection software from consumers' computers;
  • Ensure that ongoing fixes to all Sony BMG content protection software are readily available to consumers;
  • Implement changes in operating practices with respect to all CDs with content protection software that Sony BMG makes in the next two years;
  • Waive certain provisions currently contained in the XCP and MediaMax EULAs;
  • Refrain from collecting personal information about users of XCP or MediaMax CDs without their affirmative consent; and
  • Provide additional benefits to members of the class actions, including cash payments, "clean" replacement CDs without content protection software, and free music downloads.

Customers with XCP-protected CDs will be entitled to $7.50 each and one album download from a list of 200 titles, or three album downloads from the list if they waive the cash offer. MediaMax customers only receive downloads as compensation.

Sony BMG also undertakes to take "commercially reasonable steps" to destroy the information that it collects from users – album details and IP addresses – within 10 days of collection, except as otherwise required by law or court order.

The company also agrees to hire an independent third party to verify these practices once in 2006 and once in 2007. It will post the results of each review on its website.

Provisions of the EULAs to be struck out include a prohibition on consumers reselling their CDs and a bizarre requirement that in effect would stop the CD playing on a user's computer should he or she ever file for bankruptcy.

Before manufacturing and issuing any CDs with content protection software at any time until 2008, Sony BMG undertakes, among other things, to ensure that a EULA is accepted before installation begins; to accurately describe the nature and function of the software in plain English in the EULA and on the jewel case; and to obtain a third party's comments about the EULA and the software's risk of creating security vulnerabilities.

Reactions

"The proposed settlement will provide significant benefits for consumers who bought the flawed CDs," said EFF Legal Director Cindy Cohn. "Under the terms, those consumers will get what they thought they were buying – music that will play on their computers without restriction or security risk."

The original source of the story, Mark Russinovich, described the terms of settlement as "a significant victory for the consumer."

It is not yet known if the Attorney General of Texas, who accused Sony BMG of violating spyware laws, will abandon his case in light of the class action settlement.