Sony BMG Litigation Info
By including a flawed and overreaching computer program in millions of music CDs sold to the public, Sony BMG has created serious security, privacy and consumer protection problems that have damaged music lovers everywhere.
At issue are two software technologies - SunnComm's MediaMax and First4Internet's Extended Copy Protection (also known as XCP) - which Sony BMG claims to have placed on the music CDs to restrict consumer use of the music on the CDs but which in truth do much more, including reporting customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms in the End User Licensing Agreement (EULA).
After a series of embarrassing public revelations about security risks associated with the XCP software, including warnings issued by the United States Government, Microsoft and leading anti-virus companies, Sony BMG has taken some steps to respond to the security risks created by the XCP technology. Sony BMG has failed, however, to address security concerns raised by the MediaMax software or the consumer privacy and consumer fairness problems created by both technologies.
Outcome: Sony BMG settled the case, providing a range of remedies and compensation to purchasers of CDs with the XCP technology or the MediaMax technology. Sony BMG ultimately stopped putting any DRM on its CDs sold in the United States.
Background
Problems with XCP
Security researchers have shown that the XCP technology was designed to have many of the qualities of a "rootkit." It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, it degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers. The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer's hard drive as the only solution. When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the installer itself opened even more security vulnerabilities in users' machines.
Problems with MediaMax
The MediaMax software, which is included on over 20 million Sony BMG CDs, has different, but similarly troubling problems. It installs on the users' computers even if they click "no" on the EULA, and does not include a way to uninstall the program. The security issue involves a file folder installed on users' computers by the MediaMax software that could allow malicious third parties who have localized, lower-privilege access to gain control over a consumer's computer running the Windows operating system. The software also transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits -- even though the EULA states that the software will not be used to collect personal information and SunnComm's website says "no information is ever collected about you or your computer."
EFF's Open Letter
On November 14, 2005, EFF wrote an Open Letter to Sony BMG, asking the company to publicly commit to fixing the problems it has caused for its music fans and take steps to reassure the public that its future CDs will respect its customers' ownership of their computer. Among the make-good measures recommended by EFF: a recall of all XCP and SunnComm MediaMax-infected CDs, from both consumers and store shelves; a guarantee to repair, replace, or refund the purchase price of the CDs to anyone who bought the merchandise; and a major publicity campaign warning about the security risks of XCP and SunnComm MediaMax. EFF also asked Sony BMG to pay all consumer costs associated with the damage caused by the XCP or SunnComm MediaMax technology and compensate people for the time, effort, and expense required to verify that their computer was or was not infected with the rootkit.
Sony BMG's Response
Initially Sony BMG denied there was a problem, saying the XCP rootkit "component is not malicious and does not compromise security." Thomas Hesse, President of Sony BMG's global digital business division, asked in a National Public Radio interview, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
After receiving harsh public criticism and EFF's Open Letter, Sony BMG took strong steps in acknowledging the security harm caused by the XCP CDs, including a recall of the infected discs. However, these measures still fall short of what the company needs to do to fix the problems caused to customers by XCP, including both privacy problems and fixing its outrageous EULA. See Sony BMG's November 18, 2005, written response to EFF's Open Letter here [PDF].
Critically, Sony BMG has still refused to refund the cost of CDs to consumers or even widely publicize its recall program using its powerful marketing abilities, or to compensate consumers whose computers have been affected. And, Sony has not agreed to eliminate the outrageous terms found in their EULA.
Moreover, Sony BMG has failed to fully respond to concerns about MediaMax, which affects over twenty million CDs — ten times as many CDs as the XCP software. While Sony responded quickly and responsibly when we drew their attention to a security problem with MediaMax version 5, there remain unresolved issues which EFF will continue to raise with Sony BMG.
Documents
Settlement - Canada
- September 18, 2006 Cohn Affidavit[PDF, 1.01 MB]
- Cohn Affidavit Exhibit 1 - US Settlement[PDF, 426.37 KB]
- Cohn Affidavit Exhibit 2 - Open Letter[PDF, 22.79 KB]
- Cohn Affidavit Exhibit 3 - Sony BMG Response[PDF, 228.62 KB]
- Fewer Affidavit[PDF, 1.02 MB]
- Notice of Objection[PDF, 306.11 KB]
Settlement
- Affidavit in support of preliminary approval Motion[PDF, 7.58 MB]
- Hearing Order[PDF, 310.82 KB]
- Motion for preliminary approval of Sony BMG Settlement[PDF, 366.94 KB]
- Notice of Errata[PDF, 27.20 KB]
- Settlement Agreement[PDF, 426.37 KB]
Legal Documents
- December 8, 2005 ND Cal. Complaint[PDF, 1.99 MB]
- December 5, 2005 NY Complaint[PDF, 1.38 MB]
- November 21, 2005 Complaint[PDF, 150.37 KB]
EFF's Open Letter
- Sony BMG's response[PDF, 228.62 KB]
Press Releases
- December 06, 2005 Update to Press Release: EFF Does Not Recommend Patch at This Time
- November 14, 2005 Sony-BMG Should Recall Infected CDs, Repair Damage Done
- November 09, 2005 Are You Infected with Sony-BMG's Rootkit?
Deeplinks Posts
- March 24, 2009 Stating the Case Against DRM to the FTC
- January 03, 2006 Florida AG's Office Enters Sony BMG DRM Fray
- November 17, 2005 Finally! Full List of CDs Infected with XCP Rootkit
- November 16, 2005 US-CERT: Never Install Audio-CD DRM Software
- November 15, 2005 Sony-BMG Spyware: SunnComm Stories
- November 14, 2005 Warning: Sony XCP Uninstaller Creates Security Holes
- November 10, 2005 New Virus Exploits Sony-BMG Rootkit
- November 09, 2005 Sony-BMG Rootkit: EFF Collecting Stories, Considering Litigation
- November 08, 2005 Are You Infected by Sony-BMG's Rootkit?
- November 07, 2005 Sony-BMG rootkit DRM in a Nutshell
- November 03, 2005 Uproot Sony-BMG's Invasion of Your Privacy and Your Computer
