By exploiting a hole in the copy protection code, virus writers could modify an old Trojan horse to take advantage of the powerful, though inadvertent, shielding provided by the Sony software. Sony eventually announced that, as part of a review of its digital rights management strategy, it would suspend production of CDs that contain this particular copy-protection technology.
Too late to avoid the legal blowback. In Texas, the attorney general is seeking $100,000 for each alleged violation of the state's "Consumer Protection Against Computer Spyware Act." The California lawsuit is a class action that seeks compensatory damages, disgorgement of profits and punitive damages.
The Electronic Frontier Foundation, which is co-counsel in the California case, says that Sony BMG caused damage by virtue of the First4Internet XCP software and the SunnComm Technologies MediaMax tool included in more than 24 million of Sony's music CDs.
The XCP and SunnComm technologies were unwittingly installed by millions of music customers when they used the Sony CDs in their Windows-based computers. Researchers found that the XCP technology was designed to include many of the qualities of a "rootkit." According to the EFF, the software was developed to conceal its presence and operation from the computer's owner. Once installed, the code degraded system performance, opened new security vulnerabilities, and installed updates through an Internet connection to Sony BMG's servers, EFF alleges.
The nature of a rootkit makes it extremely difficult to remove. That often leaves reformatting the computer's hard drive as the only solution. When Sony BMG offered a program to uninstall the XCP software, the uninstaller reportedly opened even more security vulnerabilities in users' machines.
EFF argues that the MediaMax software installed on more than 20 million CDs is similarly problematic. It apparently installs files on the users' computers even if they click "no" on the End User License Agreement, and it allegedly does not include a means to fully uninstall the program.
In addition, EFF says the software transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the tracking of listening habits--even though the license states that the software will not be used to collect personal information.
EFF maintains that users who repeatedly requested an uninstaller for the MediaMax software were eventually provided one, but only after they had provided more personal information. The group also asserts that security researchers have determined that SunnComm's uninstaller creates significant security risks for users, as the XCP uninstaller did.
EFF has expressed satisfaction that Sony BMG has taken steps to acknowledge the security risks caused by the CDs with XCP software, including a recall of the infected discs. However, the group maintains that the measures still fall short of what Sony needs to do to fix the problems caused to customers. "Sony BMG has failed entirely to respond to concerns about MediaMax, which affects over 20 million CDs--10 times the number of CDs as the XCP software," EFF declared.
Unless plaintiffs' attorneys are satisfied by remedial and other steps taken by Sony BMG, the litigation will proceed. Of course, Sony BMG will be entitled to its day in court, and it will be allowed to present any available defenses to seek to excuse its conduct.