</p> Security woes were only part of the problem. Having paid full retail price for the CDs, music fans got them home only to discover that using them on a computer was subject to a bewildering and outrageous array of contractual conditions imposed by a mandatory end-user license agreement (EULA). For example, the EULA includes provisions purporting to require the immediate deletion of all copies if a user files for personal bankruptcy or parts with possession of the CD (including, presumably, if the CD were stolen from your car). The EULA also attempts to limit Sony BMG's liability to no more than $5, well short of a refund of the purchase price, and to force consumers to litigate in New York if they have any disputes with Sony BMG. In short, when it came to using these CDs on their computers, music fans are getting far less for their money than they had with traditional CDs.
, G( y8 o; S* @; s Sony BMG's initial efforts to address the problem were half-hearted, at best. An early uninstaller, offered to customers only after completing a complex request procedure, created new security vulnerabilities. Nearly two weeks elapsed before Sony BMG finally announced that it would halt further production of the XCP CDs. Ultimately, Sony BMG announced that it would offer to exchange XCP-protected CDs for unprotected replacements. More than a month after the initial public revelations, a revised XCP uninstaller was finally released.
% y5 y5 i- b' w) }. b The other copy-protection technology, SunnComm's MediaMax, presented its own problems. Researchers discovered that the MediaMax software installed itself on Windows computers even when users declined the pop-up license agreement. When Sony BMG released an uninstaller for MediaMax, it created additional security risks. The Electronic Frontier Foundation (EFF) subsequently commissioned an examination of the MediaMax software, revealing a potentially dangerous security vulnerability. When Sony BMG released a patch to address this flaw, another vulnerability was discovered, necessitating the withdrawal of the patch.
% h& V+ w: p3 v; k' R$ o6 g Both XCP and MediaMax are also troubling from a privacy perspective, as they routinely transmit information over the Internet to servers controlled by Sony BMG, sending information about a user's listening habits. This phone home feature is not disclosed to CD buyers, who are instead told by Sony BMG that no information is ever collected about you or your computer without your consenting.1 f8 | r& I3 F/ ?: K- Y* P1 u
THE LEGAL CLAIMS D: y: C) T' N! m9 }
The numerous lawsuits filed against Sony BMG in the wake of the protected-CD debacle provide an illuminating overview of the kinds of claims that companies may face when distributing faulty software.
& ?2 k! @/ t- F9 W One set of claims is rooted in statutes forbidding computer intrusion. For example, a number of the class action complaints rely on the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, which forbids accessing a computer without, or in excess of, the authority of the owner of the computer. Private civil litigants are entitled to bring suit where the prohibited computer intrusion causes losses exceeding $5,000, threatens public health or safety, or damages a computer system used by government entities for judicial, national security or defense functions. Similar state laws have also been invoked, including California's Penal Code §502, which prohibits the unauthorized introduction of a contaminant into a computer that transmits information about a computer to third parties without authorization.
* J8 Z" ?% p+ t8 k9 c0 U2 G* y9 W8 j
Recently enacted state laws aimed at spyware and adware are a second basis for legal claims against Sony BMG. Class actions filed in California, for example, allege violations of recently enacted California Business & Professions Code §22947.3, which prohibits deceptively taking control of a user's computer, modifying computer settings or preventing users from uninstalling software. Similarly, the Texas attorney general relied on the Consumer Protection Against Computer Spyware Act, Texas Business & Commercial Code §48.053, which prohibits manipulating software in order to prevent a computer user from detecting, locating and removing the software. The Texas statute also prohibits intentionally misrepresenting that the installation of software is necessary for security or privacy reasons. §48.055(1). In addition to California and Texas, 10 other states have enacted laws aimed at spyware, many of which may reach Sony BMG's conduct. |