Sony BMG is the world's second largest music company, responsible for approximately one-quarter of all album sales in the United States. Among the CDs it has been selling in 2005, however, are millions that include copy-protection software. If the owner of one of these CDs wants to play or copy it on her Windows computer, she must first install software intended to restrict the number and kind of copies her computer can make.
After quietly distributing these CDs for months, Sony BMG was caught flat-footed when computer security professionals in early November 2005 discovered that its copy-protection software creates serious security risks. At least one variant of the protection software installs itself even if the user declines the pop-up end-user license agreement and ejects the CD. Moreover, when the CDs are played, the software phones home to servers controlled by Sony BMG, reporting details of the user's listening habits. Finally, once installed, the copy-protection software is difficult, if not impossible, to uninstall.
The response from customers, musicians and consumer journalists has been swift and merciless. A reporter for Stereophile magazine put it this way: "In other words, Sony installs files on its consumers' computers without their permission, does not allow the files to be removed, and spies on its customers." His verdict: "Weasels, we calls 'em." On the opinion pages of The New York Times, a working musician urged the music industry to recognize that copy-protection software is bad for everyone: consumers, musicians and labels alike. At online retailer Amazon.com, the reviews of Sony BMG's copy-protected CDs are filled with customer complaints.
But the public relations meltdown was only the beginning of Sony BMG's troubles. Within weeks, more than 10 class action lawsuits had been filed against Sony BMG in both state and federal courts (including two in which this author serves as counsel). Texas Attorney General Greg Abbott has also filed an action against Sony BMG, and the attorneys general of New York, Illinois and Massachusetts have expressed concern about the CDs in question.
Sony BMG's experience is quickly shaping up into an object lesson in the legal risks that companies face when they distribute faulty software and mislead the public.
THE PROBLEM AND SONY BMG'S RESPONSE
All of Sony BMG's copy-protected CDs include one of two protection technologies, either First4Internet's Extended Copy Protection (XCP) or SunnComm's MediaMax software.
The initial security revelations, published on the SysInternals Web log in early November 2005, related to the XCP software. The Web log reported that the XCP software automatically installed a rootkit on Windows computers. A rootkit is essentially the computer equivalent of Harry Potter's invisibility cloak: it intercepts the operating system's own reporting of files, processes and registry entries so that the software it protects does not appear in them, and therefore cannot be seen by anti-virus and anti-spyware tools or by the computer user. Rootkits are generally associated with viruses, spyware and other malware that burrows deep into a computer in order to avoid discovery and removal. The XCP rootkit posed a serious security risk because its cloak was not limited to XCP's own files: once installed on a user's computer, it could be used by other third parties to hide their own malicious software.
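The mechanism described above, and the reason a third party can ride on it, is easy to show in miniature. The following is an added illustration, not code from the article, from Sony BMG or from First4Internet: a simulated "hook" on directory enumeration drops every entry whose name begins with a marker prefix, a signature scanner that trusts that enumeration misses anything so marked, and a cross-view check (the technique the SysInternals tooling relies on) exposes the hidden entries by comparing the filtered view with the raw one. The marker prefix `$hidden$`, the file names and the in-memory volume are all constructed for the example and are not the real software's values.

```python
import hashlib

# Assumed marker for this illustration only; not a value taken from the article.
HIDE_PREFIX = "$hidden$"

# Constructed in-memory volume: path -> file contents.
RAW_VOLUME = {
    "Windows/system32/kernel32.dll": b"legitimate system library",
    "Windows/system32/drivers/$hidden$cd.sys": b"copy-protection driver",
    "Windows/system32/$hidden$helper.dll": b"copy-protection helper",
    "Program Files/Player/player.exe": b"bundled cd player",
}


def basename(path):
    return path.rsplit("/", 1)[-1]


def raw_view(volume):
    """Trusted view: every path actually present (think offline mount or raw volume scan)."""
    return sorted(volume)


def hooked_view(volume, prefix=HIDE_PREFIX):
    """View through the hooked enumeration: any entry carrying the marker is silently dropped."""
    return sorted(p for p in volume if not basename(p).startswith(prefix))


def cross_view_diff(volume, prefix=HIDE_PREFIX):
    """Cross-view detection: present on disk but absent from the API view means hidden."""
    return sorted(set(raw_view(volume)) - set(hooked_view(volume, prefix)))


def plant_hidden(volume, path, contents, prefix=HIDE_PREFIX):
    """A third party that knows the marker renames its file to borrow the same cloak."""
    directory, _, name = path.rpartition("/")
    hidden_path = f"{directory}/{prefix}{name}" if directory else f"{prefix}{name}"
    planted = dict(volume)
    planted[hidden_path] = contents
    return planted


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def scan(volume, view, bad_hashes):
    """Signature scanner that only examines the files the enumeration shows it."""
    return sorted(p for p in view if sha256(volume[p]) in bad_hashes)


if __name__ == "__main__":
    malware = b"constructed keylogger payload"
    signatures = {sha256(malware)}

    # Unrelated malware hides itself by adopting the marker.
    infected = plant_hidden(RAW_VOLUME, "Users/Public/kl.exe", malware)

    print("AV through hooked view :", scan(infected, hooked_view(infected), signatures))
    print("AV through raw view    :", scan(infected, raw_view(infected), signatures))
    print("cross-view discrepancies:", cross_view_diff(infected))
```

The scanner run through the hooked view reports nothing, the same scanner run over the raw view finds the planted file, and the cross-view diff lists both the protection software's own files and the piggybacking one. That last list is the practical check: any entry that exists on disk but is missing from the operating system's listing deserves investigation, whoever put it there.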
" e" Z6 G! n$ W# w4 O$ P Sony BMG initially responded to the XCP revelations by attempting to downplay the risks, with one senior Sony BMG executive opining that most people, I think, do not even know what a rootkit is, so why should they care about it? While typical computer users may not have appreciated the vulnerabilities created by XCP's rootkit feature, virus writers responded within days by developing and releasing viruses designed to exploit it. Soon thereafter, the leading makers of anti-spyware and anti-virus tools, including Microsoft, Symantec and Computer Associates, branded XCP a security threat. Their concerns were soon echoed by the U.S. Computer Emergency Readiness Team (US-CERT), an arm of the Department of Homeland Security charged with the task of protecting the nation's Internet infrastructure. |