In a settlement motion filed with a New York district court on
28th December, Sony BMG also agrees to an independent audit of its
uses of digital rights management software over the next two years
to ensure that its privacy practices are fair to consumers.
Background
The controversy began in October 2005 when computer expert Mark
Russinovich revealed in his blog that, when certain Sony BMG CDs
were played on a computer, an unusual type of anti-copying software
was installed.
The software, known as XCP, installed a so-called rootkit on the
user's computer. This is a technique more often used by virus
writers hoping to conceal the existence of their software: files
are hidden deep in the architecture of a computer's operating
system.
Russinovich found that attempting to uninstall the software
caused damage to his PC: the CD drive was no longer recognised by
Windows, although he was skilled enough to rectify that
problem.
But it was soon revealed that XCP's rootkit also made the user's
computer more susceptible to unwanted intrusion from malicious
hackers, even when any firewall and anti-virus programs previously
installed were up to date. In November 2005, security firm Symantec
discovered the first virus to use Sony BMG's XCP CD as a cloaking
mechanism.
The XCP rootkit was not the only concern. Other Sony BMG CDs
were protected by a piece of software called MediaMax. While
MediaMax did not appear to carry the same level of security
vulnerability, it was described in the New York class action
lawsuit as making a PC "more vulnerable to security breaches by
third parties" than it would have been before installation. It was
also difficult for users to uninstall.
Both XCP and MediaMax exchange information between a user's
computer and Sony BMG's servers, including the user's IP address,
without informing the user. Sony BMG pointed out that it only
collected non-personally identifiable information, saying this was
necessary to provide the CDs with enhanced functionality.
XCP and MediaMax also came with End User Licence Agreements
(EULAs) that were alleged to be misleading because, according to
the claims, they failed to disclose that the programs could not be
readily removed by a user and that information would be exchanged
with Sony BMG.
The jewel cases of the CDs were also accused of providing
insufficient information about the nature and function of XCP and
MediaMax.
MediaMax was singled out for installing around a dozen files on
the user's hard disk even before its EULA appeared on the user's
screen. These files were said to remain installed and active on the
user's computer even if the user declined the EULA.
Class action lawsuits were filed across the US, suing Sony BMG,
SunnComm Technologies, the firm behind MediaMax, and First 4
Internet, the firm behind XCP. The Electronic Frontier Foundation
(EFF), a civil liberties group, also took action.
But the EFF has joined the preliminary settlement agreement that
is expected to settle the class action lawsuits.
The deal
Under the proposed agreement, which still requires court
approval, Sony BMG agrees to:
- Stop manufacturing CDs with the offending software;
- Immediately recall all XCP CDs;
- Provide software to update and uninstall XCP and MediaMax
content protection software from consumers' computers;
- Ensure that ongoing fixes to all Sony BMG content protection
software are readily available to consumers;
- Implement changes in operating practices with respect to all
CDs with content protection software that Sony BMG makes in the
next two years;
- Waive certain provisions currently contained in the XCP and
MediaMax EULAs;
- Refrain from collecting personal information about users of XCP
or MediaMax CDs without their affirmative consent; and
- Provide additional benefits to members of the class actions,
including cash payments, "clean" replacement CDs without content
protection software, and free music downloads.
Customers with XCP-protected CDs will be entitled to $7.50 each
and one album download from a list of 200 titles, or three album
downloads from the list if they waive the cash offer. MediaMax
customers only receive downloads as compensation.
Sony BMG also undertakes to take "commercially reasonable steps"
to destroy the information that it collects from users – album
details and IP addresses – within 10 days of collection, except as
otherwise required by law or court order.
The company also agrees to hire an independent third party to
verify these practices once in 2006 and once in 2007. It will post
the results of each review on its website.
Provisions of the EULAs to be struck out include a prohibition
on consumers reselling their CDs and a bizarre requirement that in
effect would stop the CD playing on a user's computer should he or
she ever file for bankruptcy.
Before manufacturing and issuing any CDs with content protection
software at any time until 2008, Sony BMG undertakes, among other
things, to ensure that a EULA is accepted before installation
begins; to accurately describe the nature and function of the
software in plain English in the EULA and on the jewel case; and to
obtain a third party's comments about the EULA and the software's
risk of creating security vulnerabilities.
Reactions
"The proposed settlement will provide significant benefits for
consumers who bought the flawed CDs," said EFF Legal Director Cindy
Cohn. "Under the terms, those consumers will get what they thought
they were buying – music that will play on their computers without
restriction or security risk."
The original source of the story, Mark Russinovich, described
the terms of settlement as "a significant victory for the
consumer."
It is not yet known if the Attorney General of Texas, who
accused Sony BMG of violating spyware laws, will abandon his case
in light of the class action settlement.