New Sony BMG Spyware Allegations Surface in Tex. Suit
Tex. Attorney Gen. Greg Abbott upped the ante in a suit against Sony BMG, adding allegations of harm to buyers of CDs ranging from Frank Sinatra to Switchfoot. In Nov., Abbott (R) sued the N.Y.-based firm under a new state spyware law -- the first state official to pursue Sony in court for embedding spyware in products. The original Sony rootkit brouhaha (CED Nov 23 p8), involving First4Internet XCP technology, prompted lawsuits, consumer alerts and an industry-wide wake-up call.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Invoking the Tex. Deceptive Trade Practices Act Wed., Abbott said SunnComm’s MediaMax -- the other copy protection used by Sony now under scrutiny -- violates state spyware and consumer deception laws. CD users are offered an end user license agreement (EULA), but even the agreement is rejected, MediaMax installs files on PCs, rendering them vulnerable to security breaches, the suit alleged. “We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music,” Abbott said. “Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes.”
Trying to minimize digital intrusion, Abbott wrote to retailers urging they immediately yank the troubled titles. “These CDs open the door for malicious hackers to target consumers’ computers,” he said, warning that continuing to sell the CDs could leave stores as liable under the law as Sony. A spokesman said notices have gone only to Circuit City, Best Buy, Wal-Mart and the like. The AG’s office is in the process of sending letters to smaller retailers.
The disputed software has an uninstall feature, said the Electronic Frontier Foundation (EFF). EFF, which initially flagged the vulnerability, said the software also transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, letting the company track listening habits. The EULA states that the software won’t be used to collect personal data and SunnComm’s website states “no information is ever collected about you or your computer.” CDs containing MediaMax technology have a back CD cover that lists the URL: www.suncomm.com/support/sonybmg.
In answering a Nov. EFF letter, Sony denied the rootkit problem and didn’t respond fully to MediaMax fears, EFF said. According to EFF, MediaMax affects over 20 million CDs -- 10 times the number affected by the rootkit software. Sony later responded “quickly and responsibly” when EFF pointed out a security problem with MediaMax version 5.
The new Tex. complaint says Sony CDs containing MediaMax can compromise PCs at least as much as XCP technology targeted in the initial suit. Abbott said Sony used the same deceptive means to spread the vulnerability. Besides alleged violations of the state’s Consumer Protection Against Computer Spyware Act, which sets fines of $100,000 per violation, charges made this week carry a maximum penalty of $20,000 per violation.
A Sony spokesman said the firm is engaged in “an ongoing dialogue” with Abbott’s office but said the company responded appropriately to gripes about MediaMax software installation. “The MediaMax software does not and cannot collect personal information about consumers as spyware typically does,” Sony said: “The MediaMax software is not hidden and was included solely for the purpose of content protection.” Security issues with MediaMax aren’t uncommon and are addressed by a software update Sony has made available, the spokesman said. Sony provided consumers with a one-click uninstall mechanism for total removal of MediaMax.
EFF Staff Attorney Kurt Opsahl said he was glad Abbott is still on the case. Attorneys general in N.Y., Ill. and Mass. are studying MediaMax’s DRM vulnerabilities, he said, noting that other labels also use Suncomm’s technology. EFF sent a letter to the company asking it to make available a list of MediaMax clients, Opsahl said. Suncomm hasn’t responded, but EFF has learned some CDs from Viastar, Koch and Men of Business records use the technology, he said.