New Sony Spyware Allegations Surface in Tex. Suit

Invoking the Tex. Deceptive Trade Practices Act Wed., Abbott said SunnComm’s MediaMax -- the other Sony copy protection now under scrutiny -- violates state spyware and consumer deception laws. CD users are offered an end user license agreement (EULA), but even when the agreement is rejected, MediaMax installs files on PCs, rendering them vulnerable to security breaches, the suit alleged. “We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music,” Abbott said. “Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes.”

Trying to minimize digital intrusion, Abbott wrote to retailers urging they immediately yank the titles. “These CDs open the door for malicious hackers to target consumers’ computers,” he said, warning that continuing to sell the CDs could make the stores liable under the law as Sony. A spokesman said notices have gone to big retailers like Circuit City, Best Buy, Wal-Mart. The AG’s office is working on sending letters to smaller retailers.

The disputed software has an uninstall feature, said the Electronic Frontier Foundation (EFF). EFF, which first flagged the vulnerability, said the software also transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, letting the company track listening habits. The EULA says the software won’t be used to collect personal data and SunnComm’s website says “no information is ever collected about you or your computer.” CDs containing MediaMax technology lists the URL www.suncomm.com/support/sonybmg on the back of the product cover.

Replying to a Nov. EFF letter, Sony denied the rootkit problem and didn’t respond fully to MediaMax fears, EFF said. According to EFF, MediaMax affects over 20 million CDs -- 10 times the number with the rootkit software. Sony later responded “quickly and responsibly” when EFF pointed out a security problem with MediaMax version 5.

The new Tex. complaint says Sony CDs containing MediaMax can compromise PCs at least as much as XCP technology targeted in the initial suit. Abbott said Sony used the same deceptive means to spread the vulnerability. On top of alleged violations of the state’s Consumer Protection Against Computer Spyware Act, which sets fines of $100,000 a violation, charges made this week carry a maximum penalty of $20,000 per violation.

EFF Staff Attorney Kurt Opsahl said he was glad Abbott is still on the case. Attorneys general in N.Y., Ill. and Mass. are studying MediaMax’s DRM vulnerabilities, he said, noting that other labels also use Suncomm’s technology. EFF sent a letter to the company asking it to make available a list of MediaMax clients, Opsahl said. Suncomm hasn’t responded, but EFF has learned some CDs from Viastar, Koch and Men of Business records use the technology, he said.

A Sony spokesman said the firm has “an ongoing dialog” with Abbott’s office and the company responded appropriately to gripes about MediaMax software installation. “The MediaMax software does not and cannot collect personal information about consumers as spyware typically does,” Sony said: “The MediaMax software is not hidden and was included solely for the purpose of content protection.” Security issues with MediaMax aren’t uncommon and are addressed by a software update Sony has made available, the spokesman said. Sony provided consumers a one-click uninstall mechanism for total removal of MediaMax.