Sony BMG Settles FTC Charges
Sony BMG will allow consumers to exchange CDs containing concealed content-protection software purchased before Dec. 31, 2006, for non-content-protected versions and reimburse up to $150 to repair damages resulting directly from attempts to remove the software, according to a settlement with the FTC announced Tues. The FTC voted 5-0 to accept the proposed consent agreement. It will be subject to public comment through March 1, after which the FTC will decide whether to make it final.
The decision sends a strong message to the music industry that DRM may be more trouble than it’s worth, the Electronic Frontier Foundation’s Corynne McSherry told us. Sony BMG and other record labels will likely be more hesitant to use digital rights management (DRM) software in the future, she said. However, the settlement may not mean much for the average consumer, since it doesn’t add anything significant to what’s already been agreed to in state decisions, said Jeremy DeBeer, prof. of law at U. of Ottawa. A spokesman for Sony BMG said the company is pleased to have reached an agreement with the FTC but declined to comment further.
Sony’s DRM software exposed consumers to security risks without adequate notification and consent, the FTC complaint said. After it’s installed, the XCP DRM software hides from Windows, the complaint said. Malicious software can then exploit the cloaking technology to conceal itself, it said. Sony’s MediaMax 5.0 DRM software creates a “privilege escalation vulnerability” that could give 3rd parties who gain low-privilege physical access to a Windows computer full control, the FTC said. In addition, Sony failed to readily provide an uninstall tool, it said.
Sony didn’t adequately disclose that its music CDs installed software that limits disc-to-disc copying and prevents the ability to transfer music to certain digital playback devices, including Apple’s iPod, the complaint said. The complaint also alleged that the software’s media player monitored artists consumers listen to and displayed ads based on the data.
Sony must label content-protected CDs with clear, prominent disclosures that the CD will install software, collect information, limit copying or restrict playback to specific devices, the settlement said. Also, consumers must have the ability to authorize software installation. The agreement prohibits Sony from using any information it collects through installed software for marketing or advertising purposes and requires the destruction of any such information within 3 days. Consumers must agree to any information collection, it said.
Sony BMG must use product packaging to disclose that MediaMax 5.0 CDs will create security vulnerabilities that consumers can eliminate with a free, downloadable patch, and that information will be collected from users for ad purposes. Sony must provide retailers the same financial incentive to return MediaMax 5.0 CDs as those for XCP CDs. The incentives must be available for 2 years after the agreement is final.
Sony BMG must provide “reasonable and effective” means to uninstall content-protection software, the settlement said. Sony doesn’t need to provide the ability to uninstall the counter file that determines if a consumer has exceeded the permitted number of copies, but must disclose, before the file is installed, that it can’t be removed. Sony must continue to provide free uninstall tools and patches for XCP and MediaMax 5.0 for 2 years after the agreement is final. Sony BMG must notify consumers about the rootkit issue by extending its program of purchasing search keywords for one year and by publishing notice on its website.
Sony BMG isn’t working hard enough to get the word out to affected consumers, McSherry told us, depending on consumers to seek out the information themselves. Sony should spend the same amount of money to notify consumers of the security vulnerabilities posed by DRM as they do to promote a new album, she said. The media, govt. regulators and class-action lawyers have done much work to use the Sony BMG case as a real-world example of DRM’s dangers, DeBeer told us. “The ‘rootkit’ saga will be DRM’s legacy,” he said.
Sony shares dropped 69 cents to $46.31 as of our deadline Tues. They've traded between $37.24 and $52.29 in the past year.
Sony BMG spent the Dec. holidays settling state lawsuits over 12 million-plus CDs sold with undisclosed anti-copying DRM software in 2005. Sony BMG agreed to pay $750,000 each in Cal. and Tex., and to give harmed consumers up to $175. The record company then agreed to pay $4.25 million to settle suits by 39 more states and D.C. for breaking spyware laws and to reimburse customers with computer damage up to $175.
The Sony BMG “rootkit” debacle also led to an anticircumvention exemption granted in the Copyright Office’s triennial rulemaking last Nov. The exemption allows for “good faith testing, investigating or correcting” of security flaws and vulnerabilities in DRM. Ed Felten, a Princeton U. professor who was a leading proponent of the exemption, declined to comment on Sony BMG’s settlement with the FTC.