Sony BMG Settles Suit over CD Rootkit Software
Sony BMG Music Entertainment will pay $1.5 million and kick in thousands more
in customer refunds to settle lawsuits brought by California and Texas over
music CDs that installed a hidden anti-piracy program on consumers' computers.
Not only did the program itself open up a security hole on computers, but some
customers' attempts to remove the software also damaged their PCs.
The settlements, announced Tuesday, cover lawsuits over CDs loaded with one
of two types of copy-protection software -- known as MediaMax or XCP.
Under the terms of the separate settlements, each state will receive $750,000
in civil penalties and costs.
In addition, Sony BMG agreed to reimburse consumers whose computers were damaged
while trying to uninstall the XCP software. Customers in both states can file
a claim with Sony BMG to receive refunds of up to $175.
State officials estimate some 450,000 compact discs carrying the XCP software
were sold in California, while about 130,000 were sold in Texas.
Customers have 180 days to file claims, which must include a description of
how their computer was harmed and documentation of repair expenses.
Some who used certain antispyware software to remove the programs installed
by the Sony BMG CDs ended up with a glitch that disabled their CD-ROM drives.
As part of the settlements, Sony BMG also agreed not to distribute any compact
discs loaded with any copy-protection software that hinders computer users from
easily locating it or removing it from their computers.
The record company also agreed to improve its disclosure practices.
"Companies that want to load their CDs with software that limits the ability
to copy music should fully inform consumers about it, not hide it, and make
sure it doesn't inflict security vulnerabilities on computers," California
Attorney General Bill Lockyer said in a statement. "To its credit, Sony
BMG learned this lesson and has stopped the practices that led to this lawsuit."
According to the complaint filed by Lockyer, Sony BMG did not disclose in the
outer packaging the presence of the software, which was loaded on consumers'
computers without their knowledge or consent when they played the CDs on their
The software also was stored in such a way that it could not be seen on the
PC without taking special measures.
In a news conference Tuesday in Austin, Texas Attorney General Greg Abbott said
the settlement sent a clear message.
"Texans deserve to be protected from harmful hidden software that threatens
their privacy or the security of their computers," he said.
In a statement, Sony BMG said it was pleased to reach agreements with the two
Sony BMG began including MediaMax on some of its discs in August 2003 and introduced
XCP in January 2005. Both programs limited the number of copies of a disc that
a user could make.
But word began to spread on the Internet in late 2005 that the software on
the CDs potentially could make computers vulnerable to hacking. Some suggested
the company was using the technology to spy on consumers.
But the company maintained it did not use any of the software to collect personal
data about the consumers without their consent -- an assertion backed up by an
outside company commissioned by Sony BMG to audit its use of the copy-protection
Sony BMG ultimately recalled the discs with XCP in November 2005 and released
a way to remove the files from users' computers. Some 4.7 million CDs on 52
Sony BMG titles had been made with the technology and 2.1 million had been sold.
Tuesday's settlements close out government probes into the matter by Texas
and California. The company had previously settled a class-action case over
Sony BMG is a joint venture of Sony Corp. and Bertelsmann AG.