Security threats Toolkit

Court orders Sony to pay rootkit victims

Tags:
Sunncomm,
Rootkit

Anne Broache CNET News.com

Published: 23 May 2006 09:55 BST

A federal judge on Monday gave final approval to a settlement in a class action suit against Sony BMG Music Entertainment over copy protection software on music CDs that hacked customers' operating systems.

The agreement covers anyone who bought, received or used CDs containing "cloaked" digital rights management (DRM) software after 1 August 2003. Those customers can file a claim and receive certain benefits, such as a non-protected replacement CD, free downloads of music from that CD and additional cash payments.

The court action picked up last fall when security researchers exposed the behaviour of First4Internet's XCP and SunnComm's MediaMax, which are automatically installed on a user's computer upon loading certain Sony BMG music CDs. The software is masked by a "rootkit" that can make the PC more vulnerable to viruses and other hacker attacks. The software also allegedly sent information about the listener's computer use back to Sony BMG.

At least 15 different lawsuits were filed by class action lawyers against the record label, and the New York cases were eventually consolidated into one proceeding. The parties reached a preliminary settlement with Sony BMG in December, leaving it up to a judge in a US District Court in New York to make it official.

Sony BMG had already yanked the affected discs off the shelves, suspended production of CDs containing the technology and issued a recall of the 4.7 million XCP CDs, offering MP3 downloads in return.

Under the terms of the final settlement, Sony BMG definitively agreed to continue halting manufacture or distribution of CDs containing the two programs. It stopped using XCP on its products in November 2005 and ceased using MediaMax about a month later, according to court filings.

For the duration of the settlement, which lasts until the end of 2007, the company is expected to take several steps before putting any new copy protection software on its wares, including submitting the software for review by an independent security expert and including a brief, written description of the copy protection tool on any CD that contains it.

Sony BMG told ZDNet UK's sister site CNET News.com on Monday that it was "pleased" the settlement had been approved by the court.

Electronic Frontier Foundation legal director Cindy Cohn, whose organisation represented plaintiffs in the settlement, urged anyone in possession of the offending CDs to stake their claims against Sony. Doing so, she predicted, may send a message to Sony BMG and other music labels to "think twice before wrapping songs in DRM".

Sony BMG still faces a separate lawsuit "over materially the same subject matter" from the Texas attorney general, as well as inquiries from the Federal Trade Commission and other state attorneys general, according to the text of the settlement. The document indicates Sony will pursue similar settlements in those cases.