EFF, Texas Attorney General Sue Sony

Greg Abbott, the attorney general for Texas, today filed a lawsuit against Sony BMG Music Entertainment, alleging that its controversial (and now recalled) "XCP" anti-piracy software violates the state's anti-spyware and consumer protection laws.

"Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," Abbott is quoted as saying in a press release on his official Web site. "Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime."

Abbott's suit seeks civil penalties of $100,000 for each violation of the law, attorneys' fees and investigative costs.      

At $100,000 per violation, this lawsuit could really hit Sony's pocketbook hard. Last week, computer security researcher Dan Kaminsky published research showing that Sony's flawed anti-piracy software is installed in computers on at least 560,000 networks around the globe. Kaminsky said that if there were on average just two machines on each network running the anti-piracy software, the number of computers currently endangered by Sony's products could number in the millions. 

I spoke with Abbott shortly after their press conference on this and he said that if industry estimates about the percentage of people who buy music CDs and listen to them on their PCs (30 percent) are accurate, then there could be "thousands if not tens of thousands" of affected Texas consumers.

"The message we hope to send with this lawsuit is don't mess with Texas' computers," Abbott said.

This would mark the first lawsuit filed under Texas's new spyware law, and it would be the third case brought against Sony over its digital-rights management software, which installs surreptitiously on Windows PCs, hides its files and resists removal. Lawyers in California and New York also have filed class-action suits against the company.

Consumers who try to remove the software can damage their machine or render their CD-ROM drives inoperable. Security researchers also uncovered security holes in the program itself, as well as flaws in the "patch" Sony recently issued to help consumers remove the most dangerous portions of its software.

Sony said last week it would let consumers exchange compact discs encoded with the software for new versions of the same titles without the software.  The company promised to recall the affected CDs from retailers' shelves, but the Texas suit claims the attorney general's investigators were able to purchase numerous titles at Austin retail stores as recently as Sunday evening.

A PDF version of the Texas suit is online here.

Update, 1:37 p.m. ET: It looks like the Electronic Frontier Foundation (EFF), which has been rumbling about possibly filing a lawsuit on behalf of people who bought Sony CDs, is getting ready to announce something at 3 p.m. ET today. Security Fix will be following that development closely. From my brief conversation with EFF Legal Director Cindy Cohn, it appears EFF may be prepared to pressure Sony not just on the CDs protected by the "XCP" software targeted by the Texas lawsuit, but also vulnerabilities recently uncovered in MediaMax, the anti-piracy software produced for Sony by SunnComm Technologies, whose programs were stitched into roughly 20 million CDs already sold.

Update, 3:38 p.m. ET: EFF filed its class-action lawsuit against Sony in California state court, along with two leading national class-action law firms. In its filing, EFF issued a statement praising Sony for acknowledging problems with its XCP software, but said that the company "has failed entirely to respond to concerns about MediaMax." "Music fans shouldn't have to install potentially dangerous, privacy intrusive software on their computers just to listen to the music they've legitimately purchased," the EFF's Cohn said.

Update, 6:25 p.m., ET: It looks like Massachusetts Attorney General Tom Reilly could also soon be going after Sony. Sarah Nathan, a spokesperson for the Mass. AG, confirmed that Reilly's office is investigating Sony BMG for possible violations of the state's consumer protection laws, but she declined to comment further.

By Brian Krebs  |  November 21, 2005; 12:34 PM ET
Categories:  Piracy  


For the last few days there has been a CERT advisory "First 4 Internet XCP (Sony DRM) Vulnerabilities"

The bottom line is their common sense advice: "Use caution when installing software. Do not install software from sources that you do not expect to contain software, such as an audio CD."

Posted by: JCanada | November 21, 2005 1:19 PM

Ha ha ha ha ha ha ha ha

Posted by: Don Wood | November 21, 2005 1:19 PM

windows auto-run... it does it for you.

Posted by: p@ | November 21, 2005 1:29 PM

It looks like the DRM can be defeated by simple physical means.

Posted by: Keith | November 21, 2005 2:41 PM

1. Thanks for talking to the Texas AG, saves me the trouble of sending him your URL. Yes, you done good.

2. How about CERT, as JCanada pointed out? I think that this should actually be kicked upstairs to DHS:

a. It was an infrastructure attack (on computer networks)
b. It crossed national boundaries (only some of the infrastructure damage is property/computers in private hands).
c. It is a "generalized" security threat which needs a policy, not specific laws (Think in terms of "Designer Drugs").

Posted by: GTexas | November 21, 2005 4:33 PM

The Texas lawsuit against Sony is the best news ever. I just wish for more such lawsuits against Sony and other record companies such as EMI which uses such despicable methods to infringe the rights of their customers. Consumers like us must not allow ourselves to be bullied by these companies. We must stand up for our rights as consumers by insisting that we WILL NOT BUY anything that restricts our use of what we have paid for with our hard-earned money. Consumers to the fore! Let all of us, who have been violated by Sony and the likes, join hands and sue them in unison to their last penny!

Posted by: Seb | November 21, 2005 7:07 PM

This kind of thing should be attacked on a much wider front. Software companies are getting away with outright theft and ruining millions of computers in the process. Why is there not more action on this front, in all 50 states? I plan to provide additional information on my web site, Even Norton anti-virus software, in my view, takes on virus like aspects. When I removed it from my computer, I found it was still there, "reminding" me every time I logged on that I needed it. I don't.

Posted by: Doug Terry | November 21, 2005 8:31 PM

I read that Sony's SunnComm DRM software is installed before the user dialog appears asking if you want to "install the software". Answering No doesn't remove it, in my view this is wrong. Fortunately millions of Windows users have become capable of sorting Windows problems out for their friends and families, however this will turn millions of citizens into DMCA "criminals". This is often called the "Law of unintended consequences"!

Posted by: TonyC | November 22, 2005 2:15 AM

@Doug Terry; "Even Norton anti-virus software, in my view, takes on virus like aspects. When I removed it from my computer, I found it was still there, 'reminding' me every time I logged on that I needed it."

I can't agree with that.

I don't care for Norton security software and wouldn't use it. Furthermore, as Bruce Schneier comments "Symantec's response to the rootkit has, to put it kindly, evolved."

Moreover, I think it regrettable that Symantec has cut so many deals with the OEMs that you get this stuff on many new PCs **whether you want it or not**.

I think that is downright unacceptable.

However, it does not have "virus like aspects". Computer viruses self-replicate - the same as biological ones, hence the name. The only sensible use of the term "virus-like" is for software that self-replicates.

That Symantec products are, or can be, difficult to uninstall can be a nuisance, but does not make them "virus-like".

Most security software loads on startup - so that you are protected from the get-go - and this is going to mean that uninstall is never a trivial matter.

Moreover, you have to consider that if security software is too easy to uninstall, then it is something of a liability, because it will be easy for malware to target it and uninstall it.

If you've trouble removing it, I'd consult the relevant pages of instructions for removal on Symantec's site.

Posted by: Mike | November 22, 2005 5:24 AM

As a side note, I hope that one of the fallouts of the rootkit debacle is the prohibition of "partner" software that automatically loads when you install certain software. For example the OEM "restore" disks of WindowsXP load a bunch of trial programs and nagware. These programs, for the lack of a better word, are trespassing on my computer. So as a consequence of the rootkit debacle, I hope software vendors will only give us what we bought, nothing more.

Posted by: Steve | November 22, 2005 9:04 AM

Time for a cold shower folks ...

What prompted SONY to imagine they could get away with this?

"If we can find some way to do this without destroying their machines, we'd be interested in hearing about that, if that's the only way, then I'm all for destroying their machines. There's no excuse for anyone violating copyright laws."

--- Sen. Orrin Hatch, Chairman of the Senate Judiciary Committee on 06/18/03

Scary, huh?

Posted by: GTexas | November 22, 2005 3:40 PM

It looks like the U.S. Military is finally waking up to the security implications of SONY's rootkit. Here is an article from the Stars & Stripes, a military newspaper.

Also on a related note, SecuROM, SONY's other CD DRM project that is under investigation has removed from the FAQ the proof that they allow users to bypass administrator rights. Look at the Google cache link and then at the new page. Notice #7 has now been changed.



I have also found several articles on CNET about financial institutions finding rootkit infected systems in their banks. That's just great. Way to go SONY. National Security, Financial Institutions... what's next... Nuclear Plants?? Oh wait, guess what... I'm sure it has already happened.

Posted by: NoMoDRM | November 23, 2005 5:22 AM

I just went to the US-CERT website and did a search on MediaMax and got no result. How come XCP is referenced, but not its evil twin?

Posted by: jacrav | November 23, 2005 10:57 AM

The comments to this entry are closed.

© 2010 The Washington Post Company