
Sony BMG to Settle Class-Action Lawsuit

Sony BMG Music Entertainment has agreed to a settlement that would end a nationwide class-action lawsuit brought against the company over security flaws in anti-piracy software that it shipped on millions of music CDs.

The Sunbelt Software blog has a copy of the proposed settlement in the case, which was brought last month by a New York-based attorney on behalf of customers throughout the country who bought the affected CDs.

Sunbelt says the document it obtained is a preliminary settlement that was filed seeking judicial approval. After reading the document, I did a little investigating of my own using the court's PACER document lookup system and found another document -- a hearing order -- indicating that Sony BMG and the plaintiffs reached an agreement on Dec. 27 to settle the case.

The lead attorney for the plaintiffs, New York lawyer Scott Kamber, said the two parties signed a settlement which is awaiting preliminary approval by the U.S. District Court for the Southern District of New York.

"We have reached a settlement with all the parties and that settlement provides real value to the class in a timely manner," Kamber said. "This settlement is subject to court approval and no further comment would be appropriate from me at this time."

Sony BMG spokesperson John McKay confirmed that the company had reached an agreement with the plaintiffs, saying Sony is looking forward to the court approval process. He declined to comment further, however.

According to the terms of the settlement, Sony would be required to stop making CDs outfitted with the flawed "XCP" and MediaMax digital rights management software, programs that security experts showed not only destabilized users' PCs but also opened them up to new threats from online attackers and viruses.

Sony BMG also would be required to "implement consumer-oriented changes in operating practices with respect to all CDs with content protection software that Sony BMG manufactures in the next two years; refrain from collecting personal information about users of XCP CDs or MediaMax CDs without their affirmative consent; and provide additional settlement benefits to Settlement Class Members including cash payments, 'clean' replacement CDs without content protection software, and free music downloads."

The agreement signed by the two litigants also requires Sony BMG to begin offering relief to customers directly after the preliminary agreement is approved, not after final approval is granted (which typically takes a few months). The agreement also states that both parties will issue a joint news release directly after preliminary approval.

The settlement also would lay to rest a class action suit brought against Sony by several other parties, including the Electronic Frontier Foundation. Still, the settlement will hardly end Sony BMG's legal troubles, though it may indicate that other settlements are imminent. The Texas attorney general's lawsuit alleging violations of the state's anti-spyware law is moving forward, and several other state attorneys general are considering legal action.

Any Security Fix readers who need a refresher on what this whole fiasco is all about can check out the Piracy section of this blog to read the more than 20 past posts on this subject dating back to Nov. 1.

Update, 5:43 p.m. ET: An earlier version of this post stated that the settlement does not affect a class-action lawsuit brought by the Electronic Frontier Foundation. EFF was one of the parties to this settlement. The above text has been corrected.

By Brian Krebs  |  December 29, 2005; 11:30 AM ET
Categories:  Piracy  


They sold out.

Sony gets to walk, the Mediamax malware is not recalled, and despite the supposed "protections" invoked by the settlement it's all gold for Sony and future malware.

They just have to be a little more discreet...

Posted by: the zapkitty | December 29, 2005 1:59 PM

I'm quite disappointed by this proposed settlement. Sony didn't accidentally cause these problems, they knew what they were doing and lied about it. This settlement does nothing to keep them from doing the same thing in the future.

It also ignores those whose claims are not similar to those of the average "I got infected, and am willing to trust another piece of software from Sony to actually uninstall XCP" such as myself. My Transmeta-based laptop has become incredibly unstable since I installed XCP. Sony's response to a letter asking for manual uninstall instructions was met with only a form letter apologizing for my problems and directing me to download and run their "update".

I'm tracking the lawsuit at and have copies of most of the documents that have been filed with the court, for those who want a bit more detail.

Posted by: Mark | December 29, 2005 11:53 PM

Would the Washington Post sneak into my home and install video cameras to ensure that I didn't photocopy its newspaper? Of course not. Yet, this article focuses on the side-effect of security risks rather than the central problem of privacy. Perhaps the Washington Post feels they could install such video cameras as long as they promised not to make a mess and lock the door behind them? I sincerely doubt that is the case. So why is Sony's software not received with outrage about privacy rather than this nonsense that they left dirty dishes in the sink?

Posted by: Jim | December 30, 2005 8:38 AM

Sony and SunCom seem to think they are vindicated for their sneaking into people's private lives by offering free downloads. Watch out!!! They may be watching you!!! What a bunch of yahoos!! (No pun intended)

Posted by: Carol | December 30, 2005 9:20 AM

Dear Sir,

The real problem is not the security flaws. Those were unfortunate, but such things happen.

Rather, the real story is in the parts Sony did on purpose. Most importantly, the decision itself to make a rootkit and covertly install it into customers' computers was intentional. The decision to interfere with CD drives was intentional - it could hardly be otherwise, if limiting CD burning is one of the primary functions of the software.

The copyright infringement also would've been intentional, though probably on the part of First4Internet rather than Sony. You see, XCP itself infringes on copyrights - in a righteous drive to protect its own intellectual property, Sony infringed on that of others, in millions of copies...

If you or I covertly installed a rootkit on somebody's computer, we'd be in a lot of trouble. Doubly so if government computers were among those affected, as they are here. Even at the least, it would be hundreds of dollars worth of clean-up fees; more likely, jail-time. Yet here Sony is walking away with a $7.50 payment and a promise not to do it again for two years.

Not even a "never again". It's "not for the next two years".

With regards,

Jiri Baum

Posted by: Jiri Baum | January 6, 2006 1:25 PM

The comments to this entry are closed.
