24-11-05

Sony BMG Sued Over DRM: Robert Hull and others v Sony BMG

In a worrying setback in the majors' fight against piracy, a class action lawsuit was filed on 21 November 2005 in California against Sony BMG, on behalf of all relevant CD purchasers, for the damage done by two kinds of DRM software included in over 20 million CDs. The programs embedded within the CDs are referred to in the claim as "spyware", described as "technology deployed without users' consent that impairs control over a user's experience, privacy and system security". It is claimed that, "by including a flawed and overreaching computer program in over 20 million CDs sold to the general public, Sony BMG [in violation of California law] has created serious security, privacy and consumer protection problems" that have damaged users and their computers.

Sony BMG admits having used two programs since 2003, MediaMax and Extended Copy Protection (or "XCP"), to restrict customers' computer use of audio CDs. Researchers have shown, however, that the programs were designed with many qualities of a so-called "rootkit" (and more tellingly a "Trojan"), which installs hidden files on a user's computer, allowing Sony BMG to monitor customer listening to the CD (through the Internet) but also degrading the computer's performance and exposing users to malicious attacks by third-party websites the user may inadvertently visit.

When a CD is inserted into a computer running Windows, 18 files are automatically installed, using about 15 MB of the user's hard drive. One file (called only "sbcphid") is automatically installed without notice or consent into the computer's operating system before the user has sight of the accompanying "End User Licensing Agreement" (or EULA). The file then directs the computer to "phone home" with user ID information every time a protected CD is played.
Even if the user never accepts the EULA, the program contains no uninstall feature and, until 15 November 2005 when Sony BMG made available an uninstaller to those who provided further personal data, could not be purged without re-booting the hard disk in its entirety. Since that date, the uninstaller has itself shown problems and has been withdrawn.

It is also claimed that Sony BMG included misleading and "unconscionable" terms in the EULA, including restrictions on use of lawfully-made copies if the original CD is stolen or lost, restrictions on users' ability to use digital copies following a bankruptcy and a disclaimer of the standard "merchantability" and "satisfactory quality" warranties.

Sony BMG has already taken some steps to respond to the security risks created by the XCP technology but, it is claimed, not enough to address the security problems posed by MediaMax or the privacy and consumer fairness concerns posed by both programs. At least 52 CDs contained the DRM software and included titles by artists such as Celine Dion, Natasha Bedingfield and The Coral.

Presumably Sony BMG in this case believed that their software complied with the relevant law. Nevertheless it is clear that, if there is going to be a DRM solution to copyright piracy, the issues of security, privacy and user consent are likely to be of key importance to consumers.

If you have already used a relevant CD (full list available from Sony BMG at http://cp.sonybmg.com/xcp/english/titles.html) on your computer, visit http://www.freedom-to-tinker.com/?p=924 for a diagnosis. The full text of the judgment may be accessed via: http://www.eff.org/IP/DRM/Sony-BMG/sony_complaint.pdf
Article by Tom Frederikse