Update: US and Canadian customers can now claim a settlement from Sony BMG
By including a flawed and overreaching computer program in millions of music CDs sold to the public, Sony BMG has created serious security, privacy and consumer protection problems that have damaged music lovers everywhere.
At issue are two software technologies - SunnComm's MediaMax and First4Internet's Extended Copy Protection (also known as XCP) - which Sony BMG claims to have placed on the music CDs to restrict consumer use of the music on the CDs. In truth they do much more, including reporting customers' listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms in the End User License Agreement (EULA).
After a series of embarrassing public revelations about security risks associated with the XCP software, including warnings issued by the United States Government, Microsoft and leading anti-virus companies, Sony BMG has taken some steps to respond to the security risks created by the XCP technology. Sony BMG has failed, however, to address security concerns raised by the MediaMax software or the consumer privacy and consumer fairness problems created by both technologies.
Problems with XCP
Security researchers have shown that the XCP technology was designed to have many of the qualities of a "rootkit." It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, it degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers. The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer's hard drive as the only solution. When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the uninstaller itself opened even more security vulnerabilities in users' machines.
Problems with MediaMax
The MediaMax software, which is included on over 20 million Sony BMG CDs, has different but similarly troubling problems. It installs on users' computers even if they click "no" on the EULA, and it does not include a way to uninstall the program. The security issue involves a file folder installed on users' computers by the MediaMax software that could allow malicious third parties who have local, lower-privilege access to gain control over a consumer's computer running the Windows operating system. The software also transmits data about users to SunnComm through an Internet connection whenever purchasers listen to the CDs, allowing the company to track listening habits -- even though the EULA states that the software will not be used to collect personal information and SunnComm's website says "no information is ever collected about you or your computer."
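The MediaMax problem described above is a class of weakness defenders can audit for directly: a directory whose access control list grants write-class rights to broad, low-privilege groups, so that any local user can plant or replace files that a higher-privileged component later trusts. The PowerShell script below is an added example, not code from EFF, Sony BMG, SunnComm or any researcher cited on this page; it walks a directory tree and reports every directory where Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE is allowed to write. The root path is a placeholder and is not the folder the MediaMax software created.

```powershell
# Added example (not from the original page): audit a directory tree for ACL
# entries that give broad, low-privilege principals write-class access.
param(
    # Placeholder root; replace with the directory tree you want to audit.
    [string]$Root = "C:\Program Files\ExamplePlaceholder"
)

# Principals that every local, low-privilege user is a member of.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user create, overwrite or replace files in a directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WeakDirectoryAcl {
    # Emits one record per weak Allow entry on the given directory.
    param([string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries widen access; Deny entries are not findings.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the root itself, then every directory beneath it.
$dirs = @(Get-Item -LiteralPath $Root) +
        @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

$dirs | ForEach-Object { Test-WeakDirectoryAcl -Path $_.FullName } |
    Format-Table -AutoSize
```

Any directory listed in the output is one a low-privilege local account can write into; whether that is actually exploitable depends on whether a privileged process loads or executes content from it, so the list is a starting point for review, not a verdict. Directories under Program Files normally inherit ACLs that give Users read and execute only, which is why a write-class entry for a broad group there stands out.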
EFF's Open Letter
On November 14, 2005, EFF wrote an Open Letter to Sony BMG, asking the company to publicly commit to fixing the problems it has caused for its music fans and take steps to reassure the public that its future CDs will respect its customers' ownership of their computer. Among the make-good measures recommended by EFF: a recall of all XCP and SunnComm MediaMax-infected CDs, from both consumers and store shelves; a guarantee to repair, replace, or refund the purchase price of the CDs to anyone who bought the merchandise; and a major publicity campaign warning about the security risks of XCP and SunnComm MediaMax. EFF also asked Sony BMG to pay all consumer costs associated with the damage caused by the XCP or SunnComm MediaMax technology and compensate people for the time, effort, and expense required to verify that their computer was or was not infected with the rootkit.
Sony BMG's Response
Initially Sony BMG denied there was a problem, saying that the XCP rootkit "component is not malicious and does not compromise security." Thomas Hesse, President of Sony BMG's global digital business division, asked in an interview with National Public Radio, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
After receiving harsh public criticism and EFF's Open Letter, Sony BMG took significant steps toward acknowledging the security harm caused by the XCP CDs, including a recall of the infected discs. However, these measures still fall short of what the company needs to do to fix the problems caused to customers by XCP, including the privacy problems and its outrageous EULA. See Sony BMG's November 18, 2005, written response to EFF's Open Letter [PDF].
Critically, Sony BMG has still refused to refund the cost of CDs to consumers, to widely publicize its recall program using its powerful marketing abilities, or to compensate consumers whose computers have been affected. Sony has also not agreed to eliminate the outrageous terms found in its EULA.
Moreover, Sony BMG has failed to fully respond to concerns about MediaMax, which affects over twenty million CDs, ten times as many CDs as carry the XCP software. While Sony responded quickly and responsibly when we drew its attention to a security problem with MediaMax version 5, there remain unresolved issues which EFF will continue to raise with Sony BMG.
Canadian settlement site with forms to make a claim: http://cdtechsettlement.sonybmg.ca/en/