News

Sony BMG Settles Suit over CD Rootkit Software

Sony BMG Music Entertainment will pay $1.5 million and kick in thousands more in customer refunds to settle lawsuits brought by California and Texas over music CDs that installed a hidden anti-piracy program on consumers' computers.

Not only did the program itself open up a security hole on computers, but attempts to remove the software by some customers also damaged the PCs.

The settlements, announced Tuesday, cover lawsuits over CDs loaded with one of two types of copy-protection software -- known as MediaMax or XCP.

Under the terms of the separate settlements, each state will receive $750,000 in civil penalties and costs.

In addition, Sony BMG agreed to reimburse consumers whose computers were damaged while trying to uninstall the XCP software. Customers in both states can file a claim with Sony BMG to receive refunds of up to $175.

State officials estimate some 450,000 compact discs carrying the XCP software were sold in California, while about 130,000 were sold in Texas.

Customers have 180 days to file claims, which must include a description of how their computer was harmed and documentation of repair expenses.

Some who used certain antispyware software to remove the programs installed by the Sony BMG CDs ended up with a glitch that disabled their CD-ROM drives.

As part of the settlements, Sony BMG also agreed not to distribute any compact discs loaded with any copy-protection software that hinders computer users from easily locating it or removing it from their computers.

The record company also agreed to improve its disclosure practices.

"Companies that want to load their CDs with software that limits the ability to copy music should fully inform consumers about it, not hide it, and make sure it doesn't inflict security vulnerabilities on computers," California Attorney General Bill Lockyer said in a statement. "To its credit, Sony BMG learned this lesson and has stopped the practices that led to this lawsuit."

According to the complaint filed by Lockyer, Sony BMG did not disclose in the outer packaging the presence of the software, which was loaded on consumers' computers without their knowledge or consent when they played the CDs on their computers.

The software also was stored in such a way that it could not be seen on the PC without taking special measures.

In a news conference Tuesday in Austin, Texas Attorney General Greg Abbot said the settlement sent a clear message.

"Texans deserve to be protected from harmful hidden software that threatens their privacy or the security of their computers," he said.

In a statement, Sony BMG said it was pleased to reach agreements with the two states.

Sony BMG began including MediaMax on some of its discs in August 2003 and introduced XCP in January 2005. Both programs limited the number of copies of a disc that a user can make.

But word began to spread on the Internet in late 2005 that the software on the CDs potentially could make computers vulnerable to hacking. Some suggested the company was using the technology to spy on consumers.

But the company maintained it did not use any of the software to collect personal data about the consumers without their consent -- an assertion backed up by an outside company commissioned by Sony BMG to audit its use of the copy-protection software.

Sony BMG ultimately recalled the discs with XCP in November 2005 and released a way to remove the files from users' computers. Some 4.7 million CDs on 52 Sony BMG titles had been made with the technology and 2.1 million had been sold.

Tuesday's settlements close out government probes into the matter by Texas and California. The company had previously settled a class-action case over the episode.

Sony BMG is a joint venture of Sony Corp. and Bertelsmann AG.

Featured