Difficult times lie ahead for Harry Potter. But at least he doesn't have to deal with rootkits, spyware and a multi-million dollar lawsuit. Along with a growing list of plaintiffs, the EFF has filed a class action lawsuit on behalf of those affected by the Sony-BMG fiasco.

On November 14, 2005, the EFF wrote an open letter to Sony-BMG with several demands. Most notably, the EFF demanded that Sony-BMG recall all CDs with First4Internet's XCP technology; and more interestingly, all CDs with SunnComm’s MediaMax copy protection technology.

The EFF also demanded that Sony-BMG remove misleading statements such as XCP "...is not malicious and does not compromise security", refund the purchase price of the CD, cooperate with anti-virus/spyware companies, and "widely publicize the potential security and other risks associated with the XCP and SunnComm MediaMax technology."

While Sony-BMG did recall the XCP CDs and has made some public attempt to alert affected customers, the EFF believes these actions fall considerably short. In particular, the EFF's demand that Sony-BMG recall CDs with SunnComm's MediaMax technology – somewhere in the order of 20 million CDs - appears to have fallen on deaf ears.

Research conducted on MediaMax has discovered a similar security hole to XCP upon uninstallation, along with unauthorized software installation.

The MediaMax software....installs on the users' computers even if they click "no" on the EULA, and does not include a way to uninstall the program. The software transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits -- even though the EULA states that the software will not be used to collect personal information and SunnComm's website says "no information is ever collected about you our your computer."

While the EFF commended Sony-BMG's response, several key points of the open letter were not addressed. Primarily, Sony-BMG has not addressed the issues surrounding the implementation of SunnComm's MediaMax DRM. Secondly, Sony-BMG has not widely publicized its recall program. Although the media has brought mainstream attention to the issue, Sony-BMG's scant advertisement on their homepage is a far cry from their full publicity potential.

Sony-BMG did remove misleading statements such as XCP "is not malicious." The media giant has also cooperated with anti-virus and spyware software manufacturers, while somewhat complying with the refund demand. However, it is not surprising that Sony-BMG elected not to comply with the demand to compensate consumers for potential damage nor it is surprising Sony-BMG will not address the SunnComm MediaMax DRM issue.

However with mounting legal pressure, it may be only a matter of time before Sony-BMG caves in. Today, the State of Texas filed a class action suit against Sony-BMG, for violations against its anti-spyware law. It appears for now that Sony-BMG is willing to take its chances in court rather than recall 20 million CDs, and negate almost two years worth of copy protection efforts.

This story is filed in these Slyck News categories
Technology News :: Spyware/Adware

You can read the EFF's press release here...

...and here.

You can discuss this article here - 24 replies