
EFF Files Class Action Lawsuit Against Sony BMG

From:  EFF Press <press-AT-eff.org>
To:  presslist-AT-eff.org
Subject:  EFF: EFF Files Class Action Lawsuit Against Sony BMG
Date:  Mon, 21 Nov 2005 12:17:43 -0800

Electronic Frontier Foundation Media Release

For Immediate Release: Monday, November 21, 2005

Contact:

Cindy Cohn
  Legal Director
  Electronic Frontier Foundation
  cindy@eff.org
  +1 415 436-9333 x108 (office), +1 415 307-2148 (cell)

Corynne McSherry
  Staff Attorney
  Electronic Frontier Foundation
  corynne@eff.org
  +1 415 436-9333 x122

Kurt Opsahl
  Staff Attorney
  Electronic Frontier Foundation
  kurt@eff.org
  +1 415 436 9333 x106

EFF Files Class Action Lawsuit Against Sony BMG 

Company Should Repair Damage to Customers Caused by CD Software 

San Francisco - The Electronic Frontier Foundation (EFF), 
along with two leading national class action law firms, 
today filed a lawsuit against Sony BMG, demanding that the 
company repair the damage done by the First4Internet XCP 
and SunnComm MediaMax software it included on over 24 
million music CDs. 

EFF is pleased that Sony BMG has taken steps in 
acknowledging the security risks caused by the XCP CDs, 
including a recall of the infected discs. However, these 
measures still fall short of what the company needs to do 
to fix the problems caused to customers by XCP, and Sony 
BMG has failed entirely to respond to concerns about 
MediaMax, which affects over 20 million CDs -- ten times 
as many as the XCP software. 

"Sony BMG is to be commended for its acknowledgment of the 
serious security problems caused by its XCP software, but 
it needs to go further to regain the public's trust," said 
Corynne McSherry, EFF Staff Attorney. "It is unconscionable 
for Sony BMG to refuse to respond to the privacy and other 
problems created by the over 20 million CDs containing the 
SunnComm software." 

The suit, to be filed in Los Angeles County Superior Court, 
alleges that the XCP and SunnComm technologies have been 
installed on the computers of millions of unsuspecting 
music customers when they used their CDs on machines 
running the Windows operating system. Researchers have 
shown that the XCP technology was designed to have many of 
the qualities of a "rootkit." It was written with the 
intent of concealing its presence and operation from the 
owner of the computer, and once installed, it degrades the 
performance of the machine, opens new security 
vulnerabilities, and installs updates through an Internet 
connection to Sony BMG's servers. The nature of a rootkit 
makes it extremely difficult to remove, often leaving 
reformatting the computer's hard drive as the only 
solution. When Sony BMG offered a program to uninstall the 
dangerous XCP software, researchers found that the 
installer itself opened even more security vulnerabilities 
in users' machines. Sony BMG has still refused to use its 
marketing prowess to widely publicize its recall program to 
reach the over 2 million XCP-infected customers, has 
failed to compensate users whose computers were affected 
and has not eliminated the outrageous terms found in its 
End User Licensing Agreement (EULA). 

The MediaMax software installed on over 20 million CDs has 
different, but similarly troubling problems. It installs 
files on the users' computers even if they click "no" on 
the EULA, and it does not include a way to fully uninstall 
the program. The software transmits data about users to 
SunnComm through an Internet connection whenever purchasers 
listen to CDs, allowing the company to track listening 
habits -- even though the EULA states that the software 
will not be used to collect personal information and 
SunnComm's website says "no information is ever collected 
about you or your computer." If users repeatedly requested 
an uninstaller for the MediaMax software, they were 
eventually provided one, but they first had to provide more 
personally identifying information. Worse, security 
researchers recently determined that SunnComm's uninstaller 
creates significant security risks for users, as the XCP 
uninstaller did. 

"Music fans shouldn't have to install potentially 
dangerous, privacy intrusive software on their computers 
just to listen to the music they've legitimately 
purchased," said EFF Legal Director Cindy Cohn. "Regular 
CDs have a proven track record -- no one has been exposed 
to viruses or spyware by playing a regular audio CD on a 
computer. Why should legitimate customers be guinea pigs 
for Sony BMG's experiments?" "Consumers have a right to 
listen to the music they have purchased in private, without 
record companies spying on their listening habits with 
surreptitiously-installed programs," added EFF Staff 
Attorney Kurt Opsahl. "Between the privacy invasions and 
computer security issues inherent in these technologies, 
companies should consider whether the damage done to 
consumer trust and their own public image is worth its 
scant protection." 

Both the XCP and MediaMax CDs include outrageous, 
anti-consumer terms in their "clickwrap" EULAs. For 
example, if purchasers declare personal bankruptcy, the 
EULA requires them to delete any digital copies on their 
computers or portable music players. The same is true if a 
customer's house gets burglarized and his CDs stolen, since 
the EULA allows purchasers to keep copies only so long as 
they retain physical possession of the original CD. EFF is 
demanding that Sony BMG remove these unconscionable terms 
from its EULAs. 

The law firms of Green Welling, LLP, and Lerach, Coughlin, 
Stoia, Geller, Rudman and Robbins, LLP, joined EFF in the 
case. Sony BMG is also facing at least six other class 
action lawsuits nationwide and an action by the Texas 
Attorney General. EFF looks forward to representing the 
voice of digital music fans in the resolution of these 
disputes between Sony BMG and consumers. 

For more on the Sony BMG litigation, see:
http://www.eff.org/IP/DRM/Sony-BMG/ 

EFF's open letter to Sony:
http://www.eff.org/IP/DRM/Sony-BMG/?f=open-letter-2005-11... 

For this release:
http://www.eff.org/news/archives/2005_11.php#004192

About EFF

The Electronic Frontier Foundation is the leading civil 
liberties organization working to protect rights in the 
digital world. Founded in 1990, EFF actively encourages and 
challenges industry and government to support free 
expression and privacy online. EFF is a member-supported 
organization and maintains one of the most linked-to 
websites in the world at http://www.eff.org/ 

    -end-




EFF? Good, maybe

Posted Nov 21, 2005 23:11 UTC (Mon) by ncm (subscriber, #165)

Most class-action suits result in a big check to the lawyers, and everybody else just gets a coupon for a small discount off the offender's next offending product. Here's hoping the EFF will be more attuned to the actual harm done.

Maybe they can oblige Sony to add software to every future disc that offers to remove whatever was installed by the infected ones (from Sony or from any of the other vendors!). It needn't cost Sony anything, incrementally, so they have no excuse to object. The code involved would have to be produced and signed by somebody appointed by the court, rather than Sony or F4I. EFF should at least ask for this, although they might end up obliged to settle for something less. If they don't ask for it, they'll certainly settle for lots less.

EFF? Good, maybe

Posted Nov 21, 2005 23:24 UTC (Mon) by fjf33 (subscriber, #5768)

I think the greater good would be served just by the fact of putting the public at large on notice about some of the risks of DRM, and hopefully some politicians also about the backlash they can suffer by protecting these corporations.

Instead of going after the people that print cheap bootleg CDs and DVDs they go after people that share with friends.

EFF? Good, definitely

Posted Nov 21, 2005 23:40 UTC (Mon) by sandy_pond (guest, #9734)

Sony should be severely punishing them and $ is the only tool we have. Otherwise, how do we stop them and others from a repeat.

Other tools

Posted Nov 22, 2005 11:02 UTC (Tue) by man_ls (subscriber, #15091)

What? "$ is the only tool we have"? Man, worshipping the almighty $ is alright, I suppose; but this is too much. What about public outcry, humiliation, jail time; losing their jobs, face, good name and prestige? Sony used to care about their customers, to the point of taking their opponents to court in the famed Betamax case; today Sony stands for poor products and disdain for their customers. Let them suffer.

Other tools

Posted Nov 22, 2005 15:14 UTC (Tue) by madscientist (subscriber, #16861)

Unless there is criminal misconduct, jail is not an option. So far there doesn't seem to be much here other than civil complaints. As for the rest, things like humiliation, face, good name, and prestige only matter to a company insofar as they affect the bottom line: it all comes down to $ in the end, when you're dealing with corporations. That's what capitalism is all about.

Other tools

Posted Nov 22, 2005 23:06 UTC (Tue) by ballombe (subscriber, #9523)

> Unless there is criminal misconduct, jail is not an option.

Should I remind you that individuals have been jailed for writing viruses and
compromising computers? For copyright infringement?

Other tools

Posted Nov 22, 2005 23:15 UTC (Tue) by madscientist (subscriber, #16861)

Writing viruses and compromising computers is considered a form of trespass, and that is criminal. Copyright infringement is only criminal if it's done for economic gain or on a very large scale: assuming you're referring to the LAME, etc. code found on the CD: I seriously doubt that would meet the criteria for criminal copyright infringement. None of the current legal cases against Sony allege any criminal misconduct.

Crimes

Posted Nov 25, 2005 7:36 UTC (Fri) by xoddam (subscriber, #2322)

> None of the current legal cases against Sony allege any criminal
> misconduct

Certainly the *reporting* does. Installing a rootkit is certainly
'compromising' a computer. Violating the LGPL is copyright infringement.
What exactly is Sony being sued for, if not these two *crimes*?

Crimes

Posted Nov 28, 2005 7:16 UTC (Mon) by madscientist (subscriber, #16861)

As I said, suing someone is a CIVIL matter, not a CRIMINAL matter. There is (at least in the U.S.) a very big difference. As far as I'm aware, no CRIMINAL charges have been made.

Other tools

Posted Nov 23, 2005 14:09 UTC (Wed) by man_ls (subscriber, #15091)

> That's what capitalism is all about.

The "everything is convertible to and from $" is not a part of capitalism; in fact it is more easily assimilable to a form of religion, not an economic theory.

Prestige is not about money; if anything, it can be related to future money, but earnings are volatile by nature and cannot be predicted. Similarly, a brand can be bought and sold, but in fact a brand without good products is worthless. I think that a corporation that only looks at earnings and losses is a bad corporation.

other tools than $

Posted Nov 22, 2005 11:52 UTC (Tue) by copsewood (subscriber, #199)

In the UK, once those with compromised computers discover the illegality of what has occurred and complain, we could well see criminal complaints against First4Internet (Computer Misuse Act section 2, preparing for unauthorised modification) and Sony UK (same act section 3: unauthorised modification). I would complain to the police myself if I had a Windows computer that had been modified without my authorisation.

Please, no "good" software to fix the bad software

Posted Nov 22, 2005 0:55 UTC (Tue) by felixfix (subscriber, #242)

You wrote ... Maybe they can oblige Sony to add software to every future disc that offers to remove whatever was installed by the infected ones ...

No no no! Not only has it become apparent that their original rootkit was buggy, making me doubt they are competent enough to remove it safely, the original sin was installing software without asking. Even if they ask with the new "good" software, that is a terrible precedent to set. They need to provide the fix on an opt-in basis, and since the bad software has been phoning home, they surely know where most of the rootkits are. They need to take care of this the proper way, sending registered letters, sending email, whatever it takes, to get people aware of what Sony has done to them, and the removal fix must NOT come from Sony's web site. Sony is simply untrustworthy at this stage. The fix must come from some well known trusted site, for instance, the EFF itself, or a government agency.

Discovery

Posted Nov 22, 2005 5:16 UTC (Tue) by ncm (subscriber, #165)

Which part of "offers to remove", or "the code involved would have to be produced and signed by somebody appointed by the court, rather than Sony or F4I" was hard to understand? Nobody suggested that would be the whole of the settlement, just a source of continuing embarrassment for Sony.

Perhaps the real value in the lawsuit is in the discovery, which allows us to find out, e.g., how many machines are actually infected, including how many within the DOD, DOE, CIA, FBI, Congress, White House, etc.

Discovery

Posted Nov 22, 2005 6:58 UTC (Tue) by hppnq (guest, #14462)

What exactly would be the point of this rather shady exercise? Really, I see no need to interfere with Sony's own rather successful approach, let alone by way of forcing them to distribute another piece of malware. (There is also the tiny practical problem that your scheme forces everyone infected to acquire another cd from Sony.)

And are you suggesting that, if machines within US government turned out to be infected, this would really put the icing on the cake?! Things not bad enough as they are?

Discovery

Posted Nov 22, 2005 21:12 UTC (Tue) by ncm (subscriber, #165)

First, we already know that machines in gov't agencies are infected, we just don't know how many, although the number is probably large. There's nothing like counting them and publicizing that number to put the pols on notice that something criminal happened. Criminal prosecutions would be much better than ordinary lawsuits.

Second, I have no idea what you imagine to be "shady", or what you imagine to be successful about "Sony's approach". There is absolutely no way to communicate directly with all the people whose machines are infected, or to explain to them what it means to be infected. However, they are all known to purchase and (unwisely) install software from music CDs. Software to detect and uninstall an already-installed rootkit is much less tricky to write than to install one more-or-less successfully in the first place. Furthermore, it's much less risky, since the harm -- installing it -- has already been done. The worst that could happen is they need to re-install the OS, which is what they probably ought to do anyhow.

Again, nobody has suggested that this be the whole of the settlement.

Discovery

Posted Nov 22, 2005 22:45 UTC (Tue) by hppnq (guest, #14462)

> There's nothing like counting them and publicizing that number to put the pols on notice that something criminal happened.

Uhuh. We haven't noticed anything yet.

> Second, I have no idea what you imagine to be "shady", or what you imagine to be successful about "Sony's approach".

How about: distributing music cd's with software that messes up your computer? (You cannot step in the same stream twice. ;-)

> There is absolutely no way to communicate directly with all the people whose machines are infected, or to explain to them what it means to be infected. However, they are all known to purchase and (unwisely) install software from music CDs.

I am intrigued now, I can see the Sony marketing department studying this scenario. Let's see, what would be more fun: selling the same cd twice, or finally being able to get rid of the music that nobody would be interested in otherwise? Or an entirely new song? "Shake your rootkit" by Michael Jackson, I would buy that.

Or shall we just stick with the boring old put-the-patch-on-the-website approach, and do it properly this time?

Discovery

Posted Nov 23, 2005 0:22 UTC (Wed) by ncm (subscriber, #165)

> We haven't noticed anything yet.

Of course not. "50000 DOD and FBI computers infected by Sony spyware" would get headlines, but without a count, there's no headline.

> Or shall we just stick with the boring old put-the-patch-on-the-website approach...?

That's fine if you want to end up with only one in five infected machines cleaned up. This isn't rocket science. Fortunately, the people at EFF are not uniformly thick.

Automated Fix

Posted Nov 23, 2005 9:11 UTC (Wed) by ncm (subscriber, #165)

It turns out that at least one of the rootkits involved, when it phones home, checks for updates, so Sony could, in principle, be ordered to "update" it out of existence, no CDs needed -- for machines that are connected to the net, anyhow. That probably means most of them, except of course the more important ones within the DOD, NSA, etc.

Time to push for new legislation as well?

Posted Nov 22, 2005 0:01 UTC (Tue) by JoeBuck (subscriber, #2330)

Apparently some anti-virus firms that knew about the Sony rootkit didn't act because they feared liability under DMCA. This could be a good time to amend the DMCA to make it clear to all that we can clean our machines of malware installed by record companies, as well as assist others in doing so.

Time to push for new legislation as well?

Posted Nov 22, 2005 1:24 UTC (Tue) by ronaldcole (guest, #1462)

I had read that both Microsoft and at least Symantec were consulted to ignore Sony's rootkit. I also read that F-Secure was not one of the companies consulted and was one of the first to release signatures to detect it.

I personally, don't want to reward any company that was in cahoots with Sony. For those of us that still have to administer Windows systems, it would be nice to have a list of Anti-Virus/-Spyware vendors that I can confidently choose from.

EFF Files Class Action Lawsuit Against Sony BMG

Posted Nov 23, 2005 13:11 UTC (Wed) by ekj (subscriber, #1524)

Sometimes that's OK though. Or if not OK, then at least still a net benefit.

Taking money from SONY and giving it to EFF's lawyers is (in my opinion) preferable to letting SONY keep the money. Of course taking money from SONY and giving it to everyone who's been infected by this would be even better.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds