What began as a promising way to protect CDs from piracy has become a public relations nightmare for Sony BMG Entertainment and its digital rights management (DRM) partners, First 4 Internet (F4I) and SunnComm.
The new lawsuits leveled at Sony BMG stem from its sale of audio CDs protected with a scheme developed by F4I called XCP. Meanwhile, the blogosphere was abuzz with allegations that XCP contains copyrighted code that’s being illegally used by F4I.
Last Friday, Sony BMG announced an exchange program that allows consumers to return XCP titles for unprotected CDs of those titles and posted software at its Web site to address security vulnerabilities created by XCP on consumers’ computers.
But Sony BMG’s actions haven’t placated the filers of the latest lawsuits.
In one suit, Texas Attorney General Greg Abbott alleges that Sony BMG violated his state’s anti-spyware law with its XCP software.
“Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” Abbott said in a statement. “Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime.”
It’s estimated that tens of thousands of Texans bought CDs protected with XCP. Texas law imposes a fine of US$100,000 per violation of the anti-spyware act.
Cone of Culpability Widened
In a second lawsuit filed in Los Angeles County Superior court, the Electronic Frontier Foundation (EFF), joined by Green Welling, LLP, and Lerach, Coughlin, Stoia, Geller, Rudman and Robbins, LLP, broadened the cone of culpability to include SunnComm, which has protected some 20 million Sony BMG CDs with its MediaMax technology.
“Sony BMG is to be commended for its acknowledgment of the serious security problems caused by its XCP software, but it needs to go further to regain the public’s trust,” the EFF said in a statement. “It is unconscionable for Sony BMG to refuse to respond to the privacy and other problems created by the over 20 million CDs containing the SunnComm software.”
“Offering replacement CDs and MP3 downloads are nice, but they should also be offering refunds so consumers have that option if they want it,” Corynne Mcsherry, an EFF staff attorney, told TechNewsWorld.
“And that’s just in respect to XCP,” she added. “They haven’t offered to recall or replace the MediaMax CDs at all.”
Ignores User’s Wishes
According to the EFF statement, MediaMax installs files on a user’s computer even if the user refuses to accept the terms of the software’s end user licensing agreement, or EULA.
MediaMax doesn’t include a way to fully install the program, the EFF claimed, and it transmits information about users to SunnComm through an Internet connection whenever a MediaMax CD is played on a computer.
“If users repeatedly requested an uninstaller for the MediaMax software, they were eventually provided one, but they first had to provide more personally identifying information,” the EFF maintained.
“Worse,” it continued, “security researchers recently determined that SunnComm’s uninstaller creates significant security risks for users, as the XCP uninstaller did.”
SunnComm President and CEO Peter H. Jacobs told TechNewsWorld that the EFF’s allegations about MediaMax are “not accurate.”
“Our job was to design software that inhibits casual copying but didn’t get in the way of the music,” he said. “We don’t take people’s names. We don’t record their habits. We don’t do any of that stuff.”
He explained that the “security vulnerability” referred to by the EFF was an ActiveX control left on a user’s computer after an uninstall of MediaMax. “What we’ve done is we’ve made sure that the ActiveX component deletes itself at the end of the process now,” he said.
Attempts to reach Sony BMG for comment about the cases were unavailing.
Meanwhile, security researchers have begun identifying similarities between code used in XCP and a number of Open Source programs.
Ed Felten, a professor of Computer Science and Public Affairs at Princeton University and Alex Halderman, a student in Computer Science there, who write the web log “Freedom to Tinker”, reported yesterday that Matti Nikki (a.k.a. Muzzy) and Sebastian Porst have discovered that the code file ECDPlayerControl.ocx, which ships as part of XCP, contains code from several copyrighted programs, including LAME, id3lib, mpglib, mpg123, FAAC, and DVD-Jon’s DRMS.
Felton and Halderman wrote at their blog:
- “Open source programs are distributed with license agreements. If you copy and redistribute such a program, you’re a copyright infringer, unless you’re complying with the terms of the program’s license.
“The licenses in question are the Free Software Foundation’s GPL for mpg123 and DRMS, and the LGPL for the other programs. The terms of the GPL would require the companies to distribute the source code of XCP, which they’re certainly not doing.
“The LGPL requires less, but it still requires the companies to distribute things such as the object code of the relevant module without the LGPL-protected code, which the companies are not doing.
“So if they’re shipping code from these libraries, they’re infringing copyrights.”
Brusque Wake Up Call
The EFF lawsuit brings to seven the number of class-action suits filed against Sony BMG over XCP.
“Sony made a blanket decision that all of its customers were criminals and now it is going to pay dearly for the mistake in terms of eroded brand reputation, possible lawsuits for compromised computers, and fewer customers that will be willing to ever again trust a Sony branded CD,” Jarad Carleton, an IT industry analyst Frost & Sullivan in Palo Alto, Calif. told TechNewsWorld via e-mail.
“It would not surprise me at all to see this costing Sony more money than they would have ever lost through unauthorized MP3 sharing,” he said.
“And if it does end up costing Sony millions in damages, frankly I believe they deserve it,” he declared. “Their arrogance and utter disregard for their customers necessitates a brusque wake up call.”