Ken Paxton

Tuesday, December 19, 2006

Attorney General Abbott Settles Spyware Lawsuit With Sony BMG

AUSTIN - Texas Attorney General Greg Abbott today concluded a year-long investigation and legal action against Sony BMG Music Entertainment by obtaining an Agreed Final Judgment that provides restitution to consumers and brings sweeping reforms that will protect consumers nationwide.

Texas was the first state in the nation to take legal action against the music giant after determining that Sony BMG released millions of compact discs containing harmful software that was not disclosed to consumers. Today’s precedent-setting action prohibits Sony BMG from selling CDs containing XCP, MediaMax or any other content-protection software that hides or cloaks its software files. Sony BMG must also destroy any existing CDs embedded with XCP or MediaMax technology, continue working to withdraw those CDs from the marketplace, and submit to independent, third-party monitoring of any software-enhanced music CDs for the next five years.

Texans deserve to be protected from harmful, hidden files that threaten their privacy or the integrity of their computer systems, said Attorney General Abbott. Our first-in-the-nation action against Sony BMG shows that consumer privacy will be vigorously protected. Today’s settlement removes harmful products from the marketplace, compensates consumers for any harm they have suffered, and sets best practices that we hope will lead to reforms across the industry.

In November 2005, the Attorney General’s Consumer Protection Division brought the first lawsuit ever filed under the Texas Consumer Protection Spyware Act after learning that so-called XCP and MediaMax technologies violated Texas' consumer protection laws. Further investigation revealed that the software embedded on some Sony BMG CDs could damage consumers’ computers and create security vulnerabilities. The State’s lawsuit also claimed that Sony BMG violated the Deceptive Trade Practices Act.

Texas consumers whose computers and CD-ROM drives were damaged by XCP software may qualify for restitution from Sony BMG. Today’s agreement requires that Sony BMG publish claim forms on its Web site, Consumers seeking restitution should submit claim forms to Sony BMG, along with repair receipts and other evidence of system damage. Claimants could receive up to $175 each to compensate them for the costs of repairing computers damaged by Sony BMG products. Those without proof of out-of-pocket expenses are still eligible for $25.

The judgment also requires that Sony BMG continue encouraging consumers to return XCP or MediaMax-enhanced compact discs. Consumers who return their CDs in accordance with the settlement will receive the following incentives:


In exchange for an XCP-enhanced CD, consumers will receive:

A compact disc bearing the same title (by the same artist) that does not contain copy-protection ( DRM) software, AND
An MP3 download containing a data file of the disc bearing the same title (by the same artist) that they exchanged that does not include DRM software; AND
$7.50 cash (debit card) and one (1) free album download (from select titles); OR
Three (3) free album downloads (from select titles)

If any download codes are unused or unwanted, consumers can exchange them for $2.00 each.

MediaMax 5.0 CDs

Consumers will receive an MP3 download containing a data file of the disc bearing the same title (by the same artist) that they exchanged that does not include DRM software; AND
One (1) free album download (from select titles)

If any download codes are unused or unwanted, consumers can exchange them for $2.00 each.

MediaMax 3.0 CDs

Consumers will receive an MP3 download containing a data file of the disc bearing the same title and by the same artist that they exchanged that does not include DRM software.

Today’s agreement permanently prohibits Sony BMG from manufacturing and selling compact discs that contain the XCP or MediaMax software that formed the basis for Texas’ lawsuit. Additionally, future Sony BMG CDs with anti-piracy programs are prevented from including any hidden files and must prominently disclose specific items on the CD packaging and on its Web site. The required disclosures include: system requirements; limitations on the number of times a CD can be copied; limitations on the digital file formats into which music on the CD can be converted; and any potential incompatibility issues.

In 2005, Sony BMG distributed millions of copies of 52 compact disc titles that utilized new copyright protection technology. When consumers inserted the discs into their computers, a pop-up window prompted them to enter into a licensing agreement consenting to the installation of a proprietary audio player. Sony BMG represented that accepting the agreement was the only way a consumer could listen to its CDs on a computer.

During the installation of the Sony BMG media player, however, the software also installed components of its XCP technology in Microsoft Windows folders. When these files are downloaded onto a computer, they "cloak" or hide themselves, making it almost impossible for a consumer to detect and remove them. The cloaking technique used by XCP and MediaMax undermines the computer’s data integrity by rendering it more susceptible to hackers.

Investigators soon discovered that files containing XCP and, in some cases, MediaMax software transmitted a unique code identifying the compact disc being played on a user’s computer. Once installed, the files remained hidden and active at all times (whether or not the media player was inactive), prompting concerns about the files’ true purpose. Investigators also discovered that secret files embedded in the XCP program were continually active in the background, thus using system resources and potentially slowing computers. The investigation has not revealed that users’ personal identifying information was transmitted.

Sony BMG compact discs containing MediaMax software secretly downloaded large files onto consumers' computers immediately after they were inserted into CD-ROM drives. This download occurred despite a pop-up window indicating users could decline the terms of usage, cause the CD to be automatically ejected, and thereby not download the Sony BMG software, like XCP.

In September, the Office of the Attorney General sent a consumer alert warning about an incompatibility issue involving XCP files and certain anti-virus or anti-spyware programs, including America Online's "Safety and Security Center" software and Computer Associates’ "Pest Patrol" software. Investigators discovered that Microsoft Windows users who played an XCP-enhanced CD while running those security programs could find their CD-ROM drives were disabled. As a result, some consumers may have spent considerable resources to replace or fix their computer systems.