Sony Settles Secret Spyware Suit

Music label Sony BMG has reached a settlement with the Federal Trade Commission (FTC) over charges that it violated federal law by installing spyware and digital rights management (DRM) software onto music CDs without telling consumers.

The deal calls for Sony BMG to allow consumers to exchange CDs purchased before the end of 2006 for new discs that do not contain the secret software. That offer will be good through June 31, 2007.

In addition, Sony agreed to reimburse consumers up to US$150 each to repair damage to their computers that they may have suffered in trying to remove the software. Although the process for reimbursing repair costs has not yet been disclosed, the settlement suggests that the consumer will have to submit documentation that their computer was damaged.

The controls installed on Sony CDs — sometimes referred to as a rootkit but formally known as extended copyright protection, or XCP — limited the number of devices that could play the music CD, restricted the number of copies that could be made and contained technology that monitored users’ listening habits. Sony could use this data to send targeted marketing messages.

The FTC had also claimed that the software “exposed consumers to significant security risks and was unreasonably difficult to uninstall.”

As part of the settlement, Sony BMG agreed to clearly disclose limitations on consumers’ use of music CDs and said it would stop using data collected for marketing purposes. Sony also agreed to stop installing software without consumer consent and to provide users with an easy means of uninstalling unwanted programs.

“Installations of secret software that create security risks are intrusive and unlawful,” said FTC Chairman Deborah Platt Majoras. “Consumers’ computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content.”

In the Past

The settlement could help bring to an end an embarrassing episode for Sony BMG and one that ignited a far-ranging debate about DRM tools and about the consumer’s right to know what programs might be hidden on CDs and other media.

Sony BMG had argued that it needed to take the extra steps to prevent music piracy. The controls were seen as too restrictive by many, however. For instance, songs ripped from the CDs onto computers couldnot be loaded onto iPods.

The FTC argued that it was “deceptive for Sony BMG to fail to disclose adequately that software would be installed on consumers’ computers, and that the software would limit consumers’ copying and use of the CDs on their computers.”

It was also a violation of federal law, the agency argued, to install tracking software for marketing purposes without users’ knowledge and consent.

Future Sony CDs must bear “clear and prominent disclosure” of any restrictions on copying or transferring songs to other media.

Sony is not barred from collecting marketing data via its CDs. However, if users are required to participate in a Sony-driven marketing program as a condition of buying a CD, that have to be informed in advance of the purchase.

Sony BMG must also make an uninstall and repair tool available for two years and advertise those tools on its Web site. Details of the reimbursement program for computer repairs will be made available on the Sony BMG Web site.

It’s not clear how much financial exposure Sony BMG faces through the settlement, though as many as 3 million CDs were sold that contained the “extended copyright” technology. The settlement does not constitute an admission of wrongdoing by Sony BMG, the FTC said.

Missed Target

Previously, Sony BMG had settled private lawsuits brought because of the rootkits, as well as actions from individual states including Texas and California.

Sony’s use of hidden software came to light in late 2005, when an Internet security firm posted a warning about a Trojan circulating that the Sony BMG software to possibly allow an attackers to control a user’s PC remotely.

The majority of business PC users quickly began to recognize the added protections as a security threat, security firm Sophos said. “Sony took aim at music pirates, but succeeded only in shooting itself in the foot,” said Graham Cluley, senior technology consultant at Sophos.

Sony moved to quickly stop sales of the enhanced CDs and recalled those already sold.

Other music companies were testing their own DRM enhancements around the same time. Some may have been convinced to back off by the firestorm that erupted over the Sony BMG revelations, however.

Adding copying restrictions to CDs can significantly harm music sales, even among consumers who had no intention of illegally swapping songs, according to JupiterResearch analyst David Card. “Fundamentally, it’s a bad idea,” he said.