Reprinted with permission from CNET News

Sony BMG Music Entertainment, feeling the legal heat over the copy-protection software in millions of its music CDs, last week was sued in both Texas and California.

By exploiting a hole in the copy protection code, virus writers could modify an old Trojan horse to take advantage of the powerful, though inadvertent, shielding provided by the Sony software. Sony eventually announced that, as part of a review of its digital rights management strategy, it would suspend production of CDs that contain this particular copy-protection technology.

Too late to avoid the legal blowback. In Texas, the attorney general is seeking $100,000 for each alleged violation of the state's "Consumer Protection Against Computer Spyware Act." The California lawsuit is a class action that seeks compensatory damages, disgorgement of profits and punitive damages.

The Electronic Frontier Foundation, which is co-counsel in the California case, says that Sony BMG caused damage by virtue of the First4Internet XCP software and the SunnComm Technologies MediaMax tool included in more than 24 million of Sony's music CDs.

The XCP and SunnComm technologies were unwittingly installed by millions of music customers when they used the Sony CDs in their Windows-based computers. Researchers found that the XCP technology was designed to include many of the qualities of a "rootkit." According to the EFF, the software was developed to conceal its presence and operation from the computer's owner. Once installed, the code degraded system performance, opened new security vulnerabilities, and installed updates through an Internet connection to Sony BMG's servers, EFF alleges.

The nature of a rootkit makes it extremely difficult to remove. That often leaves reformatting the computer's hard drive as the only solution. When Sony BMG offered a program to uninstall the XCP software, the installer reportedly opened even more security vulnerabilities in users' machines.

EFF argues that the MediaMax software installed on more than 20 million CDs is similarly problematic. It apparently installs files on the users' computers even if they click "no" on the End User License Agreement, and it allegedly does not include a means to fully uninstall the program.

In addition, EFF says the software transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the tracking of listening habits--even though the license states that the software will not be used to collect personal information.

When users repeatedly requested an uninstaller for the MediaMax software, EFF maintains that they were eventually provided one, but only after they had provided more personal information. The group also asserts that security researchers have determined that SunnComm's uninstaller creates significant security risks for users, as the XCP uninstaller did.

Satisfaction shortfall

EFF has expressed satisfaction that Sony BMG has taken steps in acknowledging the security risks caused by the CDs with XCP software, including a recall of the infected discs. However, the group maintains the measures still fall short of what Sony needs to do to fix the problems caused to customers. "Sony BMG has failed entirely to respond to concerns about MediaMax, which affects over 20 million CDs--10 times the number of CDs as the XCP software," EFF declared.

Unless plaintiffs' attorneys are satisfied by remedial and other steps taken by Sony BMG, the litigation will proceed. Of course, Sony BMG will be entitled to its day in court, and it will be allowed to present any available defenses to seek to excuse its conduct.

Eric Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with the word "Subscribe" in the subject line.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, among the 100 largest law firms in the United States, is a full-service firm of more than 600 lawyers. In addition to legal services, Duane Morris has independent affiliates employing approximately 100 professionals engaged in other disciplines. With offices in major markets, and as part of an international network of independent law firms, Duane Morris represents clients across the nation and around the world.