Here's the California class action Complaint against Sony filed by EFF, as text, thanks to BilltheCat. This is not an official EFF transcript, of course, although they are certainly free to use it. Any mistakes belong to us at Groklaw. If you see any, let me know, and we'll aim for perfection. It looks like this isn't the last of the lawsuits Sony is going to face, either. I hear on the grapevine that a law firm in Canada is researching the matter and looking for people who live there and who bought one of these CDs. I don't doubt there will be many more. The EFF complaint asks that Sony BMG be required to fix the damage to victims' computers, and it says the EULA is unconscionable, listing specific things the Plaintiffs allege are unconscionable in the EULA that accompanies both XCP and MediaMax. When you read the list, I think you will agree it's hard to argue with EFF that this list is anything a reasonable man would agree to without duress, and as you read them, ask yourself: What do they have to do with copyright rights?
Here's the list:
104. Sony BMG has inserted several unconscionable provisions EULA that accompanies the XCP and MediaMax CDs. These
provisions include:
a. Restrictions on the user's ability to use the digital content on the CD in the event that that consumer chose to leave
the United States;
b. Restrictions on resale and transfer of the digital content on the CDs;
c. Restrictions on user's ability to use the digital content on the CDs at work;
d. Restrictions on user's ability to use and retain lawfully-made copies of the digital content on the CDs in the event that
the original CD is stolen or lost;
e. Restrictions on user's ability to use the digital content on the CDs following a bankruptcy;
f. Conditioning the user's continued use of the digital content on the CDs on acceptance of all Sony BMG software updates;
g. A purported $5.00 limit on Sony BMG's entire liability to the purchaser of the CDs; h. Restrictions on user's ability to examine and test his or her computer to understand and attempt to prevent the damage
cause by the rootkit;
i. A reservation of rights by Sony BMG to use "technological "self-help" measures against the computers of users who desire
to make use of the digital content on the CDs "at any time, without notice to [the user]."
j. Restrictions on the user's ability to seek redress in California courts, under California law, and the purchaser's
ability to seek a trial by jury;
k. A disclaimer of all warranties, including implied warranties of merchantability, satisfactory quality,
noninfringement, and fitness for any particular purpose. It makes your blood boil to read this list, doesn't it? Forget for a minute all the secretive things they did to customers behind their backs and without notice or explanation. Look at what they told them to their face. This isn't enforcement of copyright rights. Copyright law doesn't forbid you to take a copyrighted book with you to Europe, for example, nor must you turn it in if you go bankrupt. What lawyer thought that one up? And why? Note that there are several typos in the document, which is not surprising when you consider how quickly this was drawn up, so before you let me know of any corrections, can you please check the original first? Also, there are references to exhibits, and I'm working on them. I will put them here when ready, so you can swing back by later if you are particularly interested in the EULA. While we are on the subject of the EFF, they have begun a campaign to support bloggers, which is a subject dear to my heart. They ask for financial support, so they can continue to do what they do, and there is a graphic you can place on your website directing the public's attention to the campaign. I have placed one on Groklaw. Here's a snip from EFF's website: Here at EFF, we're fighting hard for bloggers' rights. We've created the Legal Guide for Bloggers, we're litigating the reporter's privilege for online journalists and we are working hard to defend bloggers' rights to free expression, political speech, and anonymity, just to name a few.
But we need your help to spread the word, grow our membership and keep fighting. So we're launching a special membership campaign specifically for bloggers. We've created a button for you to put in a permanent space on your blog that declares your support for bloggers' rights, and for the work EFF does to support them. The button links to our Bloggers' rights campaign, http://www.eff.org/bloggers/join/ Here's the Legal Guide for Bloggers and their How to Blog Safely. For an international flavor, try also Reporters Without Borders. They have a guidebook called Handbook for Bloggers and Cyber-Dissidents. As you know, I believe strongly in the right of anonymous speech. And I'm familiar with unfair retaliation against bloggers. So I'm delighted that EFF views this as something vitally important and worth fighting for. Litigation is very expensive. Aren't you shocked to see how much SCO, for example, has paid in legal fees? Well, it's expensive for EFF to do it too. *******************************
Robert S. Green (State Bar No. 136183) Jenelle Welling (State Bar No. 209480) Avin P. Sharma (State Bar No. 233328)
[address, phone, fax]
Cindy Cohn (State Bar No. 145997) Fred von Lohmann (State Bar No. 192657) Kurt Opsahl (State Bar No. 191303)
Corynne McSherry (State Bar No. 221504) ELECTRONIC FRONTIER FOUNDATION
[address, phone, fax]
Reed R. Kathrein (State Bar No. 139304) Shana Scarlett (State Bar No. 217895) LERACH COUGHLIN STOIA GELLER
RUDMAN & ROBBINS LLP
[address, phone, fax]
Attorneys for Plaintiffs
_________________________________
SUPERIOR COURT OF THE STATE OF CALIFORNIA COUNTY OF LOS ANGELES
ROBERT HULL, JOSEPH HALPIN and EDWIN BONNER, on behalf of themselves and all others similarly
situated
Plaintiffs,
v.
SONY BMG MUSIC ENTERTAINMENT CORP., SONY CORPORATION OF AMERICA, and BERTELSMANN, INC.
Defendants.
CLASS ACTION COMPLAINT
JURY TRIAL DEMANDED
___________________________
Plaintiffs, by and through their attorneys, bring this action on behalf of themselves and all others similarly situated, and
allege against Defendants as follows:
INTRODUCTION
1. By including a flawed and overreaching computer program in over 20 million music CDs sold to the general public,
including California residents, Sony BMG has created serious security, privacy and consumer protection problems that have
damaged Plaintiffs and thousands of other Califomians. At issue are two software technologies -- MediaMax and Extended Copy
Protection, also known as XCP -- which defendant Sony BMG claims to have placed on the music CDs to restrict consumer use of the
music on the CDs but which in truth do much more, including monitoring customer listening of the CDs and installing undisclosed
and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without
appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms.
These, plus other problems caused by Sony BMG's inclusion of this software, are in violation of California law and public
policy. After a series of embarrassing public revelations about security risks associated with the XCP software, including
warnings issued by the United States Government, Microsoft and leading anti-virus companies, defendant Sony BMG has taken some
steps to respond to the security risks created by the XCP technology. It has failed, however, to address security concerns
raised by the MediaMax software or the consumer privacy and consumer fairness problems created by both technologies.
JURISDICTION AND VENUE
2. The jurisdiction of this Court arises under Code of Civil Procedure § 410.10 because Defendants conduct business in
and sell a substantial number of audio compact discs in the State of California. This Court has subject matter jurisdiction
over this Class and the representative action pursuant to Bus. & Prof. Code, § 17200, et seq. ("UCL"); Bus. &
Prof. Code § 17500, et seq.; Civ. Code § 1750, et. seq.; Code of Civil Procedure § 382; and other provisions of
the California Codes.
3. Venue is proper in this County pursuant to Code of Civil Procedure, § 395.5, Civil Code, § 1780(c), Bus. &
Prof. Codes, §§ 17202 and 17203, because Sony BMG conducts substantial business within this County.
2
PARTIES
4. At all times mentioned herein. Plaintiff Robert Hull was, and still is, an individual and resident of Chatsworth,
California.
5. At all times mentioned herein. Plaintiff Joseph Halpin was, and still is, an individual and resident of Sebastopol,
California.
6. At all times mentioned herein, Plaintiff Edwin Bonner was, and still is, an individual and resident of La Jolla,
California.
7. At all times mentioned herein, Defendant Sony BMG Music Entertainment ("Sony BMG"), is and at all relevant times was, a
Delaware General Partnership, with its principal place of business in New York, New York. Sony BMG maintains an office in
California.
8. Defendant Sony Corporation of America is the U.S. subsidiary of Sony Corporation, a multinational corporation based in
Japan. At all times mentioned herein, Defendant Sony Corporation of America, is and at all relevant times was, a New York
corporation, with its principal place of business in New York, New York.
9. Defendant Bertelsmann, Inc. is the U.S. subsidiary of Bertelsmann AG, a multinational corporation based in Germany. At all times mentioned herein, Defendant Bertelsmann, Inc., is a Delaware Corporation with its principal place of business in New
York, New York.
FACTUAL ALLEGATIONS COMMON TO ALL CLAIMS
10. In August 2004, Sony Corporation merged its Sony Music Entertainment, Inc. with Bertelsmann AG's BMG to create a joint
venture, Sony BMG. Sony Corporation of America and Bertelsmann AG are the parent companies, respectively, of Sony Music
Entertainment and BMG.
11. Sony BMG is the world's second largest music company. Its labels include Arista Records, Columbia Records, Epic Records,
J Records, Jive Records, LaFace Records, Legacy Recordings, Provident Music Group, RCA Records, RCA Victor Group, RLG -
Nashville, SONY BMG Masterworks, Sony Music Nashville, Sony Urban Music, Sony Wonder, So So Def
3
Records, and Verity Records.
Sony BMG manufactures, distributes, markets, and sells audio compact discs ("CDs").
12. In 2003, Sony BMG began to distribute CDs that contain software that Sony BMG refers to as Digital Rights Management
("DRM") to the public. This DRM software on the Sony BMG CDs includes MediaMax created by SunnComm ("MediaMax CDs") and
Extended Copy Protection ("XCP") created by First4Intemet ("XCP CDs"). On information and belief, Sony BMG intended that most
of its CDs sold in the United States would incorporate one of these technologies.
13. Sony BMG is the first company to commercially deploy XCP.
14. On information and belief, Sony BMG has been using versions of XCP since 2002 on prerelease CDs sent to radio stations
and internal employees.
15. On information and belief, Sony BMG and BMG have been using MediaMax on some CDs since at least 2003. On information and
belief, Sony BMG currently uses MediaMax 5 on its MediaMax CDs.
16. Since March 2005, Sony BMG has distributed at least 52 music titles with XCP software. On information and belief, Sony
BMG has shipped at least 4.7 million CD's containing the XCP software, of which 2.1 million have been sold.
17. Sony BMG has also distributed many more music titles with MediaMax software -- including a number one hit CD last year
by Velvet Revolver, entitled Contraband. On information and belief, Sony BMG has distributed at least 20 million CDs
with MediaMax software.
18. In a November 11, 2005, MSNBC.com article, by Bob Sullivan, Sunncomm CEO Peter Jacobs states that MediaMax is "now on
about 20 million Sony BMG music discs."
THE SUNNCOMM SOFTWARE IS UNDISCLOSED SPYWARE AND COMPROMISES SECURITY
19. The Anti-Spyware Coalition ("ASC") describes spyware as technologies deployed without appropriate user consent and/or
implemented in ways that impair user control over:
(1) material changes that affect a user's experience, privacy, or system security; (2) use of the
4
user's system resources,
including what programs are installed on the user's computer; and/or (3) collection, use, and distribution of a user's personal
or other sensitive information. Computer Associates defines spyware as "Any product that employs a user's Internet connection
in the background without their knowledge, and gathers/transmits info on the user or their behavior." As discussed below, the
MediaMax software used by Sony BMG on many of its CDs meets the ASC's definition of spyware.
20. MediaMax installs without meaningful consent or notification. When a MediaMax CD is inserted into a computer running
Windows, MediaMax installs, prior to the appearance of the End User License Agreement ("EULA"), approximately eighteen files
that consume approximately 15 MB on the user's hard drive. These files remain installed even if the user declines the EULA
presented later. One of them, a kernel-level driver with the cryptic name "sbcphid," is both installed and launched. The
"kernel" is the core of a computer operating system, which controls and secures access to the computer's basic operations.
21. This kernel-level driver is the heart of the MediaMax copy protection system. When it is running, it attempts to block
CD ripping and copying applications from reading the audio tracks on MediaMax CDs. The software refrains from making one final
change until after users accept the license—it does not set the driver to automatically run again every time Windows
starts. Nevertheless, the code keeps running until the computer is restarted and remains on the hard disk indefinitely, even if
the agreement is declined.
22. Only after these files are installed and at least one has launched does the software display a EULA, which the user may
accept or decline, making it a contract of adhesion. Even if the EULA is declined, however, the software already installed
prior to presentation of the EULA remains on the user's computer.
23. The MediaMax CDs' EULA states: "As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD
will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended
to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the
SOFTWARE will reside on YOUR COMPUTER
5
until removed or deleted." This statement is not true, since by the time this message is
displayed, over eighteen files are already installed and, as noted above, those files remain on the hard disk indefinitely,
even if the agreement is declined. Attached hereto as Exhibit A and incorporated herein by reference is a true and correct copy
of the MediaMax EULA.
24. Sony BMG's MediaMax CD EULA states that "[T]he SOFTWARE will not be used at any time to collect any personal information
from you, whether stored on YOUR COMPUTER or otherwise."
25. If purchasers seek more information about the software that has been installed on their computer, they are directed to
the SunnComm Sony BMG customer care website, which falsely tells users that "No information is ever collected about you or your
computer without you consenting" and also states: "Is any personal information collected from my computer during the digital
key delivery process? No, during the digital key delivery process, no information is ever collected about you or your
computer."
26. Despite the representations to the contrary in the EULA and the SunnComm website, and without notification or consent of
the user, the MediaMax software "phones home" to SunnComm every time a user plays a protected CD. The software causes the
computer to connect to a Sony BMG and/or SunnComm server via the internet. The MediaMax software conveys a unique code that
identifies the album to which the user is listening. The request also contains standard HTTP headers from which can be used to
determine what operating system the user is running and what version of the Internet Explorer web browser the user has.
27. On information and belief, prior versions of the MediaMax software still used on some Sony BMG CDs contact Sony BMG
and/or SunnComm to obtain "digital keys" that permitted the CDs to be copied.
28. The SunnComm Sony BMG customer care website also does not have a visible privacy policy.
29. The Media Max software connects to an online service at http ://license. sunncomm2 .corn/, which does not have a
visible privacy policy.
30. The MediaMax software opens a web page from a Sony BMG and/or SunnComm
6 server and sends a 32-character identifier
through an HTTP request. On information and belief, this is a unique code that tells Sony BMG and/or SunnComm to which album
the user is listening. The request also contains standard HTTP headers that can be used to determine the user's operating
system.
31. The server to which the MediaMax software connects returns an HTTP response to the MediaMax software. On information and
belief, this response is intended to facilitate the placement of dynamic, interactive advertisements that can be changed at any
time by Sony BMG and/or SunnComm.
32. The MediaMax software also transmits the user's computer's Internet Protocol or "IP" address to servers controlled by
Sony BMG or its agents, without receiving permission from the computer user. No two IP addresses are alike and IP addresses
provide the means to determine information about the person who used the particular IP address. Users are assigned an IP
address by their Internet service provider or system administrator. Many users are issued frequently changing "dynamic" IP
addresses that make it difficult to track them individually, but others have fixed, "static" addresses that can permit Sony BMG
to ascertain their identities and associate listening habits with particular individuals across many different CDs containing
the Sunncomm software.
33. The Sunncomm MediaMax support website (http://tickets.sunncomm.com/selfhelp/), also misleadingly states, "Please
note that MediaMax was designed to manage and safeguard the copyrights of specified artists' CDs while giving you an enhanced
visual and listening experience. It does not interfere with or impact any of the normal operations and/or functions of
your computer." (emphasis in the original). As described above, this statement is false.
34. Sony BMG fails to disclose, prior to purchase, that users running the MediaMax CDs on Windows-based computers could have
filed downloaded and stored on their computers without their consent, and failed to disclose that the software would transmit
information about user, including monitoring whenever users listen to the CDs, without notification to or consent of the users.
7
SUNNCOMM'S MEDIAMAX UNINSTALLER CREATED A GREATER SECURITY RISK AND VIOLATED USER'S PRIVACY
35. On information and belief, none of the MediaMax CDs from Sony BMG contains an uninstaller.
36. Upon request, SunnComm will provide an internet-based uninstaller for the MediaMax software. On information and belief,
SunnComm provides this uninstaller only after repeated requests that require the disclosure of personally identifying
information.
37. The uninstaller suffers from a design flaw. When a user visits the SunnComm uninstaller web page, the user is prompted
to accept a small software component—an ActiveX control called "AxWebRemoveCtrl" created by SunnComm.
38. This ActiveX control is designed so that any web page can ask it to download and executing code from an arbitrary
website location or URL.
39. If a user visits a malicious website, the site can use the flawed ActiveX control to download, install, and run
malicious or dangerous software code on the user's computer without the user's knowledge or consent. Such code could severely
damage a user's computer, including but not limited to erasing a user's hard disk.
40. The uninstaller fails to remove the vulnerable ActiveX control from the user's computer following completion of the
uninstallation process.
41. Sony BMG fails to disclose the security risks created by the MediaMax software and the MediaMax uninstaller, and their
potential harm to a user's computer.
42. Therefore, users who hope to prevent and/or limit security and privacy risks must rely on the research and publication
efforts of independent security experts and consumer advocates.
43. On information and belief, the MediaMax software causes additional damage to users' computers. 8
THE XCP SOFTWARE IS UNDISCLOSED SPYWARE AND COMPROMISES SECURITY
44. Sony BMG's actions and omissions with respect to the MediaMax software are part of a pattern of corporate failure to
investigate, address, and disclose the security and privacy risks associated with its inclusion of so-called DRM software on
music CDs.
45. Similar and, in some respects, more serious risks have been identified in CDs loaded with another Sony BMG technology.
Extended Copy Protection, or XCP. As with the MediaMax software, these risks have been disclosed by independent researchers and
consumer advocates, rather than Sony BMG.
46. The software on a Sony BMG XCP CD is designed to operate only on Windows-based computers that run Windows
98SE/NT/2000/XP.
47. When a computer user places the Sony BMG XCP CD in a Windows based computer, the software is designed such that the user
is first required to agree to a EULA. According to the EULA, a user cannot utilize the audio files or the digital content of
the CD on the computer unless the user agrees to the EULA making it a contract of adhesion. Attached hereto as Exhibit B and
incorporated herein by reference is a true and correct copy of the XCP EULA.
48. The user is then told that the XCP software automatically installs player software into the user's computer that will
allow the user to play, save and copy the audio files on the CD.
49. According to the EULA, the software automatically installed by the XCP CD is intended to protect the "digital content"
embodied on the XCP CD. Digital content appears to include audio files converted into digital music files as well as
unspecified other "already existing digital content."
50. While the user is led to believe that Sony BMG's XCP software is installing the player software into the user's
computer, it is actually installing software as a "rootkit" into the user's hard drive. The Sony BMG XCP software also installs
a CD drive filter driver that intercepts calls to the computer's CD drive.
9
51. A rootkit is used to hide login, processes, files, and logs and may include software to intercept data from terminals,
network connections, CD drives, and keyboards. A rootkit is invisible to the operating system and antivirus and security
software, and is frequently used by unauthorized third-parties, after gaining access to a computer system, to hide their
activities.
52. Specifically, the Sony BMG rootkit is a system filter driver which intercepts all calls for process, directory or
registry listings, and then modifies what information is visible to the operating system in order to hide every file, process,
or registry key beginning with the characters "$sys$."
53. Unbeknownst to users, once the rootkit is installed by the software on a Sony BMG CD, the rootkit degrades the
performance of the user's computer.
54. In a November 1, 2005, eweek.com article by Paul Roberts, computer security analyst Mark Russinovich states that the
rootkit files interact with the Windows operating system at a very low level and fail to account for certain conditions that
could cause the files to overwrite areas of memory, crashing applications that use that memory, or even crashing the entire
Windows operating system. On information and belief, this article correctly illustrates some of the damage the rootkit could
do.
55. The rootkit causes significant and cumulative injury to a user's computer. Specifically, the rootkit can interfere with
the computer's CD drive, file copying software, and media players. The rootkit also uses up system memory that would otherwise
be available.
56. On or around November 4, 2005, on National Public Radio's "Morning Edition" program, Thomas Hesse, President of Sony
BMG's global digital business division, when asked about the XCP controversy, responded "Most people, I think, don't even know
what a rootkit is, so why should they care about it?" In the same program, Mr. Hesse also denied that Sony BMG's software
communicated with Sony BMG, saying "No information ever gets gathered about the users' behavior, no information ever gets
communicated back to the user, this is purely about restricting the ability to bum MP3 files in an unprotected manner."
57. Sony BMG failed to disclose that the XCP software, in the rootkit, automatically connects the user's computer via the
internet to a server owned or operated by Sony BMG or its
10
affiliates, without the user's consent. Once a user's computer is
connected to the Sony BMG website, the software sends an identification code associated with each XCP CD that is played on that
computer to the Sony BMG website. The Sony BMG server then automatically checks for updates to the album art and lyrics for
that album. This process uses the bandwidth that would otherwise be available to the user's computer for other tasks.
58. As with the MediaMax software, this network connection provides Sony BMG with the ability to record each time a CD with
XCP software is played and the IP address of the computer playing it, without receiving permission from the computer user. As
discussed above, no two IP addresses are alike and IP addresses provide the means to determine information about the person who
used the particular IP address. Sony BMG does not disclose the possibility of this use of DRM software in its packaging, the
installation process, or its EULA. Instead the EULA states, "the SOFTWARE will not be used at any time to collect any personal
information from you, whether stored on YOUR COMPUTER or otherwise."
59. The Anti-Spyware Coalition and computer security firm Computer Associates identify Sony BMG's XCP software as "Spyware."
60. Sony BMG's XCP software meets the ASC standards for spyware because the rootkit is placed on the computer without the
user's consent and it changes the user's system security because the rootkit makes the user's computer more vulnerable to other
types of malware.
61. Computer Associates has classified the Sony BMG XCP rootkit as a form of spyware known as a "Trojan," noting that the
"XCP Sony Rootkit modifies you[r] operating system at a low level, represents a large threat to both corporate and consumer
users system integrity." Computer Associates also has noted that "[t]he Rootkit functionality hides files and enables hackers
and other spyware to hide files with impunity."
62. Computer Associates has categorized Sony BMG's "Media Player" as spyware, noting that "When launched from the CD, Music
Player sends information back to Sony BMG, indicating which album is being played."
63. Once the rootkit is on a user's computer, it creates an undisclosed risk of security
11
breach to that computer because
other malicious software, such as computer viruses, worms, and spyware that enter the computer could exploit the software
concealed by the rootkit.
64. Malicious software coders have discovered that they can effectively render their programs invisible by using names for
computer files similar to ones cloaked by the Sony BMG technology. On information and belief, several malicious programs that
exploit the XCP technology's ability to avoid detection have already been distributed over the internet. Further, as stated
above, XCP software transmits information about the user's computer, IP address, and listening habits.
65. On or around November 12, 2005, Microsoft, Inc., the maker of the Windows operating system stated that "Rootkits have a
clearly negative impact on not only the security, but also the reliability and performance of their systems" and Microsoft's
Anti-Malware Engineering Team informed consumers that "in order to help protect our customers we will add a detection and
removal signature for the rootkit component of the XCP software."
66. The nature of a rootkit makes it extremely difficult for a computer user to remove, often leaving reformatting the
entire hard drive as the only solution. Reformatting a hard drive requires backing up all data on the hard drive, as
reformatting a hard drive deletes all data on the hard drive. The user is then required to re-install the operating system and
all applicable programs and drivers. This process can take many hours and is beyond the technical capabilities of many users.
Sony BMG's XCP CD EULA and install process do not disclose nor does the CDs' software prompt users with information about the
rootkit or the need to reformat the hard drive in order to remove it.
67. In response to the public outcry about the deceptive nature of Sony BMG XCP CDs, Sony BMG made available a software
patch. The patch was only available on the Sony BMG support site (http://cp.sonybmg.com/xcp/english/home.html). The
patch does not remove the software or allow the user to remove the software. The software patch merely makes the software
visible to system tools and antivirus software while installing an additional 3.5 MB of updated versions of the software into
the user's computer. Additionally, the patch contains a design flaw that could cause a computer to crash as it is installed.
12
68. Sony BMG failed to disclose that if a user attempts to disable the software it will likely disable the audio CD driver
on the computer, rendering the user's CD drive inoperable. If the rootkit is removed manually, the Sony BMG software's changes
to the user's system will render the user's CD drive non-functional. According to computer security firm Computer Associates,
"[reconfiguring the CD-ROM driver to a functioning state will be beyond the ability of the average home user."
69. Computer Associates categorized Sony BMG's patch as a "Trojan" and noted that the Sony BMG software, even when patched
with Sony BMG's update, continues to "represent a threat to the user's control over their system ...."
70. The United States Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security that is
charged with the task of "protecting the nation's Internet infrastructure" by coordinating "defense against and responses to
cyber attacks across the nation" has stated that the XCP rootkit "can pose a security threat" and that "one of the
uninstallation options provided by Sony BMG also introduces vulnerabilities to a system."
71. Installation of a rootkit on a computer undermines the security of that computer.
72. Installation of a rootkit on a computer causes impairment to the integrity or availability of data, a program, a system
or information.
73. The software installed by Sony BMG includes a set of computer instructions that are designed to modify, damage, destroy,
record, and/or transmit information within a computer, computer system, or computer network without the intent or permission of
the owner of the information.
74. On information and belief, the XCP software causes additional damage to users' computers.
SONY BMG'S FIRST XCP UNINSTALLER CREATED A GREATER SECURITY RISK AND VIOLATED USER'S PRIVACY
75. On information and belief, the only way for typical users to safely uninstall the software is to obtain an uninstaller
from Sony BMG. Until approximately November 15, 2005,
13
in order to obtain an uninstaller from Sony BMG, a user was required to
navigate an extensive request process and disclose more personal information to Sony BMG. First, the user was required to go to
the Sony BMG support website and fill out a form stating: a country where the CD was purchased; the artist's name; the album
title; the store name; and the user's e-mail address. After submitting the form, the user was directed to a website which
states that the user that the user will receive an e-mail with a "Case ID." Next, the user received an e-mail that directed the
user to install the patch and then visit another website if the user still wanted to uninstall the DRM software.
76. This further website, available until November 15, 2005, required the user to install ActiveX control software. The user
was then required to enter the Case ID and fill in the reasons for the request. Once the user submitted this information, the
user receives an email that notifies the user that a customer service representative would email the uninstall instructions to
the user within a business day. The user then received an e-mail with a link to a confidentiality notice, which had to be
accepted before software could be uninstalled.
77. Sony BMG states that the information collected by Sony BMG before providing the uninstaller is subject to its Privacy
Policy, http://www.sonybmg.com/privacypolicy.html. The Sony BMG Privacy Policy states, inter alia, that Sony BMG
"may share the information we collect from you with our affiliates or send you e-mail promotions and special offers from
reputable third parties in whose products and services we think you may have an interest. We may also share your information
with reputable third-parties who may contact you directly."
78. On information and belief, if the Sony BMG software was uninstalled using the uninstaller available until November 15,
2005, the user was no longer able to receive the full use and value of the XCP CD on his or her computer. Therefore, Sony BMG
required the user to either accept the malicious software or lose the full use and value of the XCP CD. Sony BMG did not
disclose this fact to users prior to purchase.
79. The Sony BMG software could not be uninstalled if the user proceeded to the link from a different computer than the one
on which the user installed the ActiveX control software. If the user is not at that same computer he or she will receive an
error message. The
14
uninstall link contains the Case ID in the address, so when the user proceeds to the uninstall link, the
ActiveX control software sends the sends a Sony BMG website an encrypted block of data. This encrypted data is a signature that
is tied to the hardware configuration of the user's computer.
80. On information and belief, the ActiveX uninstaller leaves behind numerous software methods that can be exploited by
others.
81. The ActiveX uninstaller also exposes a user's computer to additional risks by enabling malicious third parties to
download and install over the internet because but the ActiveX uninstaller fails to restrict such access only to Sony BMG or
First4Intemet. Such malicious code could severely damage a user's computer, including but not limited to erasing a user's hard
disk.
82. Sony BMG does not cause the ActiveX control to be removed from user's computers following completion of the installation
process.
83. On information and belief, the uninstallation can cause further damage to users' computers, including but not limited
to, causing a user's Windows operating system to crash.
84. On or around November 15, 2005, Sony BMG posted the following message on its website: "We currently are working on a new
tool to uninstall First4Intemet XCP software. In the meantime, we have temporarily suspended distribution of the existing
uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience
and understanding." Sony BMG failed to disclose the problems associated with the old uninstaller. As of the filing of this
complaint, no new uninstaller has been made available.
85. On information and belief, the software released by Sony BMG to resolve the flaws in the XCP software can cause further
damage to users' computers.
SONY BMG HAS MADE MATERIAL MISREPRESENTATIONS AND OMISSIONS REGARDING THE SOFTWARE IT HAS INCLUDED ON MUSIC
CDS
86. In addition to the material misrepresentations and omissions set forth above, Sony BMG has made numerous additional
misrepresentations and omissions of material facts.
87. On information and belief, the XCP and MediaMax CDs are disseminated wit
15 identical EULAs.
88. Sony BMG's EULAs state that the MediaMax and XCP software installed on a user's computer will not be used to collect any
personal information. As set forth above, this is untrue.
89. Sony BMG's EULAs state that the MediaMax and XCP software will remain on the user's computer until it is removed or
deleted. Neither the MediaMax nor the XCP software allows a user to use the standard "add/remove program" function on the
Windows operating system to remove the program. Sony BMG's MediaMax and XCP CDs and its software fail to provide information
about how to remove the program or even how to contact Sony BMG to resolve any problems with the program.
90. The EULAs disclose that the MediaMax and XCP drivers try to "protect the audio files embodied on the CD." However, the
drivers also attempt to restrict access to any other CD that uses MediaMax or XCP technology. Therefore, users need only agree
to installation on one album for the software to affect users' ability to use many other titles.
91. Sony BMG uses its website to advertise and promote the sale of its CDs. On its website, until November 15, 2005, Sony
BMG falsely denied that its software is spyware and that it posed a security risk. Sony BMG also made the false claim that the
software does not collect any personal information nor is it designed to be intrusive to the user's computer system.
92. On or around November 8, 2005, Sony BMG publicly and falsely stated, on the http://cp.sonybmg.com/xcp website,
that the XCP software's rootkit "component is not malicious
and does not compromise security."
93. The above website directs users to another site, http://updates.xcp-aurora.com/, where users can obtain a software
update to remove the rootkit component of the XCP technology. As of the filing of this complaint, the website states that the
cloaking component "is not malicious and does not compromise security."
94. On its support website (http://cp.sonybmg.com/xcp/english/home.html). Sony BMG stated, until approximately
November 16, 2005, that its XCP software simply acts to prevent unlimited copying and ripping from discs featuring the
technology. Sony BMG created
16
the false impression that the only effect of software included on CDs would be to restrict the
ability to create copies of CDs or the quantity of CDs that a user can copy.
95. On or around November 16, 2005, Sony BMG announced, on the http://cp.sonybmg.com/xcp website, that it shared the
security concerns of consumers regarding
the XCP discs, and offered to exchange new CDs for CDs with XCP software. Sony BMG did not indicate the nature or extent of
the security risks associated with the XCP software. Sony BMG also affirmed that the XCP software was not a "monitoring
technology."
96. Sony BMG uses its website to advertise and promote the sale of its CDs. On its website, until November 15, 2005, Sony
BMG falsely denied that its software is spyware and that it posed a security risk. Sony BMG also made the false claim that the
software does not collect any personal information nor is it designed to be intrusive to the user's computer system. Sony BMG
has failed to make efforts to publicize the flaws in its XCP software and uninstaller, apart from statements on its websites
and statements to the press. Therefore, many XCP CD purchasers are unaware of the security and other risks caused by the
software.
97. Sony BMG has failed to publicly disclose or address the risks associated with MediaMax software and its uninstaller.
Therefore, many MediaMax CD purchasers are unaware of the security and other risks caused by the software.
98. As set forth above, the MediaMax CD EULA and the SunnComm Sony BMG support website misleadingly represent that the
software will not be used to collect personal information about the user without his or her permission.
99. As set forth above, the MediaMax CD EULA and the SunnComm Sony BMG support website falsely represent that MediaMax
software will not be installed if the user declines the EULA.
100. The MediaMax EULA fails to disclose other important details about what the uninstaller does, including but not limited
to the security risks it poses to users' computers.
101. According to Sony BMG, the purpose of the software is to restrict the ability to create copies of CDs or the quantity
of CDs that a user can copy. The MediaMax and XCP software goes far beyond copyright protection, however. For example, the
software makes it
17
extremely difficult for a consumer with a PC to transfer their music to an Apple Corporation-manufactured
iPod but easy to transfer to other portable digital music players, such as those sold by Sony. Sony BMG asks iPod owners who
have XCP CDs to complain to Apple about the inability to play Sony BMG protected music on an iPod. The MediaMax support website
also asks iPod owners who have MediaMax CDs to complain to Apple about the inability to play Sony BMG protected music on an
iPod. To the extent that this is intended to advantage Sony BMG or its partners in the portable digital music player market,
this advantage comes at the expense of consumers.
SONY BMG'S EULAS CONTAIN NUMEROUS UNCONSCIONABLE AND UNREASONABLE PROVISIONS
102. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.
103. On information and belief, the XCP and MediaMax CDs are disseminated with identical EULAs.
104. Sony BMG has inserted several unconscionable provisions EULA that accompanies the XCP and MediaMax CDs. These
provisions include:
a. Restrictions on the user's ability to use the digital content on the CD in the event that that consumer chose to leave
the United States;
b. Restrictions on resale and transfer of the digital content on the CDs;
c. Restrictions on user's ability to use the digital content on the CDs at work;
d. Restrictions on user's ability to use and retain lawfully-made copies of the digital content on the CDs in the event that
the original CD is stolen or lost;
e. Restrictions on user's ability to use the digital content on the CDs following a bankruptcy;
f. Conditioning the user's continued use of the digital content on the CDs on acceptance of all Sony BMG software updates;
g. A purported $5.00 limit on Sony BMG's entire liability to the purchaser of the CDs; h. Restrictions on user's ability to examine and test his or her computer to understand and attempt to prevent the damage
cause by the rootkit;
18
i. A reservation of rights by Sony BMG to use "technological "self-help" measures against the computers of users who desire
to make use of the digital content on the CDs "at any time, without notice to [the user]."
j. Restrictions on the user's ability to seek redress in California courts, under California law, and the purchaser's
ability to seek a trial by jury;
k. A disclaimer of all warranties, including implied warranties of merchantability, satisfactory quality,
noninfringement, and fitness for any particular purpose.
SONY BMG'S SOFTWARE IS A COMPUTER CONTAMINANT
105. Sony BMG has introduced a computer contaminant, in violation of California Penal Code Section 502, into the Plaintiffs'
and the Class' computers, computer systems or computer networks.
106. Sony BMG software includes a set of computer instructions that are designed to modify, damage, destroy, record, or
transmit information within a computer, computer system, or computer network.
107. Sony BMG software transmits information about which CDs the user is playing through the Internet.
108. Sony BMG knowingly introduced the software into a computer, computer system, or computer network.
109. The Plaintiffs and the Class do not intend for the Sony BMG software to transmit information about which CDs the user
is playing through the Internet.
110. The Plaintiffs and the Class did not give permission for the Sony BMG software to transmit information about which CDs
the user is playing through the Internet.
111. Sony BMG has intentionally accessed a computer without authorization or exceeded authorized access, and thereby
obtained information from computers owned by Plaintiffs and the Class; and accessed such computers without authorization, and
as a result of
19
such conduct, recklessly caused damage.
112. Sony BMG knowingly caused the transmission of a program, information, code, or command, and as a result of such
conduct, intentionally caused damage without authorization, to computers owned by Plaintiffs and the Class.
113. Sony BMG intentionally accessed computers owned by Plaintiffs and the Class without authorization.
114. Sony BMG knowingly and with intent to defraud, accessed computers owned by Plaintiffs and the Class without
authorization, or exceeded authorized access. Sony BMG's conduct furthered the fraud and allowed Sony BMG to obtain information
of value.
115. By engaging in the above-described acts, Sony BMG knowingly, intentionally and/or recklessly caused damage.
116. By engaging in the above-described acts, Sony BMG caused damage.
117. By engaging the above described acts, Sony BMG has caused or attempted to cause a threat to public health or safety,
118. It is important to public safety not to defeat or undermine the security measures on computers.
119. Keeping the Internet infrastructure functioning is important to public safety.
SONY BMG HAS CAUSED DAMAGE TO CONSUMERS
AND THE PUBLIC
120. On or around November 16, 2005, Sony BMG issued a public statement announcing that it would recall XCP CDs and allow
customers to exchange the XCP CDs for CDs that would not contain any DRM.
121. As of the filing of this Complaint, Sony BMG has not offered to refund the purchase price of the XCP CDs.
122. As of the filing of this complaint. Sony BMG has not offered to recall, replace, or refund the purchase price of
MediaMax CDs.
123. As of the filing of this complaint. Sony BMG has not compensated or offered to compensate consumers for the damage it
has caused to their computers.
124. Through the actions set forth above. Sony BMG has damaged its customers,
20 including Plaintiffs
and Class members, to an extent to be determined at trial, caused them actual injury, and caused them to lose money and
property.
125. Investigation into the scope and extent of the effects and damage caused by Sony BMG's software is ongoing. Plaintiffs,
on behalf of themselves and the Class, reserve the right to amend these allegations as new information is discovered.
CLASS ACTION ALLEGATIONS
126. Plaintiffs bring this action on behalf of themselves and all others similarly situated, in both a representative
capacity and as a class action pursuant to California Code of Civil Procedure section 382 and California Civil Code section
1781. Plaintiffs seek to represent the following class: All California residents who purchased an audio compact disc distributed by Sony BMG, which contains XCP or MediaMax software. Not included within the class definition are Defendants and its affiliates.
Additionally, solely for the purposes of the Consumer Legal Remedies Act, California Civil Code Section 1750, et seq.,
the class does not include business entities. In the alternative, to the grounds for class certification set forth below.
Plaintiffs may seek an injunctive relief class based on the fact that Sony BMG has acted or refused to act on grounds generally
applicable to the class and California consumers, thereby making appropriate final injunctive relief and declaratory relief
with respect to the Class and California consumers as a whole.
127. This action has been brought and may properly be maintained as a class action, pursuant to the provisions of the
California Code of Civil Procedure Section 382 and California Civil Code Section 1781.
128. Numerosity of the Class - - Code Civ. Proc., § 382; Civ. Code, § 1781 (b)(l): Members of the Class are so numerous that their individual joinder is impracticable. The precise numbers of members of the
Class and their addresses are unknown to the Plaintiffs. Plaintiffs estimate the Class to consist of hundreds of thousands of
members. The precise number of persons in the Class and their identities and addresses may be ascertained from Defendants'
records. Members of the Class may be notified of the pendency of this action by mail,
21
supplemented (if deemed necessary or
appropriate by the Court) by published notice.
129. Existence and Predominance of Common Questions of Fact and Law - - Code Civ. Proc. § 382; Civ. Code, §
1781(b)(2): Common questions of law and fact exist as to all members of the Class. These questions predominate over the
questions affecting only individual members of the Class. These common legal and factual questions include whether:
a. Sony BMG engaged in deceptive business practice in connection with the sale and advertising of the XCP and MediaMax CDs;
b. Sony BMG, directly or by implication, advertises or represents that the XCP and MediaMax CDs have characteristics they do not have;
c. Whether Sony BMG attempts to cause consumers to waive provisions of the CLRA in violation of the express terms of the statute;
d. Whether some or all of the terms of the EULA are unconscionable;
e. Whether the MediaMax software installs on consumers' computers without authorization;
f. Whether the MediaMax and XCP software exceed the authorizations given by consumers;
g. Whether the communications by the MediaMax and XCP software over the internet are disclosed and necessary uses of the copy protection software.
130. Typicality - - Code Civ. Proc., § 382; Civ. Code § 1781(b)(3): Plaintiffs' claims are typical of the
claims of the members of the Class because Plaintiffs purchased a CD distributed by Defendants, and Plaintiffs were required to
agree to the EULA, which did notify Plaintiffs of the true nature of the software that the CD was to install on Plaintiffs'
computer.
131. Adequacy - - Code Civ. Proc., § 382; Civ. Code § 1781(b)(4): Plaintiffs are adequate representatives
of the Class because their interests do not conflict with the interests of the members of the Class they seek to represent.
Plaintiffs have retained counsel competent and experienced in complex class action litigation and Plaintiffs intend to
prosecute this action vigorously. The interests of members of the Class will be fairly and adequately protected by Plaintiffs
and their counsel.
22
132.Superiority - Code Civ. Proc., § 382: A class action is superior to other available means for the fair and
efficient adjudication of the claims of Plaintiffs and members of the Class. The damages suffered by each individual Class
member may be relatively small, especially given the burden and expense of individual prosecution of the complex and extensive
litigation necessitated by Defendants' conduct. Furthermore, it would be virtually impossible for the Class members, on an
individual basis, to obtain effective redress for the wrongs done to them. Moreover, even if Class members themselves could
afford such individual litigation, the court system could not. Individualized litigation presents a potential for inconsistent
or contradictory judgments. Individualized litigation increases the delay and expense to all parties and the court system
presented by the complex legal issues of the case. By contrast, the class action device presents far fewer management
difficulties, and provides the benefits of a single adjudication, economy of scale, and comprehensive supervision by a single
court.
FIRST CLAIM FOR RELIEF (Violation of Consumer Legal Remedies Act)
133. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.
134. The Consumer Legal Remedies Act (CLRA), California Civil Code sections 1750 et seq, applies to Sony BMG's
actions and conduct because such actions and conduct pertain to transactions that were intended to result and/or resulted in
the sale or lease of goods or services to consumers.
135. Plaintiffs and each member of the class are "consumers" within the meaning of Civil Code Section 1761(d).
136. The Sony BMG products that are the subject of this litigation are "goods" within the meaning of Civil Code section 1761
(a).
137. Sony BMG has engaged in deceptive practices, unlawful methods of competition and/or unfair acts as defined by Civ. Code
§1770, to the detriment of Plaintiffs and the Class. Plaintiffs and members of the Class have suffered harm as a proximate
result of the violations of law and wrongful conduct of Defendant alleged herein.
23
138. Sony BMG intentionally and unlawfully perpetrated harm upon Plaintiffs and the Class by the above described acts.
139. In violation of Civil Code section 1770(5), Sony BMG has represented that its CDs have characteristics, uses or
benefits which they do not have.
140. In violation of Civil Code section 1770(a)(9), Sony BMG has advertised its CDs with intent not to sell them as
advertised.
141. In violation of Civil Code section 1770(a)(14), Sony BMG has represented that the purchase and/or use of its XCP and
MediaMax CDs confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by
law.
142. In violation of Civil Code section 1770(a)(19), Sony BMG has inserted several unconscionable provisions into the
end-user license agreement (EULA) that accompanies the XCP and MediaMax CDs.
143. Sony BMG concealed material information regarding the XCP and MediaMax CDs from Plaintiffs and other class members,
including but not limited to the existence of the rootkit program and its effects on users' computers and the lack of a
reasonable way to uninstall the software in the event of security or privacy violations.
144. Users, including Plaintiffs and class members, routinely rely on this type of information in making music purchase
decisions. Had Sony BMG disclosed this material information. Plaintiffs and other class members would not have purchased the
XCP and MediaMax CDs.
145. Plaintiffs and other class members relied on this material information to their detriment.
146. Sony BMG's deceptive acts and omissions and unfair business practices occurred in the course of selling a consumer
product and violate Civil Code section 1770(a).
147. As a direct and proximate result of Sony BMG's violations of the CLRA, Plaintiffs and other class members have suffered
harm.
148. Sony BMG's policies and practices are unlawful, unethical, oppressive, fraudulent and malicious. The gravity of the
harm to all consumers from Sony BMG's policies and
24
practices far outweighs any purported utility those policies and practices
have.
149. Pursuant to Civil Code section 1780(a), Plaintiffs seek an order enjoining Defendant from engaging in the methods, acts
or practices alleged herein, including an order enjoining the defendant from continuing to sell and market XCP and MediaMax CDs
and continuing to disclaim the risks of using such CDs.
150. Pursuant to Civil Code section 1782, on November 14, 2005, Plaintiffs notified Sony BMG of its commission of unlawful
acts under Civil Code section 1770, specifying the particular violations, and demanded that Sony BMG rectify its illegal acts
within 30 days. The demand letter requested that Sony BMG compensate consumers for computer problems related to the XCP and
MediaMax software.
151. On November 18, 2005, Sony BMG responded. In its response, Sony BMG did not agree to provide compensation or to discuss
a process for assessing claims. Therefore, Plaintiffs and the Class also request (a) actual damages; (b) restitution of money
to Plaintiffs and Class members; (c) punitive damages; (d) attorneys' fees and costs; and (e) other relief that this Court
deems proper.
SECOND CLAIM FOR RELIEF (Violation of California Business and Professions Code Section 17200)
152. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.
153. Plaintiffs and the Class have suffered injury in fact and lost money or property as a result of such unfair
competition. Such injuries and losses include, but are not limited to, computer damage, time and effort spent identifying and
attempting to remove the damaging software, loss of use of the ability to listen to the music on the CDs, and the purchase
price of the CDs.
154. Sony BMG has engaged in unfair, unlawful and fraudulent business practices as set forth above.
155. By engaging in the above-described acts and practices. Sony BMG has committed
25
one or more unfair business practices
within the meaning of Bus. & Prof. Code §17200, et seq. Specifically, Sony BMG's business practices offend the public
policies set forth in California Constitution Art. 1, section 1; Civil Code sections 1750 et seq (Consumer Legal Remedies Act);
Business and Professions Code section 22947 (Consumer Protection Against Computer Spyware Act); Business and Professions
Code section 17500 et seq.; Business and Professions Code sections 22575-579 (Online Privacy Protection Act); and California
Penal Code section 502.
156. Sony BMG's above-described deceptive and misleading acts and practices have and/or are likely to deceive Plaintiffs and
other Class members.
157. Sony BMG's acts and practices are also unlawful because they violate Civil Code sections 1750 et seq (Consumer Legal
Remedies Act); Business and Professions Code section 22947 (Consumer Protection Against Computer Spyware Act); and California
Penal Code section 502.
158. Specifically, Sony BMG marketed and sold the XCP and MediaMax CDs in defective condition and deceptively failed to
disclose their defects as described above; advertised its XCP and MediaMax CDs with intent not to sell them as advertised;
represented that the purchase and/or use of its XCP and MediaMax CDs confers or involves rights, remedies, or obligations which
it does not have or involve, or which are prohibited by law; inserted several unconscionable provisions into the EULA that
accompanies the XCP and MediaMax CDs infected with the XCP and MediaMax software; took control and modified the settings of
user's computers, collected personally identifiable information about users, tracked users as they listen to the CDs and
attempted to prevent users from blocking or disabling the XCP and MediaMax software; violated the implied covenant of good
faith and fair dealing; and failed to comply with the implied warranty of merchantability.
159. Plaintiffs and the Class have suffered injury in fact and have lost money or property as a result of such unfair
competition.
160. Plaintiffs, on behalf of themselves and on behalf of the Class, seek an order of this Court awarding restitution,
disgorgement, injunctive relief and all other relief allowed under §17200, et seq.
26
THIRD CLAIM FOR RELIEF (Breach of Implied Covenant of Good Faith and Fair Dealing)
161. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.
162. California law implies a covenant of good faith and fair dealing in all contracts between parties entered into in the
State of California.
163. By engaging in above-described acts and practices, Sony BMG has violated the implied covenant of good faith and fair
dealing in the consumer's purchase of the XCP and MediaMax CDs.
164. By engaging in the above-described acts and practices. Sony BMG has caused Plaintiffs and the Class to suffer damages
in an amount to be determined at trial.
FOURTH CLAIM FOR RELIEF
(False or Misleading Statements)
165. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.
166. Through its advertising practices, promotional materials, packaging, EULA, public statements, and other acts and
practices described herein. Sony BMG has made untrue and misleading statements and omitted material facts in violation of
California Business and Professions Code §§17500, et seq.
167. The misrepresentations, omissions and other misleading conduct described herein concerning the XCP and MediaMax CDs
were "likely to deceive." These misrepresentations and omissions continue to this date.
168. Sony BMG knows or should know that these misrepresentations and omissions concerning the XCP and MediaMax CDs are false
and misleading.
169. Plaintiffs and the Class were actually deceived by the misrepresentations and omissions.
170. Plaintiffs and the Class relied on these misrepresentations and omissions to their
27
detriment.
171. Plaintiffs and the Class have been harmed. Plaintiffs, on behalf of themselves and on behalf of the Class seek
restitution, disgorgement, injunctive relief and all other relief allowable under §17500, et seq.
PRAYER FOR RELIEF
172. For compensatory damages in an amount to be proven at trial.
173. For restitution and disgorgement of profits realized as a result of the unlawful conduct of defendants.
174. For any treble and/or punitive damages to the extent permitted by law.
175. For equitable relief, including but not limited to, requiring Sony BMG to:
a) Notify consumers, through widespread publicity, of the potential security and other risks associated with the XCP and
MediaMax technology, to allow consumers to make informed decisions regarding their use of those CDs. The notification process
should include issuing a public statement describing the risks associated with both XCP and MediaMax software and
listing every Sony BMG CD, DVD or other product that contains MediaMax software. In addition, Sony BMG must use the banner
communication system incorporated in its software to advise consumers that refunds and uninstall software is available. The
notifications much be reasonably calculated to reach all consumers who have purchased the products.
b) Cooperate fully with any interested manufacturer of anti-virus, anti-spyware, or similar computer security tools, and
with security researchers, to facilitate the identification and complete removal of both XCP and MediaMax software from the
computers of those infected. Among other actions, Sony BMG should publicly waive any claims it may have against such vendors or
researchers under the
28
EULA, the Digital Millennium Copyright Act (DMCA) and any similar laws.
c) Refund the purchase price of the CDs containing XCP technology for those consumers who prefer a refund to a replacement
CD.
d) Refund the purchase price of the CDs containing MediaMax technology or, at the consumer's election, provide a replacement CD that does not contain the MediaMax technology.
For those consumers who choose to retain CDs containing the MediaMax technology, develop and make widely available a software
update that will allow consumers to easily uninstall the technology without losing the ability to play the CD on their
computers, without causing further damage to their computers, and without revealing any personally identifying information.
e) To avoid future abuses, prior to releasing any future product containing technology with similar functions, thoroughly
test the software to determine the existence of any security risks or other possible damages the technology might cause to any
user's computer AND certify in a statement included in the packaging of every CD containing the technology that the product
does not contain any concealed software such as the XCP rootkit, does not electronically communicate with Sony BMG or any other
party nor initiate the download of any software update or other data without informed consent of the consumer immediately prior
to each communication, can be uninstalled without any need to contact and/or disclose personal information to Sony BMG or its
affiliates and agents, does not present any security risks to any consumer's computer, and will not damage or reduce the
functionality of the consumer's computer in any way.
29
176. For the award to Plaintiffs of their attorneys' fees and other costs of suit.
177. For such other and further relief as the Court deems just and equitable.
DATED: November 21, 2005 >
GREEN WELLING LLP
By: Robert S. Greens
Jenelle Welling
Avin P. Sharma
[address, phone, fax]
Cindy Cohn
Fred von Lohmann
Kurt Opsahl
Corynne McSherry
ELECTRONIC FRONTIER FOUNDATION
[address, phone, fax]
Reed R. Kathrein
Shanna Scarlett
LERACH COUGHLIN STOIA GELLER
RUDMAN & ROBBINS LLP
[address, phone, fax]
Lawrence E. Feldman LAWRENCE E. FELDMAN & ASSOCIATES
[address, phone, fax]
Attorneys for Plaintiffs
30
|