EFF's Sony Complaint - as text
Wednesday, November 23 2005 @ 08:31 PM EST

Here's the California class action Complaint against Sony filed by EFF, as text, thanks to BilltheCat. This is not an official EFF transcript, of course, although they are certainly free to use it. Any mistakes belong to us at Groklaw. If you see any, let me know, and we'll aim for perfection.

It looks like this isn't the last of the lawsuits Sony is going to face, either. I hear on the grapevine that a law firm in Canada is researching the matter and looking for people who live there and who bought one of these CDs. I don't doubt there will be many more.

The EFF complaint asks that Sony BMG be required to fix the damage to victims' computers, and it says the EULA is unconscionable, listing specific things the Plaintiffs allege are unconscionable in the EULA that accompanies both XCP and MediaMax. When you read the list, I think you will agree it's hard to argue with EFF that this list is anything a reasonable man would agree to without duress, and as you read them, ask yourself: What do they have to do with copyright rights?

Here's the list:

104. Sony BMG has inserted several unconscionable provisions EULA that accompanies the XCP and MediaMax CDs. These provisions include:
a. Restrictions on the user's ability to use the digital content on the CD in the event that that consumer chose to leave the United States;

b. Restrictions on resale and transfer of the digital content on the CDs;

c. Restrictions on user's ability to use the digital content on the CDs at work;

d. Restrictions on user's ability to use and retain lawfully-made copies of the digital content on the CDs in the event that the original CD is stolen or lost;

e. Restrictions on user's ability to use the digital content on the CDs following a bankruptcy;

f. Conditioning the user's continued use of the digital content on the CDs on acceptance of all Sony BMG software updates;

g. A purported $5.00 limit on Sony BMG's entire liability to the purchaser of the CDs;

h. Restrictions on user's ability to examine and test his or her computer to understand and attempt to prevent the damage cause by the rootkit;

i. A reservation of rights by Sony BMG to use "technological "self-help" measures against the computers of users who desire to make use of the digital content on the CDs "at any time, without notice to [the user]."

j. Restrictions on the user's ability to seek redress in California courts, under California law, and the purchaser's ability to seek a trial by jury;

k. A disclaimer of all warranties, including implied warranties of merchantability, satisfactory quality, noninfringement, and fitness for any particular purpose.

It makes your blood boil to read this list, doesn't it? Forget for a minute all the secretive things they did to customers behind their backs and without notice or explanation. Look at what they told them to their face. This isn't enforcement of copyright rights. Copyright law doesn't forbid you to take a copyrighted book with you to Europe, for example, nor must you turn it in if you go bankrupt. What lawyer thought that one up? And why?

Note that there are several typos in the document, which is not surprising when you consider how quickly this was drawn up, so before you let me know of any corrections, can you please check the original first? Also, there are references to exhibits, and I'm working on them. I will put them here when ready, so you can swing back by later if you are particularly interested in the EULA.

While we are on the subject of the EFF, they have begun a campaign to support bloggers, which is a subject dear to my heart. They ask for financial support, so they can continue to do what they do, and there is a graphic you can place on your website directing the public's attention to the campaign. I have placed one on Groklaw. Here's a snip from EFF's website:

Here at EFF, we're fighting hard for bloggers' rights. We've created the Legal Guide for Bloggers, we're litigating the reporter's privilege for online journalists and we are working hard to defend bloggers' rights to free expression, political speech, and anonymity, just to name a few.

But we need your help to spread the word, grow our membership and keep fighting. So we're launching a special membership campaign specifically for bloggers. We've created a button for you to put in a permanent space on your blog that declares your support for bloggers' rights, and for the work EFF does to support them. The button links to our Bloggers' rights campaign, http://www.eff.org/bloggers/join/

Here's the Legal Guide for Bloggers and their How to Blog Safely. For an international flavor, try also Reporters Without Borders. They have a guidebook called Handbook for Bloggers and Cyber-Dissidents.

As you know, I believe strongly in the right of anonymous speech. And I'm familiar with unfair retaliation against bloggers. So I'm delighted that EFF views this as something vitally important and worth fighting for. Litigation is very expensive. Aren't you shocked to see how much SCO, for example, has paid in legal fees? Well, it's expensive for EFF to do it too.

*******************************

Robert S. Green (State Bar No. 136183)
Jenelle Welling (State Bar No. 209480)
Avin P. Sharma (State Bar No. 233328)
[address, phone, fax]

Cindy Cohn (State Bar No. 145997)
Fred von Lohmann (State Bar No. 192657)
Kurt Opsahl (State Bar No. 191303)
Corynne McSherry (State Bar No. 221504)
ELECTRONIC FRONTIER FOUNDATION
[address, phone, fax]

Reed R. Kathrein (State Bar No. 139304)
Shana Scarlett (State Bar No. 217895)
LERACH COUGHLIN STOIA GELLER
RUDMAN & ROBBINS LLP

[address, phone, fax]

Attorneys for Plaintiffs

_________________________________

SUPERIOR COURT OF THE STATE OF CALIFORNIA
COUNTY OF LOS ANGELES

ROBERT HULL, JOSEPH HALPIN and
EDWIN BONNER, on behalf of themselves
and all others similarly situated

Plaintiffs,

v.

SONY BMG MUSIC ENTERTAINMENT
CORP., SONY CORPORATION OF
AMERICA, and BERTELSMANN, INC.

Defendants.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

___________________________

Plaintiffs, by and through their attorneys, bring this action on behalf of themselves and all others similarly situated, and allege against Defendants as follows:

INTRODUCTION

1. By including a flawed and overreaching computer program in over 20 million music CDs sold to the general public, including California residents, Sony BMG has created serious security, privacy and consumer protection problems that have damaged Plaintiffs and thousands of other Californians. At issue are two software technologies -- MediaMax and Extended Copy Protection, also known as XCP -- which defendant Sony BMG claims to have placed on the music CDs to restrict consumer use of the music on the CDs but which in truth do much more, including monitoring customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms. These, plus other problems caused by Sony BMG's inclusion of this software, are in violation of California law and public policy. After a series of embarrassing public revelations about security risks associated with the XCP software, including warnings issued by the United States Government, Microsoft and leading anti-virus companies, defendant Sony BMG has taken some steps to respond to the security risks created by the XCP technology. It has failed, however, to address security concerns raised by the MediaMax software or the consumer privacy and consumer fairness problems created by both technologies.

JURISDICTION AND VENUE

2. The jurisdiction of this Court arises under Code of Civil Procedure § 410.10 because Defendants conduct business in and sell a substantial number of audio compact discs in the State of California. This Court has subject matter jurisdiction over this Class and the representative action pursuant to Bus. & Prof. Code, § 17200, et seq. ("UCL"); Bus. & Prof. Code § 17500, et seq.; Civ. Code § 1750, et. seq.; Code of Civil Procedure § 382; and other provisions of the California Codes.

3. Venue is proper in this County pursuant to Code of Civil Procedure, § 395.5, Civil Code, § 1780(c), Bus. & Prof. Codes, §§ 17202 and 17203, because Sony BMG conducts substantial business within this County.

PARTIES

4. At all times mentioned herein, Plaintiff Robert Hull was, and still is, an individual and resident of Chatsworth, California.

5. At all times mentioned herein, Plaintiff Joseph Halpin was, and still is, an individual and resident of Sebastopol, California.

6. At all times mentioned herein, Plaintiff Edwin Bonner was, and still is, an individual and resident of La Jolla, California.

7. At all times mentioned herein, Defendant Sony BMG Music Entertainment ("Sony BMG"), is and at all relevant times was, a Delaware General Partnership, with its principal place of business in New York, New York. Sony BMG maintains an office in California.

8. Defendant Sony Corporation of America is the U.S. subsidiary of Sony Corporation, a multinational corporation based in Japan. At all times mentioned herein, Defendant Sony Corporation of America, is and at all relevant times was, a New York corporation, with its principal place of business in New York, New York.

9. Defendant Bertelsmann, Inc. is the U.S. subsidiary of Bertelsmann AG, a multinational corporation based in Germany. At all times mentioned herein, Defendant Bertelsmann, Inc., is a Delaware Corporation with its principal place of business in New York, New York.

FACTUAL ALLEGATIONS COMMON TO ALL CLAIMS

10. In August 2004, Sony Corporation merged its Sony Music Entertainment, Inc. with Bertelsmann AG's BMG to create a joint venture, Sony BMG. Sony Corporation of America and Bertelsmann AG are the parent companies, respectively, of Sony Music Entertainment and BMG.

11. Sony BMG is the world's second largest music company. Its labels include Arista Records, Columbia Records, Epic Records, J Records, Jive Records, LaFace Records, Legacy Recordings, Provident Music Group, RCA Records, RCA Victor Group, RLG - Nashville, SONY BMG Masterworks, Sony Music Nashville, Sony Urban Music, Sony Wonder, So So Def Records, and Verity Records. Sony BMG manufactures, distributes, markets, and sells audio compact discs ("CDs").

12. In 2003, Sony BMG began to distribute CDs that contain software that Sony BMG refers to as Digital Rights Management ("DRM") to the public. This DRM software on the Sony BMG CDs includes MediaMax created by SunnComm ("MediaMax CDs") and Extended Copy Protection ("XCP") created by First4Internet ("XCP CDs"). On information and belief, Sony BMG intended that most of its CDs sold in the United States would incorporate one of these technologies.

13. Sony BMG is the first company to commercially deploy XCP.

14. On information and belief, Sony BMG has been using versions of XCP since 2002 on prerelease CDs sent to radio stations and internal employees.

15. On information and belief, Sony BMG and BMG have been using MediaMax on some CDs since at least 2003. On information and belief, Sony BMG currently uses MediaMax 5 on its MediaMax CDs.

16. Since March 2005, Sony BMG has distributed at least 52 music titles with XCP software. On information and belief, Sony BMG has shipped at least 4.7 million CD's containing the XCP software, of which 2.1 million have been sold.

17. Sony BMG has also distributed many more music titles with MediaMax software -- including a number one hit CD last year by Velvet Revolver, entitled Contraband. On information and belief, Sony BMG has distributed at least 20 million CDs with MediaMax software.

18. In a November 11, 2005, MSNBC.com article, by Bob Sullivan, Sunncomm CEO Peter Jacobs states that MediaMax is "now on about 20 million Sony BMG music discs."

THE SUNNCOMM SOFTWARE IS UNDISCLOSED SPYWARE AND COMPROMISES SECURITY

19. The Anti-Spyware Coalition ("ASC") describes spyware as technologies deployed without appropriate user consent and/or implemented in ways that impair user control over: (1) material changes that affect a user's experience, privacy, or system security; (2) use of the user's system resources, including what programs are installed on the user's computer; and/or (3) collection, use, and distribution of a user's personal or other sensitive information. Computer Associates defines spyware as "Any product that employs a user's Internet connection in the background without their knowledge, and gathers/transmits info on the user or their behavior." As discussed below, the MediaMax software used by Sony BMG on many of its CDs meets the ASC's definition of spyware.

20. MediaMax installs without meaningful consent or notification. When a MediaMax CD is inserted into a computer running Windows, MediaMax installs, prior to the appearance of the End User License Agreement ("EULA"), approximately eighteen files that consume approximately 15 MB on the user's hard drive. These files remain installed even if the user declines the EULA presented later. One of them, a kernel-level driver with the cryptic name "sbcphid," is both installed and launched. The "kernel" is the core of a computer operating system, which controls and secures access to the computer's basic operations.

21. This kernel-level driver is the heart of the MediaMax copy protection system. When it is running, it attempts to block CD ripping and copying applications from reading the audio tracks on MediaMax CDs. The software refrains from making one final change until after users accept the license—it does not set the driver to automatically run again every time Windows starts. Nevertheless, the code keeps running until the computer is restarted and remains on the hard disk indefinitely, even if the agreement is declined.

22. Only after these files are installed and at least one has launched does the software display a EULA, which the user may accept or decline, making it a contract of adhesion. Even if the EULA is declined, however, the software already installed prior to presentation of the EULA remains on the user's computer.

23. The MediaMax CDs' EULA states: "As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted." This statement is not true, since by the time this message is displayed, over eighteen files are already installed and, as noted above, those files remain on the hard disk indefinitely, even if the agreement is declined. Attached hereto as Exhibit A and incorporated herein by reference is a true and correct copy of the MediaMax EULA.

24. Sony BMG's MediaMax CD EULA states that "[T]he SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise."

25. If purchasers seek more information about the software that has been installed on their computer, they are directed to the SunnComm Sony BMG customer care website, which falsely tells users that "No information is ever collected about you or your computer without you consenting" and also states: "Is any personal information collected from my computer during the digital key delivery process? No, during the digital key delivery process, no information is ever collected about you or your computer."

26. Despite the representations to the contrary in the EULA and the SunnComm website, and without notification or consent of the user, the MediaMax software "phones home" to SunnComm every time a user plays a protected CD. The software causes the computer to connect to a Sony BMG and/or SunnComm server via the internet. The MediaMax software conveys a unique code that identifies the album to which the user is listening. The request also contains standard HTTP headers from which can be used to determine what operating system the user is running and what version of the Internet Explorer web browser the user has.

27. On information and belief, prior versions of the MediaMax software still used on some Sony BMG CDs contact Sony BMG and/or SunnComm to obtain "digital keys" that permitted the CDs to be copied.

28. The SunnComm Sony BMG customer care website also does not have a visible privacy policy.

29. The Media Max software connects to an online service at http://license.sunncomm2.com/, which does not have a visible privacy policy.

30. The MediaMax software opens a web page from a Sony BMG and/or SunnComm server and sends a 32-character identifier through an HTTP request. On information and belief, this is a unique code that tells Sony BMG and/or SunnComm to which album the user is listening. The request also contains standard HTTP headers that can be used to determine the user's operating system.

31. The server to which the MediaMax software connects returns an HTTP response to the MediaMax software. On information and belief, this response is intended to facilitate the placement of dynamic, interactive advertisements that can be changed at any time by Sony BMG and/or SunnComm.

32. The MediaMax software also transmits the user's computer's Internet Protocol or "IP" address to servers controlled by Sony BMG or its agents, without receiving permission from the computer user. No two IP addresses are alike and IP addresses provide the means to determine information about the person who used the particular IP address. Users are assigned an IP address by their Internet service provider or system administrator. Many users are issued frequently changing "dynamic" IP addresses that make it difficult to track them individually, but others have fixed, "static" addresses that can permit Sony BMG to ascertain their identities and associate listening habits with particular individuals across many different CDs containing the Sunncomm software.

33. The Sunncomm MediaMax support website (http://tickets.sunncomm.com/selfhelp/), also misleadingly states, "Please note that MediaMax was designed to manage and safeguard the copyrights of specified artists' CDs while giving you an enhanced visual and listening experience. It does not interfere with or impact any of the normal operations and/or functions of your computer." (emphasis in the original). As described above, this statement is false.

34. Sony BMG fails to disclose, prior to purchase, that users running the MediaMax CDs on Windows-based computers could have filed downloaded and stored on their computers without their consent, and failed to disclose that the software would transmit information about user, including monitoring whenever users listen to the CDs, without notification to or consent of the users.

SUNNCOMM'S MEDIAMAX UNINSTALLER CREATED A GREATER SECURITY
RISK AND VIOLATED USER'S PRIVACY

35. On information and belief, none of the MediaMax CDs from Sony BMG contains an uninstaller.

36. Upon request, SunnComm will provide an internet-based uninstaller for the MediaMax software. On information and belief, SunnComm provides this uninstaller only after repeated requests that require the disclosure of personally identifying information.

37. The uninstaller suffers from a design flaw. When a user visits the SunnComm uninstaller web page, the user is prompted to accept a small software component—an ActiveX control called "AxWebRemoveCtrl" created by SunnComm.

38. This ActiveX control is designed so that any web page can ask it to download and executing code from an arbitrary website location or URL.

39. If a user visits a malicious website, the site can use the flawed ActiveX control to download, install, and run malicious or dangerous software code on the user's computer without the user's knowledge or consent. Such code could severely damage a user's computer, including but not limited to erasing a user's hard disk.

40. The uninstaller fails to remove the vulnerable ActiveX control from the user's computer following completion of the uninstallation process.

41. Sony BMG fails to disclose the security risks created by the MediaMax software and the MediaMax uninstaller, and their potential harm to a user's computer.

42. Therefore, users who hope to prevent and/or limit security and privacy risks must rely on the research and publication efforts of independent security experts and consumer advocates.

43. On information and belief, the MediaMax software causes additional damage to users' computers.

THE XCP SOFTWARE IS UNDISCLOSED SPYWARE AND COMPROMISES SECURITY

44. Sony BMG's actions and omissions with respect to the MediaMax software are part of a pattern of corporate failure to investigate, address, and disclose the security and privacy risks associated with its inclusion of so-called DRM software on music CDs.

45. Similar and, in some respects, more serious risks have been identified in CDs loaded with another Sony BMG technology, Extended Copy Protection, or XCP. As with the MediaMax software, these risks have been disclosed by independent researchers and consumer advocates, rather than Sony BMG.

46. The software on a Sony BMG XCP CD is designed to operate only on Windows-based computers that run Windows 98SE/NT/2000/XP.

47. When a computer user places the Sony BMG XCP CD in a Windows based computer, the software is designed such that the user is first required to agree to a EULA. According to the EULA, a user cannot utilize the audio files or the digital content of the CD on the computer unless the user agrees to the EULA making it a contract of adhesion. Attached hereto as Exhibit B and incorporated herein by reference is a true and correct copy of the XCP EULA.

48. The user is then told that the XCP software automatically installs player software into the user's computer that will allow the user to play, save and copy the audio files on the CD.

49. According to the EULA, the software automatically installed by the XCP CD is intended to protect the "digital content" embodied on the XCP CD. Digital content appears to include audio files converted into digital music files as well as unspecified other "already existing digital content."

50. While the user is led to believe that Sony BMG's XCP software is installing the player software into the user's computer, it is actually installing software as a "rootkit" into the user's hard drive. The Sony BMG XCP software also installs a CD drive filter driver that intercepts calls to the computer's CD drive.

51. A rootkit is used to hide login, processes, files, and logs and may include software to intercept data from terminals, network connections, CD drives, and keyboards. A rootkit is invisible to the operating system and antivirus and security software, and is frequently used by unauthorized third-parties, after gaining access to a computer system, to hide their activities.

52. Specifically, the Sony BMG rootkit is a system filter driver which intercepts all calls for process, directory or registry listings, and then modifies what information is visible to the operating system in order to hide every file, process, or registry key beginning with the characters "$sys$."

53. Unbeknownst to users, once the rootkit is installed by the software on a Sony BMG CD, the rootkit degrades the performance of the user's computer.

54. In a November 1, 2005, eweek.com article by Paul Roberts, computer security analyst Mark Russinovich states that the rootkit files interact with the Windows operating system at a very low level and fail to account for certain conditions that could cause the files to overwrite areas of memory, crashing applications that use that memory, or even crashing the entire Windows operating system. On information and belief, this article correctly illustrates some of the damage the rootkit could do.

55. The rootkit causes significant and cumulative injury to a user's computer. Specifically, the rootkit can interfere with the computer's CD drive, file copying software, and media players. The rootkit also uses up system memory that would otherwise be available.

56. On or around November 4, 2005, on National Public Radio's "Morning Edition" program, Thomas Hesse, President of Sony BMG's global digital business division, when asked about the XCP controversy, responded "Most people, I think, don't even know what a rootkit is, so why should they care about it?" In the same program, Mr. Hesse also denied that Sony BMG's software communicated with Sony BMG, saying "No information ever gets gathered about the users' behavior, no information ever gets communicated back to the user, this is purely about restricting the ability to burn MP3 files in an unprotected manner."

57. Sony BMG failed to disclose that the XCP software, in the rootkit, automatically connects the user's computer via the internet to a server owned or operated by Sony BMG or its affiliates, without the user's consent. Once a user's computer is connected to the Sony BMG website, the software sends an identification code associated with each XCP CD that is played on that computer to the Sony BMG website. The Sony BMG server then automatically checks for updates to the album art and lyrics for that album. This process uses the bandwidth that would otherwise be available to the user's computer for other tasks.

58. As with the MediaMax software, this network connection provides Sony BMG with the ability to record each time a CD with XCP software is played and the IP address of the computer playing it, without receiving permission from the computer user. As discussed above, no two IP addresses are alike and IP addresses provide the means to determine information about the person who used the particular IP address. Sony BMG does not disclose the possibility of this use of DRM software in its packaging, the installation process, or its EULA. Instead the EULA states, "the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise."

59. The Anti-Spyware Coalition and computer security firm Computer Associates identify Sony BMG's XCP software as "Spyware."

60. Sony BMG's XCP software meets the ASC standards for spyware because the rootkit is placed on the computer without the user's consent and it changes the user's system security because the rootkit makes the user's computer more vulnerable to other types of malware.

61. Computer Associates has classified the Sony BMG XCP rootkit as a form of spyware known as a "Trojan," noting that the "XCP Sony Rootkit modifies you[r] operating system at a low level, represents a large threat to both corporate and consumer users system integrity." Computer Associates also has noted that "[t]he Rootkit functionality hides files and enables hackers and other spyware to hide files with impunity."

62. Computer Associates has categorized Sony BMG's "Media Player" as spyware, noting that "When launched from the CD, Music Player sends information back to Sony BMG, indicating which album is being played."

63. Once the rootkit is on a user's computer, it creates an undisclosed risk of security breach to that computer because other malicious software, such as computer viruses, worms, and spyware that enter the computer could exploit the software concealed by the rootkit.

64. Malicious software coders have discovered that they can effectively render their programs invisible by using names for computer files similar to ones cloaked by the Sony BMG technology. On information and belief, several malicious programs that exploit the XCP technology's ability to avoid detection have already been distributed over the internet. Further, as stated above, XCP software transmits information about the user's computer, IP address, and listening habits.

65. On or around November 12, 2005, Microsoft, Inc., the maker of the Windows operating system stated that "Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems" and Microsoft's Anti-Malware Engineering Team informed consumers that "in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software."

66. The nature of a rootkit makes it extremely difficult for a computer user to remove, often leaving reformatting the entire hard drive as the only solution. Reformatting a hard drive requires backing up all data on the hard drive, as reformatting a hard drive deletes all data on the hard drive. The user is then required to re-install the operating system and all applicable programs and drivers. This process can take many hours and is beyond the technical capabilities of many users. Sony BMG's XCP CD EULA and install process do not disclose nor does the CDs' software prompt users with information about the rootkit or the need to reformat the hard drive in order to remove it.

67. In response to the public outcry about the deceptive nature of Sony BMG XCP CDs, Sony BMG made available a software patch. The patch was only available on the Sony BMG support site (http://cp.sonybmg.com/xcp/english/home.html). The patch does not remove the software or allow the user to remove the software. The software patch merely makes the software visible to system tools and antivirus software while installing an additional 3.5 MB of updated versions of the software into the user's computer. Additionally, the patch contains a design flaw that could cause a computer to crash as it is installed.

68. Sony BMG failed to disclose that if a user attempts to disable the software it will likely disable the audio CD driver on the computer, rendering the user's CD drive inoperable. If the rootkit is removed manually, the Sony BMG software's changes to the user's system will render the user's CD drive non-functional. According to computer security firm Computer Associates, "[r]econfiguring the CD-ROM driver to a functioning state will be beyond the ability of the average home user."

69. Computer Associates categorized Sony BMG's patch as a "Trojan" and noted that the Sony BMG software, even when patched with Sony BMG's update, continues to "represent a threat to the user's control over their system ...."

70. The United States Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security that is charged with the task of "protecting the nation's Internet infrastructure" by coordinating "defense against and responses to cyber attacks across the nation" has stated that the XCP rootkit "can pose a security threat" and that "one of the uninstallation options provided by Sony BMG also introduces vulnerabilities to a system."

71. Installation of a rootkit on a computer undermines the security of that computer.

72. Installation of a rootkit on a computer causes impairment to the integrity or availability of data, a program, a system or information.

73. The software installed by Sony BMG includes a set of computer instructions that are designed to modify, damage, destroy, record, and/or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information.

74. On information and belief, the XCP software causes additional damage to users' computers.

SONY BMG'S FIRST XCP UNINSTALLER CREATED A GREATER SECURITY RISK AND VIOLATED USER'S PRIVACY

75. On information and belief, the only way for typical users to safely uninstall the software is to obtain an uninstaller from Sony BMG. Until approximately November 15, 2005, in order to obtain an uninstaller from Sony BMG, a user was required to navigate an extensive request process and disclose more personal information to Sony BMG. First, the user was required to go to the Sony BMG support website and fill out a form stating: a country where the CD was purchased; the artist's name; the album title; the store name; and the user's e-mail address. After submitting the form, the user was directed to a website which states that the user will receive an e-mail with a "Case ID." Next, the user received an e-mail that directed the user to install the patch and then visit another website if the user still wanted to uninstall the DRM software.

76. This further website, available until November 15, 2005, required the user to install ActiveX control software. The user was then required to enter the Case ID and fill in the reasons for the request. Once the user submitted this information, the user receives an email that notifies the user that a customer service representative would email the uninstall instructions to the user within a business day. The user then received an e-mail with a link to a confidentiality notice, which had to be accepted before software could be uninstalled.

77. Sony BMG states that the information collected by Sony BMG before providing the uninstaller is subject to its Privacy Policy, http://www.sonybmg.com/privacypolicy.html. The Sony BMG Privacy Policy states, inter alia, that Sony BMG "may share the information we collect from you with our affiliates or send you e-mail promotions and special offers from reputable third parties in whose products and services we think you may have an interest. We may also share your information with reputable third-parties who may contact you directly."

78. On information and belief, if the Sony BMG software was uninstalled using the uninstaller available until November 15, 2005, the user was no longer able to receive the full use and value of the XCP CD on his or her computer. Therefore, Sony BMG required the user to either accept the malicious software or lose the full use and value of the XCP CD. Sony BMG did not disclose this fact to users prior to purchase.

79. The Sony BMG software could not be uninstalled if the user proceeded to the link from a different computer than the one on which the user installed the ActiveX control software. If the user is not at that same computer he or she will receive an error message. The uninstall link contains the Case ID in the address, so when the user proceeds to the uninstall link, the ActiveX control software sends a Sony BMG website an encrypted block of data. This encrypted data is a signature that is tied to the hardware configuration of the user's computer.

80. On information and belief, the ActiveX uninstaller leaves behind numerous software methods that can be exploited by others.

81. The ActiveX uninstaller also exposes a user's computer to additional risks by enabling malicious third parties to download and install over the internet because the ActiveX uninstaller fails to restrict such access only to Sony BMG or First4Internet. Such malicious code could severely damage a user's computer, including but not limited to erasing a user's hard disk.

82. Sony BMG does not cause the ActiveX control to be removed from user's computers following completion of the installation process.

83. On information and belief, the uninstallation can cause further damage to users' computers, including but not limited to, causing a user's Windows operating system to crash.

84. On or around November 15, 2005, Sony BMG posted the following message on its website: "We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding." Sony BMG failed to disclose the problems associated with the old uninstaller. As of the filing of this complaint, no new uninstaller has been made available.

85. On information and belief, the software released by Sony BMG to resolve the flaws in the XCP software can cause further damage to users' computers.

SONY BMG HAS MADE MATERIAL MISREPRESENTATIONS AND OMISSIONS REGARDING THE SOFTWARE IT HAS INCLUDED ON MUSIC CDS

86. In addition to the material misrepresentations and omissions set forth above, Sony BMG has made numerous additional misrepresentations and omissions of material facts.

87. On information and belief, the XCP and MediaMax CDs are disseminated with identical EULAs.

88. Sony BMG's EULAs state that the MediaMax and XCP software installed on a user's computer will not be used to collect any personal information. As set forth above, this is untrue.

89. Sony BMG's EULAs state that the MediaMax and XCP software will remain on the user's computer until it is removed or deleted. Neither the MediaMax nor the XCP software allows a user to use the standard "add/remove program" function on the Windows operating system to remove the program. Sony BMG's MediaMax and XCP CDs and its software fail to provide information about how to remove the program or even how to contact Sony BMG to resolve any problems with the program.

90. The EULAs disclose that the MediaMax and XCP drivers try to "protect the audio files embodied on the CD." However, the drivers also attempt to restrict access to any other CD that uses MediaMax or XCP technology. Therefore, users need only agree to installation on one album for the software to affect users' ability to use many other titles.

91. Sony BMG uses its website to advertise and promote the sale of its CDs. On its website, until November 15, 2005, Sony BMG falsely denied that its software is spyware and that it posed a security risk. Sony BMG also made the false claim that the software does not collect any personal information nor is it designed to be intrusive to the user's computer system.

92. On or around November 8, 2005, Sony BMG publicly and falsely stated, on the http://cp.sonybmg.com/xcp website, that the XCP software's rootkit "component is not malicious and does not compromise security."

93. The above website directs users to another site, http://updates.xcp-aurora.com/, where users can obtain a software update to remove the rootkit component of the XCP technology. As of the filing of this complaint, the website states that the cloaking component "is not malicious and does not compromise security."

94. On its support website (http://cp.sonybmg.com/xcp/english/home.html), Sony BMG stated, until approximately November 16, 2005, that its XCP software simply acts to prevent unlimited copying and ripping from discs featuring the technology. Sony BMG created the false impression that the only effect of software included on CDs would be to restrict the ability to create copies of CDs or the quantity of CDs that a user can copy.

95. On or around November 16, 2005, Sony BMG announced, on the http://cp.sonybmg.com/xcp website, that it shared the security concerns of consumers regarding the XCP discs, and offered to exchange new CDs for CDs with XCP software. Sony BMG did not indicate the nature or extent of the security risks associated with the XCP software. Sony BMG also affirmed that the XCP software was not a "monitoring technology."

96. Sony BMG uses its website to advertise and promote the sale of its CDs. On its website, until November 15, 2005, Sony BMG falsely denied that its software is spyware and that it posed a security risk. Sony BMG also made the false claim that the software does not collect any personal information nor is it designed to be intrusive to the user's computer system. Sony BMG has failed to make efforts to publicize the flaws in its XCP software and uninstaller, apart from statements on its websites and statements to the press. Therefore, many XCP CD purchasers are unaware of the security and other risks caused by the software.

97. Sony BMG has failed to publicly disclose or address the risks associated with MediaMax software and its uninstaller. Therefore, many MediaMax CD purchasers are unaware of the security and other risks caused by the software.

98. As set forth above, the MediaMax CD EULA and the SunnComm Sony BMG support website misleadingly represent that the software will not be used to collect personal information about the user without his or her permission.

99. As set forth above, the MediaMax CD EULA and the SunnComm Sony BMG support website falsely represent that MediaMax software will not be installed if the user declines the EULA.

100. The MediaMax EULA fails to disclose other important details about what the uninstaller does, including but not limited to the security risks it poses to users' computers.

101. According to Sony BMG, the purpose of the software is to restrict the ability to create copies of CDs or the quantity of CDs that a user can copy. The MediaMax and XCP software goes far beyond copyright protection, however. For example, the software makes it extremely difficult for a consumer with a PC to transfer their music to an Apple Corporation-manufactured iPod but easy to transfer to other portable digital music players, such as those sold by Sony. Sony BMG asks iPod owners who have XCP CDs to complain to Apple about the inability to play Sony BMG protected music on an iPod. The MediaMax support website also asks iPod owners who have MediaMax CDs to complain to Apple about the inability to play Sony BMG protected music on an iPod. To the extent that this is intended to advantage Sony BMG or its partners in the portable digital music player market, this advantage comes at the expense of consumers.

SONY BMG'S EULAS CONTAIN NUMEROUS UNCONSCIONABLE AND UNREASONABLE PROVISIONS

102. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.

103. On information and belief, the XCP and MediaMax CDs are disseminated with identical EULAs.

104. Sony BMG has inserted several unconscionable provisions into the EULA that accompanies the XCP and MediaMax CDs. These provisions include:

a. Restrictions on the user's ability to use the digital content on the CD in the event that that consumer chose to leave the United States;

b. Restrictions on resale and transfer of the digital content on the CDs;

c. Restrictions on user's ability to use the digital content on the CDs at work;

d. Restrictions on user's ability to use and retain lawfully-made copies of the digital content on the CDs in the event that the original CD is stolen or lost;

e. Restrictions on user's ability to use the digital content on the CDs following a bankruptcy;

f. Conditioning the user's continued use of the digital content on the CDs on acceptance of all Sony BMG software updates;

g. A purported $5.00 limit on Sony BMG's entire liability to the purchaser of the CDs;

h. Restrictions on user's ability to examine and test his or her computer to understand and attempt to prevent the damage caused by the rootkit;

i. A reservation of rights by Sony BMG to use "technological "self-help" measures against the computers of users who desire to make use of the digital content on the CDs "at any time, without notice to [the user]."

j. Restrictions on the user's ability to seek redress in California courts, under California law, and the purchaser's ability to seek a trial by jury;

k. A disclaimer of all warranties, including implied warranties of merchantability, satisfactory quality, noninfringement, and fitness for any particular purpose.

SONY BMG'S SOFTWARE IS A COMPUTER CONTAMINANT

105. Sony BMG has introduced a computer contaminant, in violation of California Penal Code Section 502, into the Plaintiffs' and the Class' computers, computer systems or computer networks.

106. Sony BMG software includes a set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network.

107. Sony BMG software transmits information about which CDs the user is playing through the Internet.

108. Sony BMG knowingly introduced the software into a computer, computer system, or computer network.

109. The Plaintiffs and the Class do not intend for the Sony BMG software to transmit information about which CDs the user is playing through the Internet.

110. The Plaintiffs and the Class did not give permission for the Sony BMG software to transmit information about which CDs the user is playing through the Internet.

111. Sony BMG has intentionally accessed a computer without authorization or exceeded authorized access, and thereby obtained information from computers owned by Plaintiffs and the Class; and accessed such computers without authorization, and as a result of such conduct, recklessly caused damage.

112. Sony BMG knowingly caused the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caused damage without authorization, to computers owned by Plaintiffs and the Class.

113. Sony BMG intentionally accessed computers owned by Plaintiffs and the Class without authorization.

114. Sony BMG knowingly and with intent to defraud, accessed computers owned by Plaintiffs and the Class without authorization, or exceeded authorized access. Sony BMG's conduct furthered the fraud and allowed Sony BMG to obtain information of value.

115. By engaging in the above-described acts, Sony BMG knowingly, intentionally and/or recklessly caused damage.

116. By engaging in the above-described acts, Sony BMG caused damage.

117. By engaging in the above described acts, Sony BMG has caused or attempted to cause a threat to public health or safety.

118. It is important to public safety not to defeat or undermine the security measures on computers.

119. Keeping the Internet infrastructure functioning is important to public safety.

SONY BMG HAS CAUSED DAMAGE TO CONSUMERS AND THE PUBLIC

120. On or around November 16, 2005, Sony BMG issued a public statement announcing that it would recall XCP CDs and allow customers to exchange the XCP CDs for CDs that would not contain any DRM.

121. As of the filing of this Complaint, Sony BMG has not offered to refund the purchase price of the XCP CDs.

122. As of the filing of this complaint, Sony BMG has not offered to recall, replace, or refund the purchase price of MediaMax CDs.

123. As of the filing of this complaint, Sony BMG has not compensated or offered to compensate consumers for the damage it has caused to their computers.

124. Through the actions set forth above, Sony BMG has damaged its customers, including Plaintiffs and Class members, to an extent to be determined at trial, caused them actual injury, and caused them to lose money and property.

125. Investigation into the scope and extent of the effects and damage caused by Sony BMG's software is ongoing. Plaintiffs, on behalf of themselves and the Class, reserve the right to amend these allegations as new information is discovered.

CLASS ACTION ALLEGATIONS

126. Plaintiffs bring this action on behalf of themselves and all others similarly situated, in both a representative capacity and as a class action pursuant to California Code of Civil Procedure section 382 and California Civil Code section 1781. Plaintiffs seek to represent the following class: All California residents who purchased an audio compact disc distributed by Sony BMG, which contains XCP or MediaMax software. Not included within the class definition are Defendants and its affiliates. Additionally, solely for the purposes of the Consumer Legal Remedies Act, California Civil Code Section 1750, et seq., the class does not include business entities. In the alternative, to the grounds for class certification set forth below, Plaintiffs may seek an injunctive relief class based on the fact that Sony BMG has acted or refused to act on grounds generally applicable to the class and California consumers, thereby making appropriate final injunctive relief and declaratory relief with respect to the Class and California consumers as a whole.

127. This action has been brought and may properly be maintained as a class action, pursuant to the provisions of the California Code of Civil Procedure Section 382 and California Civil Code Section 1781.

128. Numerosity of the Class - - Code Civ. Proc., § 382; Civ. Code, § 1781 (b)(1): Members of the Class are so numerous that their individual joinder is impracticable. The precise numbers of members of the Class and their addresses are unknown to the Plaintiffs. Plaintiffs estimate the Class to consist of hundreds of thousands of members. The precise number of persons in the Class and their identities and addresses may be ascertained from Defendants' records. Members of the Class may be notified of the pendency of this action by mail, supplemented (if deemed necessary or appropriate by the Court) by published notice.

129. Existence and Predominance of Common Questions of Fact and Law - - Code Civ. Proc. § 382; Civ. Code, § 1781(b)(2): Common questions of law and fact exist as to all members of the Class. These questions predominate over the questions affecting only individual members of the Class. These common legal and factual questions include whether:

a. Sony BMG engaged in deceptive business practice in connection with the sale and advertising of the XCP and MediaMax CDs;

b. Sony BMG, directly or by implication, advertises or represents that the XCP and MediaMax CDs have characteristics they do not have;

c. Whether Sony BMG attempts to cause consumers to waive provisions of the CLRA in violation of the express terms of the statute;

d. Whether some or all of the terms of the EULA are unconscionable;

e. Whether the MediaMax software installs on consumers' computers without authorization;

f. Whether the MediaMax and XCP software exceed the authorizations given by consumers;

g. Whether the communications by the MediaMax and XCP software over the internet are disclosed and necessary uses of the copy protection software.

130. Typicality - - Code Civ. Proc., § 382; Civ. Code § 1781(b)(3): Plaintiffs' claims are typical of the claims of the members of the Class because Plaintiffs purchased a CD distributed by Defendants, and Plaintiffs were required to agree to the EULA, which did notify Plaintiffs of the true nature of the software that the CD was to install on Plaintiffs' computer.

131. Adequacy - - Code Civ. Proc., § 382; Civ. Code § 1781(b)(4): Plaintiffs are adequate representatives of the Class because their interests do not conflict with the interests of the members of the Class they seek to represent. Plaintiffs have retained counsel competent and experienced in complex class action litigation and Plaintiffs intend to prosecute this action vigorously. The interests of members of the Class will be fairly and adequately protected by Plaintiffs and their counsel.

132. Superiority - Code Civ. Proc., § 382: A class action is superior to other available means for the fair and efficient adjudication of the claims of Plaintiffs and members of the Class. The damages suffered by each individual Class member may be relatively small, especially given the burden and expense of individual prosecution of the complex and extensive litigation necessitated by Defendants' conduct. Furthermore, it would be virtually impossible for the Class members, on an individual basis, to obtain effective redress for the wrongs done to them. Moreover, even if Class members themselves could afford such individual litigation, the court system could not. Individualized litigation presents a potential for inconsistent or contradictory judgments. Individualized litigation increases the delay and expense to all parties and the court system presented by the complex legal issues of the case. By contrast, the class action device presents far fewer management difficulties, and provides the benefits of a single adjudication, economy of scale, and comprehensive supervision by a single court.

FIRST CLAIM FOR RELIEF
(Violation of Consumer Legal Remedies Act)

133. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.

134. The Consumer Legal Remedies Act (CLRA), California Civil Code sections 1750 et seq, applies to Sony BMG's actions and conduct because such actions and conduct pertain to transactions that were intended to result and/or resulted in the sale or lease of goods or services to consumers.

135. Plaintiffs and each member of the class are "consumers" within the meaning of Civil Code Section 1761(d).

136. The Sony BMG products that are the subject of this litigation are "goods" within the meaning of Civil Code section 1761 (a).

137. Sony BMG has engaged in deceptive practices, unlawful methods of competition and/or unfair acts as defined by Civ. Code §1770, to the detriment of Plaintiffs and the Class. Plaintiffs and members of the Class have suffered harm as a proximate result of the violations of law and wrongful conduct of Defendant alleged herein.

138. Sony BMG intentionally and unlawfully perpetrated harm upon Plaintiffs and the Class by the above described acts.

139. In violation of Civil Code section 1770(5), Sony BMG has represented that its CDs have characteristics, uses or benefits which they do not have.

140. In violation of Civil Code section 1770(a)(9), Sony BMG has advertised its CDs with intent not to sell them as advertised.

141. In violation of Civil Code section 1770(a)(14), Sony BMG has represented that the purchase and/or use of its XCP and MediaMax CDs confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law.

142. In violation of Civil Code section 1770(a)(19), Sony BMG has inserted several unconscionable provisions into the end-user license agreement (EULA) that accompanies the XCP and MediaMax CDs.

143. Sony BMG concealed material information regarding the XCP and MediaMax CDs from Plaintiffs and other class members, including but not limited to the existence of the rootkit program and its effects on users' computers and the lack of a reasonable way to uninstall the software in the event of security or privacy violations.

144. Users, including Plaintiffs and class members, routinely rely on this type of information in making music purchase decisions. Had Sony BMG disclosed this material information, Plaintiffs and other class members would not have purchased the XCP and MediaMax CDs.

145. Plaintiffs and other class members relied on this material information to their detriment.

146. Sony BMG's deceptive acts and omissions and unfair business practices occurred in the course of selling a consumer product and violate Civil Code section 1770(a).

147. As a direct and proximate result of Sony BMG's violations of the CLRA, Plaintiffs and other class members have suffered harm.

148. Sony BMG's policies and practices are unlawful, unethical, oppressive, fraudulent and malicious. The gravity of the harm to all consumers from Sony BMG's policies and practices far outweighs any purported utility those policies and practices have.

149. Pursuant to Civil Code section 1780(a), Plaintiffs seek an order enjoining Defendant from engaging in the methods, acts or practices alleged herein, including an order enjoining the defendant from continuing to sell and market XCP and MediaMax CDs and continuing to disclaim the risks of using such CDs.

150. Pursuant to Civil Code section 1782, on November 14, 2005, Plaintiffs notified Sony BMG of its commission of unlawful acts under Civil Code section 1770, specifying the particular violations, and demanded that Sony BMG rectify its illegal acts within 30 days. The demand letter requested that Sony BMG compensate consumers for computer problems related to the XCP and MediaMax software.

151. On November 18, 2005, Sony BMG responded. In its response, Sony BMG did not agree to provide compensation or to discuss a process for assessing claims. Therefore, Plaintiffs and the Class also request (a) actual damages; (b) restitution of money to Plaintiffs and Class members; (c) punitive damages; (d) attorneys' fees and costs; and (e) other relief that this Court deems proper.

SECOND CLAIM FOR RELIEF
(Violation of California Business and Professions Code Section 17200)

152. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.

153. Plaintiffs and the Class have suffered injury in fact and lost money or property as a result of such unfair competition. Such injuries and losses include, but are not limited to, computer damage, time and effort spent identifying and attempting to remove the damaging software, loss of use of the ability to listen to the music on the CDs, and the purchase price of the CDs.

154. Sony BMG has engaged in unfair, unlawful and fraudulent business practices as set forth above.

155. By engaging in the above-described acts and practices, Sony BMG has committed one or more unfair business practices within the meaning of Bus. & Prof. Code §17200, et seq. Specifically, Sony BMG's business practices offend the public policies set forth in California Constitution Art. 1, section 1; Civil Code sections 1750 et seq (Consumer Legal Remedies Act); Business and Professions Code section 22947 (Consumer Protection Against Computer Spyware Act); Business and Professions Code section 17500 et seq.; Business and Professions Code sections 22575-579 (Online Privacy Protection Act); and California Penal Code section 502.

156. Sony BMG's above-described deceptive and misleading acts and practices have and/or are likely to deceive Plaintiffs and other Class members.

157. Sony BMG's acts and practices are also unlawful because they violate Civil Code sections 1750 et seq (Consumer Legal Remedies Act); Business and Professions Code section 22947 (Consumer Protection Against Computer Spyware Act); and California Penal Code section 502.

158. Specifically, Sony BMG marketed and sold the XCP and MediaMax CDs in defective condition and deceptively failed to disclose their defects as described above; advertised its XCP and MediaMax CDs with intent not to sell them as advertised; represented that the purchase and/or use of its XCP and MediaMax CDs confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law; inserted several unconscionable provisions into the EULA that accompanies the XCP and MediaMax CDs infected with the XCP and MediaMax software; took control and modified the settings of user's computers, collected personally identifiable information about users, tracked users as they listen to the CDs and attempted to prevent users from blocking or disabling the XCP and MediaMax software; violated the implied covenant of good faith and fair dealing; and failed to comply with the implied warranty of merchantability.

159. Plaintiffs and the Class have suffered injury in fact and have lost money or property as a result of such unfair competition.

160. Plaintiffs, on behalf of themselves and on behalf of the Class, seek an order of this Court awarding restitution, disgorgement, injunctive relief and all other relief allowed under §17200, et seq.

THIRD CLAIM FOR RELIEF
(Breach of Implied Covenant of Good Faith and Fair Dealing)

161. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.

162. California law implies a covenant of good faith and fair dealing in all contracts between parties entered into in the State of California.

163. By engaging in above-described acts and practices, Sony BMG has violated the implied covenant of good faith and fair dealing in the consumer's purchase of the XCP and MediaMax CDs.

164. By engaging in the above-described acts and practices, Sony BMG has caused Plaintiffs and the Class to suffer damages in an amount to be determined at trial.

FOURTH CLAIM FOR RELIEF
(False or Misleading Statements)

165. Plaintiffs incorporate the allegations set forth above by references, as if set forth fully herein.

166. Through its advertising practices, promotional materials, packaging, EULA, public statements, and other acts and practices described herein, Sony BMG has made untrue and misleading statements and omitted material facts in violation of California Business and Professions Code §§17500, et seq.

167. The misrepresentations, omissions and other misleading conduct described herein concerning the XCP and MediaMax CDs were "likely to deceive." These misrepresentations and omissions continue to this date.

168. Sony BMG knows or should know that these misrepresentations and omissions concerning the XCP and MediaMax CDs are false and misleading.

169. Plaintiffs and the Class were actually deceived by the misrepresentations and omissions.

170. Plaintiffs and the Class relied on these misrepresentations and omissions to their detriment.

171. Plaintiffs and the Class have been harmed. Plaintiffs, on behalf of themselves and on behalf of the Class seek restitution, disgorgement, injunctive relief and all other relief allowable under §17500, et seq.

PRAYER FOR RELIEF

172. For compensatory damages in an amount to be proven at trial.

173. For restitution and disgorgement of profits realized as a result of the unlawful conduct of defendants.

174. For any treble and/or punitive damages to the extent permitted by law.

175. For equitable relief, including but not limited to, requiring Sony BMG to:

a) Notify consumers, through widespread publicity, of the potential security and other risks associated with the XCP and MediaMax technology, to allow consumers to make informed decisions regarding their use of those CDs. The notification process should include issuing a public statement describing the risks associated with both XCP and MediaMax software and listing every Sony BMG CD, DVD or other product that contains MediaMax software. In addition, Sony BMG must use the banner communication system incorporated in its software to advise consumers that refunds and uninstall software is available. The notifications must be reasonably calculated to reach all consumers who have purchased the products.

b) Cooperate fully with any interested manufacturer of anti-virus, anti-spyware, or similar computer security tools, and with security researchers, to facilitate the identification and complete removal of both XCP and MediaMax software from the computers of those infected. Among other actions, Sony BMG should publicly waive any claims it may have against such vendors or researchers under the EULA, the Digital Millennium Copyright Act (DMCA) and any similar laws.

c) Refund the purchase price of the CDs containing XCP technology for those consumers who prefer a refund to a replacement CD.

d) Refund the purchase price of the CDs containing MediaMax technology or, at the consumer's election, provide a replacement CD that does not contain the MediaMax technology. For those consumers who choose to retain CDs containing the MediaMax technology, develop and make widely available a software update that will allow consumers to easily uninstall the technology without losing the ability to play the CD on their computers, without causing further damage to their computers, and without revealing any personally identifying information.

e) To avoid future abuses, prior to releasing any future product containing technology with similar functions, thoroughly test the software to determine the existence of any security risks or other possible damages the technology might cause to any user's computer AND certify in a statement included in the packaging of every CD containing the technology that the product does not contain any concealed software such as the XCP rootkit, does not electronically communicate with Sony BMG or any other party nor initiate the download of any software update or other data without informed consent of the consumer immediately prior to each communication, can be uninstalled without any need to contact and/or disclose personal information to Sony BMG or its affiliates and agents, does not present any security risks to any consumer's computer, and will not damage or reduce the functionality of the consumer's computer in any way.

176. For the award to Plaintiffs of their attorneys' fees and other costs of suit.

177. For such other and further relief as the Court deems just and equitable.

DATED: November 21, 2005

GREEN WELLING LLP

By: Robert S. Green

Jenelle Welling
Avin P. Sharma
[address, phone, fax]

Cindy Cohn
Fred von Lohmann
Kurt Opsahl
Corynne McSherry
ELECTRONIC FRONTIER FOUNDATION
[address, phone, fax]

Reed R. Kathrein
Shanna Scarlett
LERACH COUGHLIN STOIA GELLER RUDMAN & ROBBINS LLP
[address, phone, fax]

Lawrence E. Feldman
LAWRENCE E. FELDMAN & ASSOCIATES
[address, phone, fax]

Attorneys for Plaintiffs

EFF's Sony Complaint - as text | 130 comments
Comments belong to whoever posts them. Please notify us of inappropriate comments.
Country code is de-facto standard on DVDs
Authored by: Anonymous on Wednesday, November 23 2005 @ 08:54 PM EST
I hope EFF wins against Sony then uses this as a precedent to force Hollywood
& Co to remove the country code from DVDs.

[ Reply to This | # ]

Ownership and bankruptcy
Authored by: Yossarian on Wednesday, November 23 2005 @ 08:54 PM EST
>nor must you turn it in if you go bankrupt.
>What lawyer thought that one up? And why?

There are two issues about bankruptcy:
1) If you sue somebody in bankruptcy then winning the
trial is just the beginning, then you have to join the
queue of creditors and wait. As a result, somebody in
bankruptcy may duplicate the CD, many times, without
losing anything.

2) The right of the creditors may compromise other
people's rights. E.g. the issue of privacy; see
http://leahy.senate.gov/press/200007/000712.html
If the bankruptcy confiscates your CDs it is not all
that clear that the creditor has to obey the EULA.
Sony plugged this hole by the above item.

[ Reply to This | # ]

EFF's Sony Complaint - as text
Authored by: Anonymous on Wednesday, November 23 2005 @ 09:03 PM EST
Thanks PJ.

What I enjoyed the most was the truthfulness and accuracy of it.

And this is just the beginning. There is more about the SONY DRM to surface
later.

[ Reply to This | # ]

Canadian Class Action Suit.
Authored by: Concerned_Can on Wednesday, November 23 2005 @ 09:03 PM EST
Link to law firm in Canada who is researching the matter and looking for people who live there and who bought one of these CDs: http://www.rootkitclassaction.com/

[ Reply to This | # ]

Bankruptcy Clause
Authored by: Anonymous on Wednesday, November 23 2005 @ 09:06 PM EST
Why the Bankruptcy Clause? While you are in bankruptcy, you are immune to RIAA
claims of special damages. The bankruptcy court will always favor real debt over
made-up liabilities.

[ Reply to This | # ]

When it's over
Authored by: Anonymous on Wednesday, November 23 2005 @ 10:00 PM EST
Sony will raise CD prices, give top management a raise and charge the artists
for defending their rights in Court. Wait and see.

And, no, this is not a joke or troll. It's an observation based on past
practice.

[ Reply to This | # ]

My experiments with MediaMax
Authored by: free980211 on Wednesday, November 23 2005 @ 10:24 PM EST
I have been affected by the MediaMax DRM, and noticed some disturbing problems while researching this whole fiasco. I initially noticed two things:

1. I never agreed to the EULA and the sbcphid driver was loaded permanently onto my system. I have duplicated this!

2. I found system restore turned off, and attributed it to the MediaMax installation. This has NOT been duplicated, and was probably caused by something else.

The full details of how I duplicated the sbcphid driver getting onto my system:

On a fresh install of WinXP SP2, I put my cd (David Gray, Life in Slow Motion) into the cd drive and allowed MediaMax to do its thing. I declined the EULA and the cd ejected. The files were copied onto my hard drive and I verified the driver was running.

I removed the cd and re-booted the computer. I verified that the driver was present but not running. This all jibes with what has been published about how the software works.

I then inserted the cd again. MediaMax appeared to initialize, but the EULA never appeared again. I checked the driver and it was running. I then ejected the cd and re-booted the computer. Now when I check the driver, it is running automatically, despite never having agreed to the EULA or the supplied player program.

At this point, I ran out of energy and went to bed (I'm working the night shift this week).

Think the EFF or their lawyers might be interested in these findings? If so, who do I contact?

I'm very glad that the EFF recognized the problems with this software and seemingly has placed it at the forefront of their lawsuit. I kinda felt like this one was going to slip under the radar, even though I knew from my own experiences that something was definitely not right about it.

[ Reply to This | # ]
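The step-by-step driver checks described in the comment above can be recorded and compared mechanically. The following is an added example, not part of the comment or of the complaint: it parses the `STATE` and `START_TYPE` fields that Windows' `sc query` and `sc qc` print, and reports every driver change observed while no EULA had been accepted. The captured text, the `START_TYPE` values and the step labels are constructed assumptions chosen to match what the commenter reports.

```python
import re

FIELD = re.compile(r"^\s*(STATE|START_TYPE)\s*:\s*\d+\s+(\w+)", re.MULTILINE)
LOADS_AT_BOOT = {"BOOT_START", "SYSTEM_START", "AUTO_START"}

def parse_sc(text):
    """Pull STATE and START_TYPE out of `sc query` + `sc qc` output for one service."""
    fields = dict(FIELD.findall(text))
    return {"state": fields.get("STATE"), "start_type": fields.get("START_TYPE")}

def sc_text(state, start_type):
    # Constructed stand-in that follows the field layout `sc` prints.
    return ("SERVICE_NAME: sbcphid\n"
            "        TYPE               : 1  KERNEL_DRIVER\n"
            f"        STATE              : {state}\n"
            f"        START_TYPE         : {start_type}\n")

NOT_INSTALLED = "[SC] OpenService FAILED 1060:\n"  # what sc prints for an unknown service

# (step, EULA accepted so far?, captured text). The values are assumptions chosen
# to match what the comment reports; they are not captures from a real system.
STEPS = [
    ("fresh install", False, NOT_INSTALLED),
    ("first insert, EULA declined", False, sc_text("4  RUNNING", "3   DEMAND_START")),
    ("after first reboot", False, sc_text("1  STOPPED", "3   DEMAND_START")),
    ("second insert, no EULA shown", False, sc_text("4  RUNNING", "3   DEMAND_START")),
    ("after second reboot", False, sc_text("4  RUNNING", "2   AUTO_START")),
]

def audit(steps):
    """Return (step, finding) pairs for driver changes seen without consent."""
    findings = []
    prev = {"state": None, "start_type": None}
    for step, consented, text in steps:
        cur = parse_sc(text)
        if not consented:
            if cur["start_type"] and not prev["start_type"]:
                findings.append((step, "driver installed"))
            if cur["state"] == "RUNNING" and prev["state"] != "RUNNING":
                findings.append((step, "driver started"))
            if (cur["start_type"] in LOADS_AT_BOOT
                    and prev["start_type"] not in LOADS_AT_BOOT):
                findings.append((step, "driver set to load at boot"))
        prev = cur
    return findings

if __name__ == "__main__":
    for step, finding in audit(STEPS):
        print(f"{step}: {finding}")
```

On a real test machine, replace each constructed string with the saved output of `sc query sbcphid` followed by `sc qc sbcphid`, captured at the corresponding step.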

OT here
Authored by: free980211 on Wednesday, November 23 2005 @ 10:32 PM EST
even I finally learned how to do the links... :-)

[ Reply to This | # ]

Corrections go here
Authored by: free980211 on Wednesday, November 23 2005 @ 10:34 PM EST
sorry, nothing witty to say.

[ Reply to This | # ]

Bad EULA and timeliness of complaint
Authored by: Totosplatz on Wednesday, November 23 2005 @ 10:46 PM EST

We have all seen how in court if you fail to assert some claim that the door can slam shut. I wonder about the EULA with the Sony CDs, and the fact that it has been the EULA for close to two years and until now no one has complained, as far as I know at least.

To the lawyerly types, is this a possible defense for Sony, that people have accepted the EULA without complaint for years and so life is hard and then you die but no complaints about our EULA?

Curious. Thanks.

---
All the best to one and all.

[ Reply to This | # ]

"collecting personal information"
Authored by: Anonymous on Wednesday, November 23 2005 @ 10:50 PM EST
I'm not sure that looking up information based on the CD playing rates as
collecting personal information.

Sure, it would be possible to record the IP address and title for example, but
it also need not record anything to perform the tasks that it does.

[ Reply to This | # ]

EFF's Sony Complaint - as text
Authored by: Anonymous on Wednesday, November 23 2005 @ 11:32 PM EST
More questions than answers.

[ Reply to This | # ]

Only in the US?
Authored by: Winter on Thursday, November 24 2005 @ 01:40 AM EST
Could the provision that you cannot use the CD out of the US be linked to the
strict privacy laws in other countries?

It is HIGHLY illegal to collect identifiable personal information in the EU.
Especially if you ship the data outside of the EU.

Several US companies, eg, Lucent, got into deep troubles by processing their EU
employee databases in the US.

Rob

---
"news is what someone, somewhere, wants to
suppress; everything else is advertising" Anonymous Journalist

[ Reply to This | # ]

Fair Price for a CD - $5.00
Authored by: SpaceLifeForm on Thursday, November 24 2005 @ 02:30 AM EST
Sounds fair to me.

[ Reply to This | # ]

EFF's Sony Complaint - as text
Authored by: Anonymous on Thursday, November 24 2005 @ 03:31 AM EST
Why isn't the EFF going after Sony regarding the GPL code presumably found
in the rootkit?

[ Reply to This | # ]

Privacy Aspects
Authored by: Anonymous on Thursday, November 24 2005 @ 04:09 AM EST
By wHo not logged in (note to self - find password for Groklaw in backups)
I note that the requirement for consumers wishing to remove these insidious
programmes installed from SONY CD-like discs to give their details which may be
used for SONY's marketing or given to others was pleaded but, unless I missed
it, no relief such as requiring they destroy that information was pleaded.
No idea on USA privacy law, but certainly were it in Australia (and given we
allow 'parallel imports' it may be notwithstanding the local SONY saying they
didn't distribute these) and any of the EU countries the privacy breach may be a
big player.

[ Reply to This | # ]

What about the personal data they have already collected?
Authored by: Anonymous on Thursday, November 24 2005 @ 04:53 AM EST
I didn't see any requirement for Sony to remove any data they may have collected
as a result of their actions.

Would this data allow Sony to assist the RIAA in their pursuit of alleged
"pirates"?

rgds

[ Reply to This | # ]

Return of the tort lawyer?
Authored by: Nick_UK on Thursday, November 24 2005 @ 08:02 AM EST
I hear on the grapevine that a law firm in Canada is researching the matter and looking for people who live there and who bought one of these CDs.

So, are the tort lawyers creeping out of the woodwork here?

Nick

[ Reply to This | # ]

Computer crime?
Authored by: kattemann on Thursday, November 24 2005 @ 08:58 AM EST
It seems to me that the rootkit installation breaks computer crime laws all over the place. Oregon comes to mind - "altering a computer without authorization", among others.

Any chance that some jurisdiction will prosecute Sony/BMG on criminal charges? I do know that if an XCP CD is found here in Norway the local EFF affiliate will try to get criminal proceedings started.

[ Reply to This | # ]

Copyright & GPL violations....
Authored by: kberrien on Thursday, November 24 2005 @ 10:03 AM EST
Has anyone heard if there is any movement on the GPL/LGPL violations? The irony
and PR value of all that just has to be pushed out into the mainstream press via
a lawsuit!

[ Reply to This | # ]

Music Industry Damage
Authored by: Anonymous on Thursday, November 24 2005 @ 12:07 PM EST
Well, it finally happened. Neil Diamond released a new CD
and being a huge fan I had to have a copy. But it is being
released with XCP from Sony. Knowing the damage this can
cause it just isn't worth buying the CD, which is truly a
shame because I really want it.

It's hard to believe the music industry doesn't understand
the connection between treating me as a criminal, damaging
my computer, and forcing me to forgo one of my favorite
artists. Anyway, they've lost one guaranteed sale.

[ Reply to This | # ]

EFF's Sony Complaint - as text
Authored by: jsusanka on Thursday, November 24 2005 @ 12:37 PM EST
What I want to know is if any people have lost their job because they wanted to
listen to some music while they worked and put the root kit on their box at
work, and so the IT department fired them because their policy restricts it
but not playing music through their computer, so they thought they weren't doing
anything wrong.

[ Reply to This | # ]

Usage at work
Authored by: davcefai on Thursday, November 24 2005 @ 03:04 PM EST
The clause in the EULA forbidding using the CD at work could be taken to
indicate that Sony KNEW that the rootkit compromised security.

It is possible that this clause was inserted to fend off lawsuits by companies,
who have more resources than individuals and a lot more to lose if their systems
are trashed by malware.

[ Reply to This | # ]

Like a 12 year old kid is going to understand a 3000 word EULA ..
Authored by: darkonc on Thursday, November 24 2005 @ 06:04 PM EST
Kids, pre-teens and young teenagers purchase these things and play them on their parents' computers. If Sony expects the EULA to be binding, they should restrict them to only be purchased by people over the age of majority.

They seem to think that it's completely normal for me to hire a lawyer to read a 3000 word license agreement every time my niece goes out and buys a CD -- or, god forbid, borrows it from her friend.

I've seen shorter contracts for buying a house!

---
Powerful, committed communication. Touching the jewel within each person and bringing it to life..

[ Reply to This | # ]

What EULA?
Authored by: Anonymous on Friday, November 25 2005 @ 02:58 AM EST
Can somebody tell me why everybody who talks about this case acts as if the EULA actually means something? I was under the impression that the Uniform Commercial Code (UCC) forbade imposing extra conditions after money has changed hands. Thus, you should be able to click "I Accept" without committing to anything -- you had to click it to get what you paid for, the music -- so what it says above the button mustn't matter.

(Yes, I know about 2nd Circuit -- NY, VT, CT -- enforcing click-wrap, and MD which passed UCITA. If you live in one of those states, too bad. Is MD still UCITA, or did that expire?)

[ Reply to This | # ]

EFF's Sony Complaint - as text
Authored by: timycc on Friday, November 25 2005 @ 03:54 AM EST
Without this thorough complaint we could not know how bold and daring these
guys wished to challenge the law and fool their customers. I don't want these
CDs to ever come near my Windows computers. Even a computer expert will have no
confidence to deal with this kind of malice and remove such damage. $10000 per
user for compensation seems reasonable, even if that means bankruptcy of Sony
BMG. If they sue people in such self-righteous way, don't they need to be
careful so as not to tramp on other people's rights?
I don't know if there is any way to do meaningful DRM except deceptive way like
this. In a proprietary OS like Windows, it may be possible but can only be done by
the source owner, M$ itself. The fact Microsoft has not much success in this
area is quite telling. The promises Sony made in the first place, in the EULA,
and from their executives was like the wishes fulfilled in a dream, while when
they woke up the reality hit on their heads like a rock. The fact is that there
is simply no way to prevent the copying of the files on the CD, or files on the
Internet, period. Trying to challenge this limit will seriously hamper the
people's ability to use their own computers and bring us back to the dark ages.
Isn't the right to know the essential part of democratic life? And these guys
just want people to be idiots and sheep waiting to be slaughtered? Taking
advantage of people's inability to detect such unlawful behavior is crime in any
country I know. Thus they face a dilemma. The only people they can fool into the
scheme and harm are those most helpless, and law abiding. Those they want to
prevent know their trick long ago, or can easily bypass or fix the problem, and
still have their ways. How can a DRM scheme work if people can just tell others
not to autorun the CD and not to touch any software on the disk? Given the fame
now, it will become a common sense not to run any software on an audio CD. There
is no reason to run them anyway even if they are not DRMs. So why bother with
this idiotic scheme? And this is the price they have to pay for such ignorance,
or arrogance. All executives must know the limitation of their technologies
dearly so as not to make themselves fools or bankrupted.
Maybe some day a theorist can prove that DRM is incompatible with human freedom.
This is highly probable.

[ Reply to This | # ]

Leaving USA
Authored by: Anonymous on Monday, November 28 2005 @ 05:11 PM EST
Actually, I think I can understand this item. If they are using data
encryption, and the encryption algorithm is a controlled item via US Law, then
they may by law be required to prohibit use of the product if outside the US.

Never mind that when downloading stuff, there is currently no real way to verify
the downloader is a US citizen residing in the US.

[ Reply to This | # ]

  • Leaving USA - Authored by: Anonymous on Monday, November 28 2005 @ 05:21 PM EST
Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )