The EFF's complaint [PDF] is now available, and it's a beaut. They filed it as a class action in California, with two California firms (Green Welling, and Lerach, Coughlin, Stoia, Geller, Rudman & Robbins), and they include every charge you could think of. They even mention the warranty of merchantability. California has some laws that are useful, such as the Consumer Protection Against Computer Spyware Act and the Computer Legal Remedies Act, so they throw them in too. But this is the sentence I have not seen in any other complaint that made me happy:
The CDs also condition use of the music on unconscionable licensing terms.
At last, a direct confrontation regarding EULAs. Perhaps you saw the joke on IRQ about throwing a brick through a window with a EULA attached:
I will write on a huge cement block "BY ACCEPTING THIS BRICK THROUGH YOUR WINDOW, YOU ACCEPT IT AS IS AND AGREE TO MY DISCLAIMER OF ALL WARRANTIES, EXPRESS OR IMPLIED, AS WELL AS DISCLAIMERS OF ALL LIABILITY, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL, THAT MAY ARISE FROM THE INSTALLATION OF THIS BRICK INTO YOUR BUILDING."
That's an example of an unconscionable EULA, because no one except someone under improper pressure would say yes to such terms. That isn't all. EFF is suing not only over the rootkit, but over the MediaMax DRM too. That is a much bigger story than the rootkit, in that it affects, EFF says, over twenty million CDs -- ten times the number of CDs as the XCP software. Also, MediaMax wasn't written by the same firm as XCP, so it makes it harder for Sony to claim they didn't know the gun was loaded, so to speak. And EFF is asking the court to make Sony fix all the compromised computers.
EFF wrote Sony a letter asking them to rectify the mess they made, and Sony wrote back [PDF]. EFF wasn't satisfied with the Sony response, so they are asking the court to provide the relief they feel is due consumers:
In its response, Sony BMG did not agree to provide compensation or to discuss a process for assessing claims. Therefore, Plaintiffs and the Class also request (a) actual damages; (b) restitution of money to Plaintiffs and Class members; (c) punitive damages; (d) attorneys' fees and costs; and (e) other relief that this Court deems proper.
They also ask for an order enjoining Sony from engaging in the methods, acts or practices alleged herein, including an order enjoining Sony from continuing to sell and market XCP and MediaMax CDs and continuing to disclaim the risks of using such CDs.
One paragraph in the letter stands out:
Sony BMG encourages legitimate security research into copy protection technologies and, accordingly, Sony BMG will not assert claims under title 17 of the United States Code (or similar statutes in other countries) against legitimate security researchers who have been, are or will be working to identify security problems with copy protection technologies used on Sony BMG compact discs.
How do they define "legitimate security researchers"? And does the carefully worded statement mean they might sue illegitimate researchers? Is Mark Russinovich legitimate in Sony's eyes? I also note that Sony calls the CDs "enhanced" in paragraph 12. They still don't seem to get it.
I took some quick notes from the complaint, and I do mean quick, so don't expect word-for-word. Check the original for precision, please:
-- Sony BMG has engaged in deceptive practices, unlawful methods of competition and/or unfair acts as defined by Civ. Code Section 1770, to the detriment of Plaintiffs and the Class. Plaintiffs and members of the Class have suffered harm as a proximate result of the violations of law and wrongful conduct of Defendant alleged herein.
-- In violation of Civil Code section 1770(5), Sony has represented that its CDs have characteristics, uses or benefits which they do not have.
-- In violation of Civil Code section 1770(a)(9), Sony has advertised its CDs with intent not to sell them as advertised.
-- In violation of Civil Code section 1770(a)(14) Sony has represented that the purchase and/or use of its XCP and MediaMax CDs confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law.
-- In violation of Civil Code section 1770(a)(19), Sony has inserted several unconscionable provisions into the end-user license agreement that accompanies the XCP and MediaMax CDs.
-- Sony concealed material information regarding the XCP and MediaMax CDs, including but not limited to the existence of the rootkit program and its effects on users' computers and the lack of a reasonable way to uninstall the software in the event of security or privacy violations.
-- 148. Sony BMG's policies and practices are unlawful, unethical, oppressive, fraudulent and malicious.
-- 149. Pursuant to Civil Code section 1780(a), Plaintiffs seek an order enjoining Sony from engaging in the "methods, acts or practices alleged herein, including an order enjoining the defendant from continuing to sell and market XCP and MediaMax CDs and continuing to disclaim the risks of using such CDs."
-- 150. Pursuant to Civil Code section 1782, on November 14, 2005, Plaintiff notified Sony BMG of its commission of unlawful acts under Civil Code section 1770, specifying the particular violations, and demanded that Sony BMG rectify its illegal acts within 30 days. The demand letter requested that Sony BMG compensate consumers for computer problems related to the XCP and MediaMax software.
-- 151. On November 18, 2005, Sony BMG responded. In its response, Sony BMG did not agree to provide compensation or to discuss a process for assessing claims. Therefore, Plaintiffs and the Class also request (a) actual damages; (b) restitution of money to Plaintiffs and Class members; (c) punitive damages; (d) attorneys' fees and costs; and (e) other relief that this Court deems proper.
Second Claim for Relief (Violation of California Business and Professions Code Section 17200)
-- 153. Plaintiffs and the Class have suffered injury in fact and lost money or property, such as computer damage, time and effort spent identifying and attempting to remove the damaging software, loss of use of the ability to listen to the music on the CDs, and the purchase price of the CDs.
-- 158. Specifically, Sony BMG marketed and sold the XCP and MediaMax CDs in defective condition and deceptively failed to disclose their defects as described above; advertising its XCP and MediaMax CDs with intent not to sell them as advertised; represented that the purchase and/or use of its XCP and MediaMax CDs confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law; inserted several unconscionable clauses into the EULA that accompanies the XCP and MediaMax CDs infected with the XCP and MediaMax software; took control and modified the settings of users' computers, collected personally identifiable information about users, tracked users as they listen to the CDs and attempted to prevent users from blocking or disabling the XCP and MediaMax software; violated the implied covenant of good faith and fair dealing; and failed to comply with the implied warranty of merchantability.
-- Relief: an order awarding restitution, disgorgement, injunctive relief and all other relief allowed under Section 17200, et seq.
-- 3rd claim for relief, Breach of Implied Covenant of Good Faith and Fair Dealing
-- 4th: False and Misleading Statements
See what I mean? Very thorough. And here is the EFF press release.
SonyBMG Litigation and Rootkit Info
By including a flawed and overreaching computer program in over 20 million music CDs sold to the public, Sony BMG has created serious security, privacy and consumer protection problems that have damaged music lovers everywhere.
At issue are two software technologies - SunnComm's MediaMax and First4Internet's Extended Copy Protection (also known as XCP) - which Sony BMG claims to have placed on the music CDs to restrict consumer use of the music on the CDs but which in truth do much more, including monitoring customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms in the End User Licensing Agreement (EULA).
After a series of embarrassing public revelations about security risks associated with the XCP software, including warnings issued by the United States Government, Microsoft and leading anti-virus companies, Sony BMG has taken some steps to respond to the security risks created by the XCP technology. Sony BMG has failed, however, to address security concerns raised by the MediaMax software or the consumer privacy and consumer fairness problems created by both technologies.
Problems with XCP
Security researchers have shown that the XCP technology was designed to have many of the qualities of a "rootkit." It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, it degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers. The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer's hard drive as the only solution. When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the installer itself opened even more security vulnerabilities in users' machines.
Problems with MediaMax
The MediaMax software, which is included on over 20 million Sony BMG CDs, has different, but similarly troubling problems. It installs on the users' computers even if they click "no" on the EULA, and does not include a way to uninstall the program. The software transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits -- even though the EULA states that the software will not be used to collect personal information and SunnComm's website says "no information is ever collected about you or your computer."
If users repeatedly request an uninstaller for the MediaMax software, they are eventually provided one. But they first have to provide more personally identifying information. Worse, security researchers recently determined that SunnComm's uninstaller creates significant security risks for users, as the XCP uninstaller did.
EFF's Open Letter
On November 14, 2005, EFF wrote an Open Letter to Sony BMG, asking the company to publicly commit to fixing the problems it has caused for its music fans and take steps to reassure the public that its future CDs will respect its customers' ownership of their computer. Among the make-good measures recommended by EFF: a recall of all XCP and SunnComm MediaMax-infected CDs, from both consumers and store shelves; a guarantee to repair, replace, or refund the purchase price of the CDs to anyone who bought the merchandise; and a major publicity campaign warning about the security risks of XCP and SunnComm MediaMax. EFF also asked Sony BMG to pay all consumer costs associated with the damage caused by the XCP or SunnComm MediaMax technology and compensate people for the time, effort, and expense required to verify that their computer was or was not infected with the rootkit.
Sony BMG's Response
Initially Sony BMG denied there was a problem, saying the XCP rootkit "component is not malicious and does not compromise security." Thomas Hesse, President of Sony BMG's global digital business division, asked in an interview for a National Public Radio "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
After receiving harsh public criticism and EFF's Open Letter, Sony BMG took strong steps in acknowledging the security harm caused by the XCP CDs, including a recall of the infected discs. However, these measures still fall short of what the company needs to do to fix the problems caused to customers by XCP, including both privacy problems and fixing its outrageous EULA. See Sony BMG's November 18, 2005, written response to EFF's Open Letter here [PDF].
Critically, Sony BMG has still refused to refund the cost of CDs to consumers or even widely publicize its recall program using its powerful marketing abilities, or to compensate consumers whose computers have been affected. And, Sony has not agreed to eliminate the outrageous terms found in their EULA.
Moreover, Sony BMG has failed entirely to respond to concerns about MediaMax, which affects over twenty million CDs -- ten times the number of CDs as the XCP software.