
Sony DRM

What Sony Did:

  • Blogger Mark Russinovich Breaks Story:
  • J. Alex Halderman on Freedom to Tinker Discovers More Issues:
    • SCMagazine:
      MediaMax, a digital rights management system Sony has used on CDs in addition to the now-shelved XCP technology, automatically installs over 12 MB of software before an end user license agreement is displayed, J. Alex Halderman said Monday on the "Freedom to Tinker" blog.

      Not a rootkit like XCP, MediaMax remains on Sony CDs after XCP was withdrawn, Halderman said. Estimates of how many CDs contain MediaMax have ranged as high as 20 million.

      "Part of the software that MediaMax installs is a driver meant to interfere with ripping and copying from protected discs," said Halderman, whose blog disclosed vulnerabilities created by the XCP uninstaller program earlier this month. "I had believed that MediaMax didn't permanently activate this driver – set it to run whenever the computer starts – unless the user accepted the license agreement. As it turns out, this belief was wrong, and things are even worse than I had thought."


  • The State of Texas v. Sony
    • Texas complaint as text
    • SC Magazine:
      State Attorney General Greg Abbott said this month that Sony may have violated the state Deceptive Trade Practices Act because CDs containing MediaMax technology secretly install files on PCs even if a user rejects an agreement.

      "We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music," said Abbott, a Republican. "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes."

      The state's amended lawsuit asserts that New York-based Sony failed to warn consumers of the harm MediaMax could cause PCs. Texas' Consumer Protection Against Computer Spyware Act of 2005 allows for civil penalties of $100,000 for each violation of the law.

    • press release and video of announcement
    • online complaint form
    • Texas amends complaint, adds MediaMax claims
  • EFF class action litigation in California
  • New York:
  • Italy: Sony faces police investigation into DRM code, Robert McMillan, Techworld.

  • California (Alexander William Guevara v. Sony BMG) class action lawsuit:
    • Complaint [PDF]
    • Suit Labels Sony Root of Cyber Evil:
      A class action lawsuit filed in a California court against Sony BMG alleges the music publisher included hidden software on a number of music CDs capable of wiping out users’ information and crippling their computers.

      The suit, which was filed on Nov. 1 by Alexander William Guevara, claims CDs containing Sony’s new XCP2 anti-piracy program can damage users’ computers. The software, called a “rootkit,” automatically installs on computers with Microsoft’s Windows program and hides deep in the computer where it can monitor activity and cause system crashes.

      Sony didn’t inform customers that its CDs contained the “rootkit” and it can’t be removed without damaging the infected computer, the suit charges.

  • FTC: Settlement announced, Jan. 2007.

  • Private Attorney General Class Action, D.C.:
    Finkelstein, Thompson & Loughran file a class action lawsuit against Sony BMG:
    Nov. 29 -- Private Attorney General Suit Filed in the District of Columbia Against Sony BMG Entertainment, LLC

    Finkelstein, Thompson & Loughran filed a lawsuit against Sony BMG Entertainment, LLC ("Sony") yesterday in connection with its use of so-called Digital Rights Management software on their music CDs. This suit was filed by a resident of the District of Columbia on behalf of the general public of the District.

    Sony has encoded over 24 million CDs, sold worldwide, with "spyware" programs that act as copyright protection software. The software programs include MediaMax, created by SunnComm Technologies, and Extended Copy Protection ("XCP"), created by First4Internet. Through its use of these technologies on CDs, Sony has created an anti-burning scheme that permanently and irreversibly alters the core Windows operating system. These alterations to a computer can later be used by "hackers" -- or Sony itself -- to take control of the user's computer without the user's knowledge or consent. While Sony has consistently stated that the software will not be used to collect personal information, the software is also used to transmit data about users to Sony through the Internet, thereby allowing Sony to track users' listening habits.

    The lawsuit was filed in the District of Columbia Superior Court under a provision in the District of Columbia's Consumer Protection and Procedures Act that allows a resident to act as a "private attorney general" and to seek relief on behalf of the general public. The suit alleges that Sony deceptively installed software on users' computers, compromised the security of users' computers and that Sony's purported attempts to curb the damage caused by its spyware programs have created even greater security risks for Sony's consumers.

    By surreptitiously encoding its CDs with XCP and MediaMax software for the purported purpose of securing its intellectual property, Sony has endangered the security of personal information for computer users throughout the District of Columbia. To date, nearly 5 million copies of the XCP encoded CDs, and nearly 20 million of the MediaMax encoded CDs, have been sold. District of Columbia residents have played these disks on their personal computers and thus have had their systems unwittingly compromised. To date, several viruses have been reported that exploit the weakness that was created by the surreptitious installation of the spyware on their computers. Consumers are at risk from these and future viruses that will destroy software and steal personal information.

    Sony initially stated that it planned to have all major new releases encoded with Digital Rights Management software and copy protected in 2006. Due to the current public backlash, and news of the virus piggy-backing on the XCP technology embedded by their CDs, Sony has since opted to "halt" or "suspend" the production of new CDs bearing the XCP technology. Nevertheless, Sony has refused to widely publicize its recall program to reach millions of XCP-infected customers, has failed to recall the MediaMax-infected CDs, has failed to compensate users whose computers were affected and has not eliminated the outrageous terms found in its End User Licensing Agreement (EULA). Sony is also facing at least six class action lawsuits nationwide and an action by the Texas Attorney General.

    Counsel for the Plaintiff is the law firm of Finkelstein, Thompson & Loughran. With offices in Washington, DC and San Francisco, CA, FTL has more than a decade of litigation experience in representing defrauded consumers nationwide. For more information about this lawsuit, please visit

  • Canada:



Dramatic graphics of who got infected
Russinovich wrote a book for Microsoft
Tape Defeats Rootkit
DRM Discredited at Sony
Sony's Patent on "Protection of Legitimate Software"
Public Knowledge's "What Every Citizen Needs to Know About DRM"
Linux for PlayStation2 on GPL
First4 Internet patent application
Sony's problem could enhance MS sales of Xbox 360
MediaMax gets new CEO from Sony BMG


First4 Internet worked with Symantec:
Note that the article referenced was later [at least by November 23, 2005] changed. Originally it read: "The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said."

It later reads: "The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk. The company's team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said."

Also a correction appears at the bottom of the page, which reads: "Correction: This story originally implied that Symantec approved First 4 Internet's "rootkit" software. It did not."

Microsoft initial response:

"Microsoft's Windows Defender and the Malicious Software Removal Tool [MSRT] have established objective criteria to determine what code will be classified for removal. We are evaluating the current situation to determine if any action from Microsoft is necessary," the spokesperson wrote in an e-mail statement.

However, Sony's actions have caught the attention of staff in Redmond, she said.

"We have invested considerable resources in the security of our products and processes. As such, we are concerned about any malware, including root kits, which targets our customers and negatively impacts the security, reliability and performance of their systems," the spokesperson said.

Sony's president of Global Digital Business, Thomas Hesse's immortal words:
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
CEO Howard Stringer Balancing Act.
Computer Associates to zap rootkit as malware
Sony to temporarily suspend
Sony provides uninstall instructions
Uninstall introduces security hole
Sony service pack
Sony Releases List of 52 CDs - also CERT advice about XCP: "Do not install software from sources that you do not expect to contain software, such as an audio CD."
Sony to Pull CDs
Amazon offers refunds
Sony's Misleading Apology by Michael Geist
Sony CDs and the Computer Fraud and Abuse Act, Ed Felten, Freedom to Tinker


Proposed Settlement Agreement in NY Class Action Litigation
EFF's Sony Complaint Includes MediaMax & Unconscionable EULA Claims - 11/21/05
Now It's Texas Suing Sony - 11/21/05
RIAA President on Sony's Rootkit: So What? Everybody Protects CDs - includes Cary Sherman, RIAA President statements
What About Sony's Downloadable Music? on Sony Connect - 11/19/05
More Sony DRM Hijinks - Now It's MediaMax - 11/15/05
MS' Reaction to Sony's Rootkit Raises Some Questions
Blogs, Customers & Sony's Rootkit

© Copyright 2005-2011 Pamela Jones

Last Updated Tuesday, February 22 2011 @ 11:57 PM EST


PJ's articles are licensed under a Creative Commons License.