Posted on 11/22/2005 11:30:16 AM PST by ShadowAce
The EFF's complaint [PDF] is now available, and it's a beaut. They filed it as a class action in California, with two California firms, (Green Welling, and Lerach, Coughlin, Stoia, Geller, Rudman & Robbins), and they include every charge you could think of. They even mention the warranty of merchantability. California has some laws that are useful, such as the Consumer Protection Against Computer Spyware Act and the Computer Legal Remedies Act, so they throw them in too. But this is the sentence I have not seen in any other complaint that made me happy:
The CDs also condition use of the music on unconscionable licensing terms.
At last, a direct confrontation regarding EULAs. Perhaps you saw the joke on IRQ about throwing a brick through a window with a EULA attached:
I will write on a huge cement block "BY ACCEPTING THIS BRICK THROUGH YOUR WINDOW, YOU ACCEPT IT AS IS AND AGREE TO MY DISCLAIMER OF ALL WARRANTIES, EXPRESS OR IMPLIED, AS WELL AS DISCLAIMERS OF ALL LIABILITY, DIRECT, INDIRECT, CONSEQUENTIAL OR INCIDENTAL, THAT MAY ARISE FROM THE INSTALLATION OF THIS BRICK INTO YOUR BUILDING."
That's an example of an unconscionable EULA, because no one except someone under improper pressure would say yes to such terms. That isn't all. EFF is suing not only over the rootkit, but over the MediaMax DRM too. That is a much bigger story than the rootkit, in that it affects, EFF says, over twenty million CDs -- ten times the number of CDs as the XCP software. Also, MediaMax wasn't written by the same firm as XCP, so it makes it harder for Sony to claim they didn't know the gun was loaded, so to speak. And EFF is asking the court to make Sony fix all the compromised computers.
EFF wrote Sony a letter asking them to rectify the mess they made, and Sony wrote back [PDF]. EFF wasn't satisfied with the Sony response, so they are asking the court to provide the relief they feel is due consumers:
In its response, Sony BMG did not agree to provide compensation or to discuss a process for assessing claims. Therefore, Plaintiffs and the Class also request (a) actual damages; (b) restitution of money to Plaintiffs and Class members; (c) punitive damages; (d) attorneys' fees and costs; and (e) other relief that this Court deems proper."
They also ask for an order enjoining Sony from engaging in the methods, acts or practices alleged herein, including an order enjoining Sony from continuing to sell and martket XCP and MediaMax CDs and continuing to disclaim the risks of using such CDs.
One paragraph in the letter stands out:
Sony BMG encourages legitimate security research into copy protection technologies and, accordingly, Sony BMG will not assert claims under title 17 of the United States Code (or similar statutes in other countries) against legitimate security researchers who have been, are or will be working to identify security problems with copy protection technologies used on Sony BMG compact discs.
How do they define "legitimate security researchers"? And does the carefully worded statement mean they might sue illegitimate researchers? Is Mark Russinovich legimitate in Sony's eyes? I also note that Sony calls the CDs "enhanced" in paragraph 12. They still don't seem to get it.
I took some quick notes from the complaint, and I do mean quick, so don't expect word-for-word. Check the original for precision, please:
-- Sony BMG has engaged in deceptive practices, unlawful methods of competition and/or unfair acts as defined by Civ. Code Section 1770, to the detriment of Plaintiffs and the Class. Plaintiffs and members of the Class have suffered harm as a proximate result of the violations of law and wrongful conduct of Defendant alleged herein.
-- In violation of Civil Code section 1770(5), Sony has represented that its CDs have characteristics, uses or benefits which they do not have.
-- In violation of Civil Code section 1770(a)(9), Sony has advertised its CDs with intent not to sell them as advertised.
-- In violation of Civil Code section 1770(a)(14) Sony has represented that the purchse and/or use of its XCP and MediaMax CDs confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law.
-- In violation of Civil Code section 1770(a)(19), Sony has inserted several unconscionable provisions into the end-user license agreement that accompannies the XCP and MediaMax CDs.
-- Sony concealed material information regarding the XCP and MediaMax CDs, including but not limited to the existence of the rootkit program and its effects on users' computers and the lack of a reasonable way to uninstall the software in the event of security or privacy violations.
-- 148. Sony BMG's policies and practices are unlawful, unethical, oppressive, fraudulent and malicious.
-- 149. Pursuant to Civil Code section 1780(a), Plaintiffs seek an order enjoining Sony from engaging in the "methods, acts or practices alleged herein, including an order enjoining the defendant from continuing to sell and martket XCP and MediaMax CDs and continuing to disclaim the risks of using such CDs."
-- 150. Pursuant to Civil Code section 1782, on November 14, 2005, Plaintiff notified Sony BMG of its commission of unlawful acts under Civil Code section 1770, specifying the particular violations, and demanded that Sony BMG rectify its illegal acts within 30 days. The demand letter requested that Sony BMG compensate consumers for computer problems related to the XCP and MediaMax software.
-- 151. On November 18, 2005, Sony BMG responded. In its response, Sony BMG did not agree to provide compensation or to discuss a process for assessing claims. Therefore, Plaintiffs and the Class also request (a) actual damages; (b) restitution of money to Plaintiffs and Class members; (c) punitive damages; (d) attorneys' fees and costs; and (e) other relief that this Court deems proper.
Second Claim for Relief (Violation of California Business and Professions Code Section 17200)
-- 153. Plaintiffs and the Class have suffered injury in fact and lost money or property, such as computer damage, time and effort spent identifying and attempting to remove the damaging software, loss of use of the ability to listen to the music on the CDs, and the purchase price of the CDs.
-- 158. Specifically, Sony BMG marketed and sold the XCP and MediaMax CDs in defective condition and deceptively failed to disclose their defects as described above; advertising its XCP and MediaMax CDs with intent not to sell them as advertised; represented that the purchase and/or use of its XCP and MediaMax CDs confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law; inserted several unconscionable clauses into the EULA that accompanies the XCP and MediaMax CDs infected with the SCP and MediaMax software; took control and modified the settings of user's computers, collected personally identifiable information about users, tracked users as they listen to the CDs and attempted to prevent users from blocking or disabling the XCp and Media Max software; violated the implied covenant of good faith and fair dealing; and failed to comply with the implied warranty of merchantability.
-- Relief: an order awarding restitution, disgorgement, injunctive relief and all other relief allowed under Section 17200, et seq.
-- 3rd claim for relief, Breach of Implied Covenant of Good Faith and Fair Dealing
-- 4th: False and Misleading Statements
See what I mean? Very thorough. And here is the EFF press release.
************************
SonyBMG Litigation and Rootkit Info
By including a flawed and overreaching computer program in over 20 million music CDs sold to the public, Sony BMG has created serious security, privacy and consumer protection problems that have damaged music lovers everywhere.
At issue are two software technologies - SunnComm's MediaMax and First4Internet's Extended Copy Protection (also known as XCP) - which Sony BMG claims to have placed on the music CDs to restrict consumer use of the music on the CDs but which in truth do much more, including monitoring customer listening of the CDs and installing undisclosed and in some cases hidden files on users' computers that can expose users to malicious attacks by third parties, all without appropriate notice and consent from purchasers. The CDs also condition use of the music on unconscionable licensing terms in the End User Licensing Agreement (EULA).
After a series of embarrassing public revelations about security risks associated with the XCP software, including warnings issued by the United States Government, Microsoft and leading anti-virus companies, Sony BMG has taken some steps to respond to the security risks created by the XCP technology. Sony BMG has failed, however, to address security concerns raised by the MediaMax software or the consumer privacy and consumer fairness problems created by both technologies. Background
Problems with XCP
Security researchers have shown that the XCP technology was designed to have many of the qualities of a "rootkit." It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, it degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers. The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer's hard drive as the only solution. When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the installer itself opened even more security vulnerabilities in users' machines.
Problems with MediaMax
The MediaMax software, which is included on over 20 million Sony BMG CDs, has different, but similarly troubling problems. It installs on the users' computers even if they click "no" on the EULA, and does not include a way to uninstall the program. The software transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits -- even though the EULA states that the software will not be used to collect personal information and SunnComm's website says "no information is ever collected about you or your computer."
If users repeatedly request an uninstaller for the MediaMax software, they are eventually provided one. But they first have to provide more personally identifying information. Worse, security researchers recently determined that SunnComm's uninstaller creates significant security risks for users, as the XCP uninstaller did.
EFF's Open Letter
On November 14, 2005, EFF wrote an Open Letter to Sony BMG, asking the company to publicly commit to fixing the problems it has caused for its music fans and take steps to reassure the public that its future CDs will respect its customers' ownership of their computer. Among the make-good measures recommended by EFF: a recall of all XCP and SunnComm MediaMax-infected CDs, from both consumers and store shelves; a guarantee to repair, replace, or refund the purchase price of the CDs to anyone who bought the merchandise; and a major publicity campaign warning about the security risks of XCP and SunnComm MediaMax. EFF also asked Sony BMG to pay all consumer costs associated with the damage caused by the XCP or SunnComm MediaMax technology and compensate people for the time, effort, and expense required to verify that their computer was or was not infected with the rootkit.
Sony BMG's Response
Initially Sony BMG denied there was a problem, saying the the XCP rootkit "component is not malicious and does not compromise security." Thomas Hesse, President of Sony BMG's global digital business division, asked in an interview for a National Public Radio "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
After receiving harsh public criticism and EFF's Open Letter, Sony BMG took strong steps in acknowledging the security harm caused by the XCP CDs, including a recall of the infected discs. However, these measures still fall short of what the company needs to do to fix the problems caused to customers by XCP, including both privacy problems and fixing its outrageous EULA. See Sony BMG's November 18, 2005, written response to EFF's Open Letter here [PDF].
Critically, Sony BMG has still refused to refund the cost of CDs to consumers or even widely publicize its recall program using its powerful marketing abilities, or to compensate consumers whose computers have been affected. And, Sony has not agreed to eliminate the outrageous terms found in their EULA.
Moreover, Sony BMG has failed entirely to respond to concerns about MediaMax, which affects over twenty million CDs -- ten times the number of CDs as the XCP software.
"they include every charge you could think of" - GOOD !
I wouldn't say "nothing" -- we get some assurance that another company won't be trying this again, at least in the near future.
But if the lawyers get their hundreds of millions out of Sony's hide, the suit will do some good.
True but at least this is not a "I spilled coffe in my lap" lawsuit...
We have a right to make a backup copy of their defective product for personal use.
I personally could care less about "getting money" from this. OTOH, if there is malware being introduced to my machine (I would guess this is Windoze specific, so I am not sweating it much), then I want:
1) them to fix it by providing a removal tool that really works, and
2) them to pay out the wazoo to ensure that they don't try that kind of crap again, and that other companies don't do the same thing.
I would be happy with that even if I never got a dime.
Nope, the same CDs also have a file that installs Mac OS's own version of this virus/spyware: http://www.freerepublic.com/focus/f-news/1520354/posts
Though you are prompted to allow the installation on a Mac, but given how many people use to trust Sony, that could be quite a few people.
Not so, the Electronic Frontier Foundation who is leading the suit is a nonprofit advocate of computer rights, etc. They do good work and have made a fair amount of progress in other areas. Check them out at the above link.
They, I believe are also the only group attacking both of Sony's DRMs.
Electronic Frontier Foundation
From the Internet to the iPod, technologies of freedom are transforming our society and empowering us as speakers, citizens, creators, and consumers. These technologies are increasingly under attack, and the Electronic Frontier Foundation (EFF) is the first line of defense, protecting our civil liberties in the networked world. EFF broke new ground when it was founded in 1990—well before the Internet was on most people's radar—and continues to confront cutting-edge issues defending free speech, privacy, innovation, and consumer rights today. From the beginning, EFF has championed the public interest in every critical battle affecting digital rights.
Blending the expertise of lawyers, policy analysts, activists, and technologists, EFF achieves significant victories on behalf of consumers and the general public. EFF fights for freedom primarily in the courts, bringing and defending lawsuits even when that means taking on the US government or large corporations. By mobilizing more than 50,000 concerned citizens through our Action Center, EFF beats back bad legislation. In addition to advising policymakers, EFF educates the press and public. Sometimes just defending technologies isn't enough, so EFF also helps fund and build freedom-enhancing inventions.
EFF is a donor-funded nonprofit and depends on your support to continue successfully defending your digital rights. Litigation is particularly expensive; because two-thirds of our budget comes from individual donors, every contribution is critical to helping EFF fight —and win—more cases.
I hope they get a few million to advance the cause.
Actually, every 'artiste' who has an album released with this spyware on it should be sueing the bejezus out of Sony-san, too.
linux. nobody cares about us.
First time ever I have rooted for Lerach.
Actually, Sony/BGM has even screwed the open-source crowd because the spyware/virus program they use has pirated code from the famious open-source LAME-MP3 program.
So you linux users have not be left out in Sony/BGM's meddling.
Very good point. It would be interesting to know how many "artiste"s would understand just what is going on. Not the brightest bunch.
The most important aspect of this is the punishment of SONY. Everything else is relatively unimportant. Better a few lawyers make millions (which is a problem, but a different one) than for a standard to be set under which any company from which you buy a product may do anything it likes with your computer.
Oh they will when the lawyers are done making their calls.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.