• United States



Sony Agrees to Compensation for Rootkit Software

Jan 04, 20062 mins
CSO and CISOData and Information Security

Sony has agreed to pay limited compensation to U.S. and Canadian consumers who bought CDs containing the XCP rootkit-like copy protection software.

The agreement — yet to be legally finalized — will see the company offer a cash payment of US$7.50 plus one album download to any customer willing to return an affected CD to Sony, or who can provide proof of purchase.

Alternatively, customers can download up to three albums free of charge. Customers affected by a second copy protection system, MediaMax, are to be offered free downloads only.

Significantly, Sony has also agreed to submit to independent oversight of its digital rights management (DRM) development and the drafting of its end-user license agreements (EULAs) for a period of two years.

The settlement comes in response to a class-action lawsuit brought by a number of parties against Sony in November, after researcher Mark Russinovich revealed the company was installing copy protection software using cloaking or rootkit techniques

The software was extremely difficult to de-install, and could in certain circumstances make a user’s PC unstable and open to criminal hacking, it was claimed.

The total cost of the settlement is not known, but Sony BMG has admitted that 52 CDs used XCP, and 34 used MediaMax, all on CDs that shipped in the North America. All CDs affected by copy protection code will be recalled.

Sony BMG still faces legal action by at least one other plaintiff, the attorney general of the state of Texas. This suit alleges that Sony BMG broke the Texas Consumer Protection Against Computer Spyware (CPACS) Act.

It would also be possible to users who reckon their PCs have been rendered unstable or insecure by the copy protection system to sue individually.

By John E. Dunn –