Sony Pays $1.5M in Rootkit Lawsuits

Sony BMG Music Entertainment will pay US$1.5 million in penalties to settle lawsuits with two U.S. states over its controversial use of copy-protection software.

The settlements with the California and Texas attorneys general were announced Tuesday, seven months after the music giant settled a class-action lawsuit in the matter.

Sony’s trouble began in late 2005, when a computer science researcher disclosed that Sony had been shipping CDs with a copy-protection program that used dangerous “rootkit” techniques to cloak itself after installation. Sony licensed this software from First 4 Internet, based in Banbury, United Kingdom, but problems were also found with a second copy-protection program used by Sony. That software, called Media Max, was developed by SunnComm International of Phoenix.

Until Tuesday, Texas had been the only state with an outstanding lawsuit related to the rootkit fiasco, but other states’ attorneys general and the U.S. Federal Trade Commission had also been looking into the matter, according to Jeff McGrath, deputy district attorney with Los Angeles County, which participated in the California lawsuit.

Sony has now reached tentative settlements with more than a dozen other states, including Massachusetts and Nebraska, as well as the FTC, McGrath said. The FTC declined to comment on the matter.

The California lawsuit was both filed and settled on Tuesday.

Sony’s rootkit software shipped on an estimated 15 million CDs, bundled with music from artists such as Frank Sinatra, Celine Dion and Earl Scruggs.

Consumers were offered refunds as part of the May class-action agreement, but Tuesday’s settlements take additional steps by compensating them for damages caused by the rootkit code and “ensuring that this type of thing will not happen again,” McGrath said.

California and Texas consumers who believe that their computers were damaged by Sony’s software can receive up to $175 to cover repair costs. The agreements also force Sony to submit any software it ships with music CDs to third-party audits for the next five years.

Sony has created a website to address its rootkit settlement. That site is eventually expected to include instructions for consumers seeking refunds for their PC repairs.

These refunds will, for example, compensate users who had their CD drives trashed when AOL’s antispyware software tried to remove the First 4 files, said Paco Felici, a spokesman with the Texas attorney general’s office.

Since the rootkit fiasco, Sony has stopped shipping digital rights management software with its music CDs. However, if it does add this capability to future CDs, it must make this clear to customers.

“They’re requiring disclosures to consumers before sale on the CD packaging,” said Corynne McSherry, a staff attorney with the Electronic Frontier Foundation. “I think that’s really crucial. Part of the whole background of the rootkit fiasco was that consumers just didn’t know what they were getting into.”

A Sony spokesman declined to comment on investigations by the FTC and other states. “We are pleased to have reached agreements with the offices of the California and Texas Attorneys General,” he said, reading from a statement.By Robert McMillan, IDG News Service (San Francisco Bureau)Related content:• Rootkit Reality• Analyst Report: The Rootkit Problem• Digital Rights and Restrictions• Microsoft to Root Out Sony Spyware• Sony Patch Uncloaks Hidden DRM CodeKeep checking in at our Security Feed for updated news coverage.