Sony BMG Music Entertainment has agreed to settle charges with the U.S. Federal Trade Commission (FTC) related to the company’s inclusion of problematic copy-protection software in music CDs, the FTC said Tuesday.
The proposed agreement, which FTC commissioners approved unanimously, will be open for public comment between Tuesday and March 1. Then the FTC will decide whether to make it final.
The copy-protection software Sony shipped with music CDs created security risks for users and monitored their listening behaviour on their PCs without their permission, the FTC said.
The copy-protection software installed itself without users’ consent, was complicated to uninstall and limited the devices a CD could be played in, as well as the number of copies that could be made, the FTC said.
The FTC had alleged Sony BMG had violated federal law by selling music CDs with this type of hidden software.
Sony BMG agreed to settle the charges without admitting that it broke any laws. “We’re pleased to have reached this agreement with the FTC,” Sony BMG said in a prepared statement. A spokesman declined to comment any further.
An outcry erupted over Sony BMG’s inclusion of copy-protection software in music CDs in late 2005, when a security expert charged that the XCP (Extended Copy Protection) software used “rootkit” techniques, which are normally only used by hackers, to conceal itself on Windows systems.
Although Sony initially defended its use of the software, it eventually reversed its position, ceased production of XCP-enabled CDs and issued a recall for them after malicious “Trojan horse” programs were written to exploit the XCP code.
Also at issue was Sony’s use of another copy-protection software called MediaMax, which also installed itself on PCs without permission and surreptitiously collected and transmitted information about users’ activities. Sony didn’t recall MediaMax CDs, but issued a patch to remove it. An earlier version of MediaMax offered copy protection but didn’t create security risks nor monitored user activity.
In all, Sony shipped about 16 million music CDs containing either XCP or MediaMax software. First 4 Internet Ltd. made XCP, while MediaMax was created by SunnComm International Inc.
Under the proposed settlement, Sony BMG agrees to clearly disclose limitations on consumers’ use of music CDs and to never install software on consumers’ PCs without permission. The company also agreed to let consumers exchange the CDs in question until June 31, 2007 and reimburse consumers for up to CDN$177 to repair damaged caused by the software to their PCs. Consumers will be able to exchange CDs with the software purchased before Dec. 31, 2006 for new CDs free of content-protection software.
The settlement further forces Sony BMG to refrain from using the consumer information the software gathered for marketing purposes, like delivering ads to those consumers’ PCs. If Sony BMG CDs include this monitoring technology in the future, the company must clearly display on consumers’ PC screens how the technology works and ask for permission before transmitting any data back to Sony.
Sony BMG must also refrain from installing hidden copy-protection software and must provide a “reasonable and effective way” to uninstall any content-protection software. Furthermore, Sony BMG must, for two years, provide an uninstall tool and patches to repair the security problems the rootkit software created.
Finally, Sony BMG must give financial incentives to retailers to return the affected CDs, and for affected CDs it hasn’t placed with retailers yet, Sony BMG must disclose their restrictions and security vulnerabilities on the packaging.
Previously, Sony BMG settled a federal class action lawsuit in the U.S. covering related charges, as well as cases with U.S. states.
