The fallout over Sony BMG's XCP anti-piracy software continues. After the company agreed to recall millions of CDs with copyright-protection software that can leave computers vulnerable to hackers, it has been hit with two lawsuits over the issue, with several others potentially on the horizon.
On Monday, Texas became the first state to sue Sony BMG over the issue, claiming that the secretly embedded XCP software is basically spyware that leaves computers vulnerable to hackers.
According to the Houston Chronicle, Texas Attorney General Greg Abbott said the suit was filed under a new Texas state law forbidding such hidden tracking tools. Abbott said it's possible that tens of thousands of Texans might have been affected by the anti-piracy software.
Though the company claims the tracking technology was designed to prevent unlimited copying and unauthorized trading of music and doesn't track personal information, Abbott said he began to have suspicions about its real purpose when his investigation found that the hidden program remains active at all times.
"Sony has engaged in a technological version of cloak-and-dagger deceit against consumers by hiding secret files on their computers," Abbott said, citing the company's Web site, which lists 52 CDs with the software, including ones by everyone from former Phish leader Trey Anastasio to Switchfoot and Amerie.
"Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime."
On Friday, the company responded to the controversy by recalling all affected albums, but according to the Chronicle, Abbott's investigators could still find those discs in Texas stores as of Monday. Just over 2 million of the reported 4.7 million CDs embedded with the software have been sold.
A company spokesperson could not be reached for comment at press time, but Sony BMG's John McKay told the Chronicle, "While we don't comment on pending litigation, we are fully cooperating with the attorney general." The suit, which seeks $100,000 for each violation under the state's Consumer Protection Against Computer Spyware Act of 2005, is attempting to determine why Sony would have placed the software on computers for reasons other than tracking piracy violations. It is also possible that the suit could be amended to seek individual damage rewards for consumers under the Texas Deceptive Trade Practices Act, according to an aide to Abbott.
The Electronic Frontier Foundation, a nonprofit-free speech advocate, has filed a class-action suit against the company in Los Angeles County Superior Court — one of six class-action claims related to this software issue, according to The New York Times. The EFF suit demands that Sony BMG repair the damage done to consumer's computers by the software included in more than 24 million CDs, according to the organization's official Web site.
Even with the recall of CDs, EFF said, "These measures still fall short of what the company needs to do to fix the problems caused to customers by XCP," adding that another piece of potentially damaging Sony BMG anti-piracy software, MediaMax, affects more than 20 million CDs.
The suit claims that both technologies were installed on the computers of unsuspecting consumers when they put the CDs into machines running the Windows operating system. XCP was written in such a way that it hides itself on a computer's hard drive and, according to the EFF complaint, "degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG's servers."
Because the software is very difficult to remove, the only solution is to reformat the computer's hard drive, according to EFF. When Sony BMG offered a program to uninstall the XCP software, computer researchers found that the installer opened the machines up to even more dangerous security issues.
"Sony BMG has still refused to use its marketing prowess to widely publicize its recall program to reach the over 2 million XCP-infected customers," the complaint states, adding that the company has also failed to compensate users whose computers were affected. The suit also claims that MediaMax installs files on user's computers even if they click "no" on the user agreement, and there is no way to uninstall the software.
More ominously, according to the EFF, "The software transmits data about users to [the software's maker] SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits — even though the [user agreement] states that the software will not be used to collect personal information and SunnComm's Web site says 'no information is ever collected about you or your computer.'"
"Music fans shouldn't have to install potentially dangerous, privacy intrusive software on their computers just to listen to the music they've legitimately purchased," EFF Legal Director Cindy Cohn said. "Regular CDs have a proven track record — no one has been exposed to viruses or spyware by playing a regular audio CD on a computer. Why should legitimate customers be guinea pigs for Sony BMG's experiments?"
Sony said it has stopped manufacturing the discs embedded with the software and has asked retailers to stop selling them. Sony also offered fans replacements for the affected discs and MP3s of all the albums, and has said it is working on new procedures to safely remove the software.
For complete digital music coverage, check out the Digital Music Reports.