Lawsuit Fights Back Against Sony DRM
Sony BMG's CD anti-piracy technology that sparked an outcry for its rootkit-like tactics has now entered the court system. A class-action lawsuit was filed on November 1 in California by consumers who say their computers were harmed by the hidden software, and a second suit was to be filed this week in New York.
The groups claim that Sony's digital rights management, which attempts to stop computer users from copying a CD's audio tracks to a hard drive, is invasive and damaging to computer systems. Sony employed technology from First 4 Internet that uses low-level Windows commands to hide the DRM and prevent its removal.
SysInternals' Mark Russinovich first reported on the software after his company's security tool recognized a "rootkit" on his machine. Rootkits are malicious applications that hide deep within an operating system to perform tasks without a user's knowledge. The technology can be used to cloak viruses and worms, or in this case, DRM.
Russinovich's report spread like wildfire across the Net and was quickly picked up by mainstream media. Sony responded with a statement claiming it no longer used the technology and offered instructions for customers explaining how to remove the hidden software from their PCs.
National Public Radio even covered the fiasco and interviewed Sony BMG's Global Digital Business President Thomas Hesse. But instead of apologizing for the snafu, Hesse only fueled the flames by commenting: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
The California lawsuit, filed in Superior Court for the County of Los Angeles by attorney Alan Himmelfarb, is asking the court to prevent Sony from using the technique in future CDs and requesting monetary compensation for all customers who purchased CDs containing the DRM rootkit.
Specifically, the suit claims that Sony has violated two California statutes designed to protect consumers from unfair and deceptive business practices, along with another law prohibiting the installation of spyware on an end-user's PC.
In a follow-up report, Russinovich discovered that Sony's DRM "phones home" to Sony's Web site. First 4 Internet responded saying, "No information is ever fed back or collected about the consumer or their activities." But Russinovich notes that, "Sony can make a record of each time their player is used to play a CD, which CD is played, and what computer is playing the CD."
Russinovich also discovered that the DRM software is poorly written and could cause system crashes -- often referred to as a Blue Screen of Death -- on Windows. "This flaw highlights my message that rootkits create reliability risks in addition to security risks," he said.
United States customers aren't the only ones upset with the situation. Italian digital rights advocacy group ALCEI-EFI has asked the Italian government to investigate Sony's actions.
Sony BMG is not commenting on the lawsuits.