December 29, 2005 9:12 AM PST

Sony settles 'rootkit' class action lawsuit

Sony BMG has struck a deal with the plaintiffs in a class action lawsuit over copy-restriction software it used in music CDs, according to a settlement document filed at a New York court Wednesday.

The record label has agreed to compensate buyers of CDs that contained the XCP and MediaMax DRM programs and to provide software utilities to allow consumers to uninstall both types of software from their computer.

The furor over Sony's DRM software began at the end of October when a U.S. programmer discovered that XCP software on a Sony music CD had installed copy-restriction software on his computer that was hidden using a rootkit. Antivirus companies later discovered Trojan horses that exploited this software to avoid detection and found that another type of Sony DRM, MediaMax, also posed a security risk.

During November a number of individuals filed cases against Sony at courts across America. These cases were granted class action status Dec. 1.

Sony BMG met lawyers from the firm handling the class action suit in early December and engaged in "virtual round-the-clock settlement negotiations", according to the settlement filing, which has been posted on the Sunbelt Software Web site.

In the settlement filing, Sony states that it will immediately recall all XCP CDs and replace them with non-content-protected CDs. It has also agreed to offer incentives to U.S. customers to "ensure that XCP CDs are promptly removed from the market." Sony first released details about its CD recall scheme in late November.

Customers who exchange their XCP CD can either download three albums from a list of over 200 titles, or claim a cash payment of $7.50 and a free download of one album. To claim this compensation, customers must return their XCP CDs to Sony or provide the company with a receipt showing they returned or exchanged the CD at a retailer after Nov. 14.

Sony is not recalling MediaMax CDs, but has agreed to compensate buyers of these albums by allowing them to download one free album, as well as offering them MP3 versions of the music on the MediaMax album.

The settlement filing is awaiting approval by the U.S. District Court for the Southern District of New York.

Ingrid Marson of ZDNet UK reported from London.


Sony is not recalling MediaMax CDs, but has agreed to compensate buyers of these albums by allowing them to download one free album, as well as offering them MP3 versions of the music on the MediaMax album.
So If I buy 1 album I can download another album and get mp3's of the same album
What if I buy the album and don't put it in my PC that way I could get two CD's (+ rootkit) for the price of one (technically 3, but 2 are the same music)

Posted by SqlserverCode (165 comments )
this is a load of crap
I can't believe they aren't being punished, this is the biggest load of bull in recent memory. Sony should be fined, they broke the law, they lied and if average joe did the same thing he would probably get jail time and a hefty fine to go with it. Screw Sony, I'll never buy a product made by them again no matter what it is.
Posted by d0x (2 comments )
Personally I don't buy any CDs anymore..... Most music is crap.
Posted by paulsecic (298 comments )
Sony is far too big...
... a company to be held accountable for their actions (at least in the US).
Posted by Zymurgist (397 comments )
Don't spend the $7.50 all in one place
I wonder if I hacked one of Sony's computer systems and installed a rootkit on it if I'd also be fined $7.50.
Posted by Dachi (797 comments )
When a typical CD costs $14.99 at the retail store?

WELL appears that there may be room to say, "crappy music is over-priced," after all!
Posted by WarpKat (23 comments )
Sony BAH!
I had to fix a family member's computer after this Sony garbage. My hourly rate is $300, they owe me $600 not $7.50.
Sony, BAH!
Posted by D-Baer (7 comments )
Class-action lawsuits blow.
The lawyers will undoubtedly receive a multimillion-dollar fee, while the "class" gets $7.50 each and Sony gets off without any real punishment.
Posted by M C (598 comments )
Oh, and I'm sure the artists get screwed in there somehow, too...
..."These CDs were returned, no royalties for you."
Posted by M C (598 comments )
The market will deliver punishment
I agree about the lawyers; they are always the big winners in class-
action suits. But Sony will pay a severe price in the market due to
consumer fury. The government doesn't always have to do the
Posted by nicmart (1829 comments )
Sony should compensate anyone who had to clean up this mess at their normally paid hourly rate.
Sony should be PUNISHED, not given a slap on the wrist!
I have bought my last Sony ANYTHING!
Posted by D-Baer (7 comments )
oooh... MP3's to replace a CD
Wow, how generous. You can get inferior MP3 replacement versions of songs that you had on CD. Somehow I'm not impressed.
Posted by herkamur (115 comments )
What's Missing in This Deal?
So let's get the facts straight here. If someone purchased an XCP rootkit CD for $15.00, this is what they get for returning it to Sony: $7.50(half the cost of the CD) and a $7.50 album download from a limited list of albums that they probably won't use, fearing that their computer will become infected again with the download. So what's missing in this deal? Compensation for the waste of time and effort that it took for anyone with an XCP CD to get rid of the rootkit, not to mention any damages that may have permanently occurred. In the end, Sony comes off with a sweet deal indeed. As for myself, I wouldn't let these weasels close to my computer with a download even if they paid me $750.00.
Posted by Michael G. (185 comments )
missing bit
The cyber terrorist called SONY CORP, are only offering the deal to North American residents period, and the rest of the world with 75% of the infection will be ignored totally and absolutely!
Posted by heystoopid (691 comments )
It gets better for Sony
Not only do they get away with a slap on the wrist but they also get to drive consumers to their craptastic music download service.
I wonder what the penalty would be if I installed a rootkit on one of their servers? $7.50 and visits to my website? Highly unlikely.
I say jail time for the "genius" that thought this crap up and a REAL fine to Sony.
Posted by SpaycG (4 comments )
not quite as bad
They are getting the same cd in return without the rootkit and
then on top of that the other free three downloads or $7.50 +
one download. It is not great, but is not quite as bad. They are
also providing software so that end-users don't have to hire
someone to remove that crappy software. I think they should
have gotten more than they did, but it is still a reasonable
Posted by jasonemanuelson1 (82 comments )
cheap as always!
What a cheap solution, offer this for cheap solution to only north american residents, where as the bulk 75% of this illegal trojanware infection is in every other country in the world!

Also, who can forget the fictitious public recall announcement, of all 'XCP' disks, where only AMAZON.COM, did the recall, and all other retailers, just kept on selling the junk to the unsuspecting public!

Further all, other country divisions, of SONY BMG, point blank refuse to accept any responsibility whatsoever, for any division that include this very illegal security nightmare software!, on its audio cd's sold at retail level, in either home country and/or if exported as well (probably explains the 'No export, delete at the border part of the EULA! as exposed by EFF').

Oh well, at least we now know, you the customer, in any country in the world is always last, will only ever remain so to be treated as either criminals or sheep to be fleeced at every opportunity!

For me, I will totally avoid the purchase of any new technology created by and/or sold by all that is SONY, for who knows what hidden unwanted extra's and software that compromises computer security comes with these devices?

To me the motto of SONY in this century is "BUY CHEAP at wholesale from other makers mostly & SELL AT MAXIMUM PREMIUM PRICES TO FLEECE THE PUBLIC!"

Ah choices, don't you love them!
Posted by heystoopid (691 comments )
to be fair...
Well, to be fair, this agreement is the result of a class action suit carried out in the United States. Thus, recompense is limited to the United States due to the scope of the suit. If other countries' citizens wish to claim, they'll have to file their own suits. I'm not defending Sony here and I think they're definitely wrong, but I felt this was an important distinction.
Posted by herkamur (115 comments )
This fascinating phenomenon
is called "inflation", my dear friend.

"Accept certain inalienable truths: prices will rise, politicians will philander, you too will get old"
Posted by booboo1243 (328 comments )
Columbia Records / What about the Artists?
After buying Harry Connick Jr.'s CD, "Harry for the Holidays," from the Columbia Records, which is a subsidiary of the Sony Corporation, I could not help but notice the "burn" on the CD was abnormal. An examination of the CD showed that there were no .cda files. When I loaded the CD onto my computer, the CD attempted to load a software program known as "CDExtra."

Mr. Connick's management company is surprised and did not authorize any DRM program to be loaded onto his CD. The question remains, "How will this affect the artists such as Mr. Connick, Jr.?"

The executives and all parties that are responsible for deploying this scheme to the general public should be held to the same standard as Kevin Mitnick.

Steven Moshlak
Posted by (23 comments )
Commercial CDs are not "burned"
Mr. Moshlak,

Commercial CDs are not burned, they are manufactured with a
stamping process. Roughly, the way it works, a replication
company gets a master file (could be on a disc, tape, or hard
drive) which is then imported into a computer. The computer
then laser etches (or burns) a master disc onto a nickel or glass
master. Once all the data has been etched onto the master, the
disc is then closed (usually by writing "dummy" info into the
space not used). That master is then used as a mold in a Clean
Room environment to _stamp_ (or "press") the commercial discs
that we buy in stores.

Because the masters have been "closed" properly, it's usually
hard to tell without very close inspection where the useful data
ends and the dummy data begins. It's that professional looking
finish that distinguishes the manufactured CDs from what you
get on "burned" discs.

Economically speaking, if you're running more than 500 discs,
you should be getting them stamped, not burned. It's my guess
that Harry Connick's CDs are probably produced in larger runs
than 500. I couldn't even begin to tell you why Columbia's
Connick CD looked "abnormal," because if they were
manufactured correctly, you couldn't tell anything was wrong by
appearances alone.

Eric W.
Posted by Eric W (30 comments )
$7 for a trashed computer?
From a company like Sony this is not surprising. What will be surprising is the huge numbers of people that won't buy Sony products from now on.

A friend of mine got a nice new Sony CD for Christmas. I won't bore you with the horror story but let's just say it's costing him hundreds of dollars and lots of time and lost data to recoup. He's really pissed off! He's also one example of a pissed off EX Sony product buyer.

I suggest you learn from his example and do the same.
Posted by GrandpaN1947 (187 comments )
Get over it people I don't really give a damn, unless they give me my album back which they did. So am all done with that, and I had already removed the rootkit with ease (granted I removed it when they released the help line on it). But if you're going to blame someone why don't you blame the guy who exposed the whereabouts of the rootkit in full details (eventually letting hackers in on this little item), but more specifically why? would you let this stop you from buying their other products? (that's simply absurd). If you want to quit buying something stop buying sony BMG products (even though you wouldn't get to listen to your favorite artist). It's no different than napster suddenly embedding rootkits in their product, but most of all would you really go smash your SONY sxdr just because discovered a root kit!?

In the case of Magicd if you're going to blame somebody blame windows, for being retardedly vulnerable to attacks.
Posted by Lord_alda (17 comments )
You're Right
From now on I won't blame the Republicans when they start an illegal war, outsource the economy, eliminate Social Security. I'll vote for them again because it's no big deal. Being broke, homeless, and without medical insurance is not a valid excuse to vote for someone else. Get over it people. If you're going to blame someone, blame the constitution for letting this happen.
Posted by GrandpaN1947 (187 comments )
Boo Hoo!
The reason why I am lumping all SONY products in my boycott is
to send a message to all multinational giants that any
irregularities on their part towards its clientele will have
detrimental effects on all their business. It's the only recourse
that we, the consumer, have to curb the immense power these
companies have.
These companies have become so huge, we don't even know
what record companies are actually fronts for SONY/BMG (I
suspect that SONY themselves may not know that). There needs
to be balance in the marketplace, but with such gargantuan
companies who have immense lobbying power, the only recourse
we have is to affect all related and non-related entities.
I am not happy about this kind of settlement. It's a slap in the face
to anyone who has had to deal with fixing their PC.
A reasonable settlement should include the equivalent of a
couple of hours worth of technical support from a reputable PC
Posted by BennySax (1 comment )
Why boycott?
I have never downloaded music, illegally or legally. I have legally purchased several hundred CD's which I listen to on my PC. In my opinion they cost more than they should but what the heck, it's my choice. No one has forced me to buy them. I buy blank Cd's & DVD's to back-up my personal data.... and a portion of their cost goes to the music industry to cover lost revenues due to the ability of people to copy music to said blank disc. I have never copied music to any of the disc I purchased so why should I have to pay this extra cost? That's the way it is, so again.... What the heck, it's my choice, no one forced me to buy them. I have three PC's in my household, a Dell and two that I built. They all have Sony CD and DVD drives...because I happen to like sony products, like the two Sony TV's I currently own and the many Sony walkman's and radios I have purchased in the past. btw most of the music CD's and quite a few DVD movies I own are Sony products. I personally have not encountered a CD which contained this rootkit....just lucky I guess. I'm sure glad "the guy who exposed the whereabouts of the rootkit" did expose it. If not we might still not be aware of it. Now I wasn't affected so should I not give a damn as you suggest? Granted, Windows may be vulnerable to attacks.... as is any OS, but Windows did not put the DRM software on the CD's...Sony/BMG did. Had I been affected, or infected in this case, I guess I would have to accept the removal process offered by Sony... but I would have to believe that I wouldn't trust that they would get it right or for that matter that it wouldn't install further unknown files. So what do I do now? I don't trust Sony Corporation anymore. I'm not going to replace the drives I already own, or the TV's, or the radios or the CD's or DVD's. But you can be "DAMN" sure I will never buy another Sony product again. I don't trust them enough to download any future firmware updates for the drives.
I've cancelled my subscriptions to both the BMG music club and the Columbia House DVD club and sent e-mails to both with my reason for doing so. I've written letters to every division of Sony I know to let them know I will never purchase another Sony product again and will recommend to my friends and anyone else that they do the same. Why? Because, in the end this is all I can do. When corporations act irresponsibly and the legal system does not provide adequate punishment, boycott is the only recourse. Whether or not it is effective depends on the number of people willing to do without the products they provide. The alternatives are to do nothing as you seem content to do, to complain about it in forums such as this which invariably contain more rants against Microsoft, the author and other posters, which only confuses the real issues... or lastly, initiate your own lawsuit.
Posted by (1 comment )
Commercial Music CDs - Just say no!
What part of iTunes don't people understand? Just download the tunes and burn the CD.
Posted by wynnb (2 comments )
What part of sonic quality don't people understand? For those of us who still care about what the music sounds like, mp3's are a slap in the face, and iTunes, salt in the wound.
Posted by jbear (2 comments )
It's a Red Herring!
Until such time it is approved ratified and sealed by the Federal Court, it remains as unfinished business!

Be a red herring!

Man these, Karl Rove Clones are sure working overtime to convince the suckers, like the funny ha ha gotcha again non existent recall!
Posted by heystoopid (691 comments )
Sony Dual Layer DVD format wows
Big deal, you can burn double layer 8.2Gb DVDs with Sony Nero express burner BUT (there is always the Big Butt) you can only read the DVD on a Sony big time!!!
More Sony proprietary scams.
Posted by LimpWicket (1 comment )
Justice served
So the RIAA gets to collect thousands of $$$ from grandmothers and 12 yr olds for downloading even a single song, but Sony only has to pay $7.50 for actions that cost each consumer hundreds to repair their PC?
Keep in mind that the RIAA never proved any loss, just espoused the theory that loss was occurring. Shouldn't each consumer be granted the same assumption - that the highest loss possible actually did occur and they need to be compensated for that loss to keep them economically viable?
Posted by skeptik (590 comments )
Only 1 suit settled so far - there's more still in litigation
Sony isn't in the free and clear yet, there's still the suit by the Texas Atty General and that one has criminal penalties unlike the class-action suit which was a civil penalties case.
Posted by aabcdefghij987654321 (1721 comments )
Now time to sue Microsoft for allowing this in the first place
Sony is just the end-cause of this debacle.

The ROOT cause is Microsoft that knowingly ships an operating system that ALLOWS programs to be secretly installed without any warning to the user that a ROOT KIT is being installed. This wasn't even a "bug" or "exploit"--It is absolutely WRONG intended behavior.

What if your car computer accepted upgrades from a CD placed in your dashboard player? Then your car brake system fails due to 50% CPU use because of the root kit? Who's to blame then? -- Delco the CD player maker or GM the car maker..... GM would be blasted. MSFT is no different in this case and is 90% at fault and needs to be held accountable.

Therefore MSFT is next in line for damages, and I am betting will pay a heck of a lot more in the end than Sony did for destroyed computers.
Posted by Anon-Y-mous (124 comments )
Sony is a terrible company.
I am so frustrated by this. None of it makes any sense. In order to receive a settlement from Sony, you have to be delivered back into using their products? If anything, the settlement should entitle people to back out what will be their last interaction.

Where's the compensation for any service fees people had to pay while getting their computers fixed?!

This just smells of a bunch of greedy lawyers and high level executives having a well-fed meeting. In this meeting, they use the dark corporate arts to conjure a forced patronage campaign disguised as a settlement.

When questioned about it, all they have to do is shrug their shoulders and say "What's wrong?"
They made a "settlement", but it doesn't have any of the makings of a settlement. Evil and greedy people are at play here.

People of the Earth! Do not buy Sony. Put down your brand loyalty to an image. It's a wolf in sheep's clothing designed to sap you dry.

Sony is not the perfect consumer product provider they claim to be. Their products are designed to fail - forcing you to buy new almost every year. Products that have software have crippling restrictions that are never mentioned as the products are advertised.

Ever since the mid-90s, Sony shifted their policies and marketing towards the "Best Buy" segment and have never looked back.

This pretty much sums up Sony:
Mediocre, fault-prone products with invasive software where applicable.
Posted by (15 comments )
Sony is Not only terrible but UNETHICAL!!!
It is unethical to pay for a "new" PS3 that is defective out of the box and receive a "refurbished" unit that turned out also to be defective. There is no customer appreciation in this practice and lack of vigilance. Only greed. A class action lawsuit will be in effect I am sure. Sony, listen to your loyal customers and change your deceptive and unethical business practice!
Posted by ckanithanon (1 comment )
This is a chance to send a message to all the corrupt greedy evil corporations that have raped the consumers, and stolen all our rights to privacy, and limited all other rights including freedom of speech. I say that no one should accept this settlement, and demand at the least $ 1000,00 per person plus 10 FREE Music CD's with NO COPY PROTECTION OR SPYWARE. Some say it will bankrupt Sony. SO WHAT! This will force them to sell ownership of American Companies BACK TO AMERICANS.

Read and pass this along
Posted by the1kingarthur (47 comments )
EFF short changes consumers
I don't know how many of you have actually read the proposed settlement agreement but given my experience in these matters (yes I am a lawyer) it is very apparent to me that this was a behind the doors/secretive settlement that will only benefit the class action lawyers and SonyBMG, why do you think it settled so quickly? As someone else pointed out, the settlement does nothing for consumers whose computers were damaged or that will be damaged in the future and in fact the only way a consumer who has been damaged is to file an individual lawsuit which we all know will never happen. This stinks. And on top of that, the organization that was at the settlement table and that was supposed to be protecting our rights, the EFF, sold out too. The only way to fight this is for there to be enough people to "opt-out" of the settlement which might cause Sony to back out of the agreement. Right now that threshold is 1000, surely we can get over 1000 people together to derail this thing? One last thing, note how the attorneys fees to be paid has not yet been disclosed, again very sneaky here.
Posted by pottymouth (1 comment )
