Lawsuits, Lost Sales and Lessons: Fallout From the Sony DRM/Rootkit Disaster
Posted by Brian Wong
Sony BMG Music Entertainment's (Sony) woes resulting from its XCP digital rights management (DRM) software continue. New York Attorney General Eliot Spitzer announced on November 23, 2005, that his investigation found that several major music retailers in New York and online continue to sell Sony music CDs that contain XCP software. He deemed it "unacceptable that more than three weeks after this serious vulnerability was revealed, these same CDs are still on shelves." Spitzer urged consumers not to buy the affected CDs, or, if they do, not to play them on their computers, and said consumers who have bought them should seek refunds. He noted that Sony has asked its distributors to make refunds available regardless whether the package has been opened.
Elsewhere, Texas Attorney General Greg Abbott filed suit on November 21, 2005 alleging that Sony violated Texas antispyware laws. Texas Attorney General office investigators were able to purchase numerous Sony titles with XCP at Austin retail stores as recently as November 20, 2005.
The Electronic Frontier Foundation (EFF), along with two leading national class action law firms, filed a lawsuit demanding that Sony repair the damage done by both the First4Internet XCP and SunnComm MediaMax software. The EFF alleged that the MediaMax software installs files on the users' computers even if they click "no" on the End User Licensing Agreement (EULA); does not include a way to fully uninstall the program; and transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs on a computer, allowing the company to track listening habits, even though the EULA states that the software will not be used to collect personal information.
Sony artists whose CDs were released with XCP have suffered substantial lost sales, are unhappy with Sony's decision to include the software without their knowledge and are complaining to label heads. Cory Doctorow received an e-mail from a "high-placed source at Sony BMG" noting a "rising number of anti-DRM voices within in the company," and stating that least one of the label heads has threatened never to allow another CD to go out with DRM again. Many articles have noted the decline in XCP CD sales on Amazon, and Amazon has both posted a list of Sony CDs containing XCP and return instructions.
Questions have arisen regarding what Sony knew about the XCP software problems, when it knew it and what it did after learning of the security vulnerability. Writing in Wired, Bruce Schneier noted: "The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us." He pointed out that the XCP rootkit has infected half a million computers and has been spreading since mid-2004, but the computer-security companies did not issue warnings or virus protection until November, 2005.
The Sony episode will have both short term and long term implications for DRM, both for music companies and artists. There will be at least a short term setback in the use of DRM, with some analysts believing the incident will retard the music label use of DRM by years. In the long term, music labels will have to balance their use of DRM with consumer resistance, and may have to refine their business models to accept a world in which significant consumer copy restrictions are not possible. Analyst firm Gartner released a research note stating the XCP can be defeated by applying a small piece of tape to the discs, and observing that "[a]fter more than five years of trying, the recording industry has not yet demonstrated a workable DRM scheme for music CDs."