Texas Expands Suit Against Sony BMG
Texas Attorney General Greg Abbott has expanded his state's lawsuit against Sony BMG that was filed in November over the use of illegal spyware in its XCP copy-protection mechanism. The new charges allege that Sony's other DRM software, SunnComm MediaMax, installs even if a user declines the license agreement.
In the initial filing, Abbott sued under Texas' Consumer Protection Against Computer Spyware Act of 2005, and sought civil penalties of $100,000 for each violation of the law, attorneys' fees and investigative costs. The additional allegations invoke the Texas Deceptive Trade Practices Act.
"We keep discovering additional methods SONY used to deceive Texas consumers who thought they were simply buying music," Attorney General Abbott said in a statement. "Thousands of Texans are now potential victims of this deceptive game SONY played with consumers for its own purposes."
Under the Texas Deceptive Trade Practice Act, Abbott can ask Sony to pay $20,000 for each violation of the law.
Abbott has also sent a letter to Texas retailers asking them to take all 52 CDs with SunnComm's MediaMax software off store shelves immediately. He also warned that the retailers could be just as culpable as Sony for continuing to sell the CDS.
"These CDs open the door for malicious hackers to target consumers' computers. Hackers may be using the SONY files to install viruses, malware or even commit identity theft," Abbott said. "Retailers that continue to sell these CDs may be just as liable under the law as Sony."
The Electronic Frontier Foundation is also suing Sony BMG over both the XCP rootkit software and SunnComm's MediaMax. "Sony BMG is to be commended for its acknowledgment of the serious security problems caused by its XCP software, but it needs to go further to regain the public's trust," said Corynne McSherry, EFF Staff Attorney.
The expansion of the Texas lawsuit against Sony follows news that SunnComm's MediaMax copy protection software does not properly protect a directory it installs. Thus, a restricted user account could replace the executables within the MediaMax directory with malicious code, which would then be executed by an administrator upon inserting a CD.
Sony attempted to issue a patch for the vulnerability, but the patch was found to be insecure as well by Princeton researchers Alex Halderman and Edward Felten. Halderman and Felten had previously discovered that SunnComm's software installs even if a user rejects the EULA.