EFF Pushes Consumers to Claim Rootkit Compensation

An anonymous reader writes "'It's time for music fans who bought Sony BMG CDs loaded with harmful XCP or MediaMax copy protection to claim their settlement benefits', says the EFF's Derek Slater in an awareness campaign that is urging those inflicted with one of Sony BMG's rootkit infected CDs to collect what is due to them. The compensation is a DRM-free version of the original CD, $7.50, and album downloads from iTunes, Sony Connect, and others."

Summary correction:

[tpgp (48001)]

is a DRM-free version of the original CD, $7.50, and album downloads from iTunes, Sony Connect, and others.

Should read:

is a DRM-free version of the original CD, $7.50, and DRM-laden album downloads from iTunes, Sony Connect, and others.

I'd also like to know if anyone is going to try for a real settlement - like a company having to audit their network after finding one PC rooted.

Re:Summary correction:

[Tim C (15259)]

To be fair, the DRM on iTunes songs isn't even in the same league as the DRM on the Sony CD in question, let alone the same ballpark - at least it only affects the affected song, and doesn't open the entire PC up to compromise.

Re:Summary correction:

[Grant29 (701796)]

True, and at least most everyone knows the iTunes DRM before buying. It's not as bad as someone sneaking some software onto your PC without you knowing.
--
Find the lowest price at PriceAge [priceage.com]. Comparison Shopping with online coupons.

Not true.

[babbling (952366)]

I'd argue that in some ways, the iTunes DRM is worse. At least with the Sony CDs, the DRM stayed the same. Apple has changed what you can do with the music AFTER you have purchased it.

Apple has changed the number of CDs you can burn it to, and the number of computers you can have the music on at the same time. Apple also force upgrades by requiring new software for new model iPods, so not updating iTunes isn't a viable way of escaping changes in the DRM permissions.

If Apple ever decided to build backdoors into iTunes, people would still have no choice but to upgrade and have all the backdoors affect all of their music, if they want iTunes to work with their latest iPod... or if they chose not to buy the latest iPod because of the backdoors, they would lose the ability to play all of their music on-the-go, since the music can't be played on any competing MP3 players.

Not as bad... up front, maybe.

[Kristoffer Lunden (800757)]

In a way it's even sneakier though, as it teaches the public that DRM is ok. Just watch how many who otherwise claim to love freedom who readily defends it whenever the issue comes up. As soon as the mindset it firmly in place, there will be no problem rolling out worse and worse protections, until we have "Trusted Computing" telling you exactly where you want to go today.

No thank you.

Re:Not as bad... up front, maybe.

[jb.hl.com (782137)]

In a way it's even sneakier though, as it teaches the public that DRM is ok.

Because people knowing about a fair(er) form of DRM and agreeing with it is SO evil.

iTunes' DRM is very acceptable to most people, as its limits aren't very strict, and it only applies to music. Trusted Computing or whatever bollocks they call it now isn't in the same ballpark.

Re:Not as bad... up front, maybe.

[mrchaotica (681592)]

Because people knowing about a [less intolerably unfair] form of DRM and agreeing with it is SO evil.

There, fixed that for ya. As we all know, DRM is unfair by definition because it is incapable of accounting for Fair Use.

Re:Not as bad... up front, maybe.

[mrchaotica (681592)]

You can't resell it.

Re:Not as bad... up front, maybe.

[mrchaotica (681592)]

Sorry, doesn't work. First of all, because the music is compressed, selling a CD of it is not the same as selling the AAC itself, and is inferior because when the buyer goes to make an AAC again he'll end up with lower quality.

Second, you can't transfer ownership of the AAC itself:

iTunes Music Store Terms of Service [apple.com], section 9c:

You agree that your purchase of Products constitutes your acceptance of and agreement to use such Products solely in accordance with the Usage Rules, and that any other use of the

Re:Summary correction:

[tpgp (48001)]

To be fair, the DRM on iTunes songs isn't even in the same league as the DRM on the Sony CD in question, let alone the same ballpark - at least it only affects the affected song, and doesn't open the entire PC up to compromise.

I completely agree with you - but itunes was not the only music service mentioned. From the EFF's site: CONNECT Music, f.y.e., iTunes, or Wal-Mart.

Whilst you might be prepared to trust Apple's DRM (and to be fair, I don't see much wrong with its terms either), read this thread [rokulabs.com] before trusting Wal-mart's. (I don't think I'd have to work hard to convince most people here that putting faith in Sony's DRM is a bad idea as well.)

The ultimate trouble with drm - any drm, is that it restricts your right to do what you want to do with your music. It's like giving a company the keys to your CD cabinet & trusting them to unlock it when you ask them.

Re:Summary correction:

[mrchaotica (681592)]

Yeah, but Apple could turn that chicken wire into Cheyenne Mountain at any time, simply by releasing an iTunes update that disables that ability. And you wouldn't be able to do a damn thing about it, especially if they neglected to mention it in the patch changelog.

Seriously, that "just burn a CD" argument is tired, old, and most importantly, invalid. Stop using it already!

Re:Summary correction:

[Tim C (15259)]

As you say, I have merely bought the right to listen to the music, not the music itself. That raises two points:

1) Unless otherwise clearly informed of the fact at the time of purchase, I have bought the licence in perpetutiy, not for a limited time - I do not expect to lose access simply because the company goes belly-up and the DRM prevents me from accessing it.

2) If I have bought the right to listen to the music, then I should be allowed to replace it if lost, stolen, destroyed or otherwise unusable to me for a nominal replacement fee. I should not be forced to buy a new CD at full retail simply because my daughter broke the old one.

Re:Summary correction:

[SlimFastForYou (578183)]

Because the record companies (rightfully) justify the high cd prices, monopoly on selling a song, and lawsuits against the general public by saying that you're buying the right to listen to the music.

Parent is pointing out that the record companies shouldn't have it both ways. If the record companies cause you to lose your ability to listen to the music (by preventing you from backing it up for instance), they should have to provide you a free replacement. Or at most a cd at cost but I personally think th

Re:Summary correction:

[Pofy (471469)]

>Except that it's not your music at all.

Not sure if you speak of a specific rental service (I have no idea about itunes or any of the others mentioned in the post you replied to) or about buying music in general. If we stick to music in general, yes it is yours, those specific copies of the music are. No idea why you have some other idea.

>The only thing you get by buying a movie, music, or game is the right to
>watch/listen/play.

No, if you buy it, you buy it, that is covered by normal sales laws, co

Re:Summary correction:

[plumby (179557)]

If we stick to music in general, yes it is yours, those specific copies of the music are.

Not as far as I can tell it isn't. Most CDs say somewhere on the case something along the lines of "no unauthorised copying, hiring, lending, reproduction, public performance or broadcasting of the work". If I was the actual owner of the music that I'd just purchased, why is anyone else able to put those restrictions on what I do with it?

If I buy a bottle of Coke, I'm not told that I wouldn't be allowed to serve it at

Re:Summary correction:

[Helios1182 (629010)]

2 Hours of PC repair at $100/hr. per computer affected. It seems reasonable. The average user doesn't have the tools/knowledge to un-root their system, so lets assume they had to pay someone to do it. Time is money anyway, having to spend an afternoon to fix it is worth something.

That would be a painful settlement. How many thousands/millions? of PCs were hit?

Apologize

[MyLongNickName (822545)]

They don't mention it here, but in A civil action [imdb.com], one of the quotes (paraphrasing) is "Corporations say they are sorry by paying money". If a corporation gets away with crap like this without a significant blood letting (law suits), they will try it again soon. It will be a more refined approach, you can be sure. But it will happen again.

Companies who pull this shit need to be punished. Badly. Not a public tounge wagging followed by a pseudo-aplogy. They hire people to do PR and deal with that. When the company's bottom line is hurt, they will be more cautious in the future. And if it takes months or years of cases hanging over their head, the stock will suffer. And when the stock suffers, so do the folks at the top.

Anything else is just the cost of doing business.

Re:Apologize

[mrchaotica (681592)]

Companies who pull this shit need to be punished. Badly.

Yeah, they need to be barred from doing business for a period of time, and have their board of directors and CxOs jailed.

Re:Apologize

[MyLongNickName (822545)]

I disagree. This only puts people out of business, putting people out of work. Like rats, CEO's find another place to make their millions. It only punishes the bottom -- much like our wonderful international sanctions. Ever notice how the dictators are the only ones who don't seem to suffer?

Re:Apologize

[joeljkp (254783)]

This wasn't a criminal case, it was a civil settlement.

Compensation...?

[Omaze (952134)]

Typically the EFF seems to be on the right course but, in this case, the EFF is promoting the idea that a major corporation can force its will on the consumers preemptively and then, when the consumers revolt, all they have to do is say,"Oh. Sorry 'bout that. Here's a lollipop. No go away."

There needs to be a clear signal. What we're seeing here is just a buyout.

Re:Compensation...?

[JFitzsimmons (764599)]

Which is worse than just going silently into the night?

Re:Compensation...?

[babbling (952366)]

The EFF explain their decision in this lecture at Google. [google.com]

Basically, they sent a letter to Sony before suing them outlining the steps that they should take to correct their mistake. Sony ignored the letter, and the EFF sued them. They came to a settlement that achieved most of the suggestions outlined in the original EFF letter.

The settlement wasn't too bad. Sure, they didn't hit Sony as hard as they could have, but everyone is getting replacement CDs and a small amount of compensation money. Anyone wh

Well...

[Captain Splendid (673276)]

Haven't bought any Sony CDs recently, but even if I had, I wouldn't bother. Recompense enough to see a megacorp lumbering toward extinction.

Very Little Compensation

[kabz (770151)]

This is very small compensation for machines that may have been damaged by this rootkit. Sony should allow people to claim actual damages if people can show that damage has been done.

The best thing that may come out of this is that the rules on what companies can and can't do have been clarified.

If I install software on my machine, I expect it to behave itself, providing I believe that the company itself is reputable. Sony have damaged themselves through this.

Re:Very Little Compensation

[CuriousKangaroo (543170)]

Please read the EFF FAQ regarding the settlement.

If you participate in this, you are NOT giving up your right to sue for damage to a computer or network!

Even if you get the small amount from this claim, you can still go on to sue for actual damages, should you have them.

http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq. php#8 [eff.org]

Re:Very Little Compensation

[jimicus (737525)]

Sony should allow people to claim actual damages if people can show that damage has been done.

Allow? Allow?! Surely the whole point of a lawsuit is that Sony don't get any say in what's allowed - that's down to the court.

Re:Very Little Compensation

[Scarletdown (886459)]

If I install software on my machine, I expect it to behave itself, providing I believe that the company itself is reputable.

And even more importantly, if you put what you were led to believe is an audio CD in your computer's CD-ROM drive, you should expect it to behave itself by simply playing the music encoded on it and nothing more.

Friends

[quokkapox (847798)]

I guess if I foolishly allowed a friend to stick one of their DRM rootkit-infected CD into my drive, I don't get a share of the settlement, because I can't provide the required proof-of-purchase documentation.

That doesn't seem fair. One CD could have infected multiple machines, but only the original owner gets "compensated" by Sony.

Re:Friends

[ZachPruckowski (918562)]

How many owners keep proof-of-purchase beyond maybe the CD and the little plastic thing it came in? I mean, most of these people could have paid cash, and not kept the receipet.

Re:Friends

[eMartin (210973)]

If it were up to them, you wouldn't be allowed to listen to your friend's CD in the first place.

Re:Friends

[Buran (150348)]

Sue 'em yourself. If you can prove their crap is on your computer, you have proof of damage. Go after them in small claims court. If enough people did the same thing, they'd be hit with too many tiny lawsuits to fight them all.

They didn't tell you or the original owner of the malware on the disk, so they are liable because they were aware of its existence.

Sony get off too lightly by half

[by Anonymous Coward]

I'm not sure about this. Here it costs at least 40/hour to have a decent engineer come over and reinstall windows, back up your data and restore the machine to working condition. Taking the settlement Sony offer might prejudice getting a proper settlement, which I estimate at between 60-80 per affected user.

Thats's the civil liability. Here in the UK what Sony have done is a *criminal* offence under the computer misuse act.

I hope we haven't even started to see the scale of damage this is going to cost Sony. Frankly I hope it bankrupts them.
If some 14 year old kid wrote this rootkit he would be staring at 10 years in jail.

Re:Sony get off too lightly by half

[penix1 (722987)]

"Here in the UK what Sony have done is a *criminal* offence under the computer misuse act."

It is supposed to be criminal here to under the CFAA (Computer Fraud and Abuse Act) [panix.com]. Of course, you will never see them charged like they are supposed to be.

B.

who is the ass master

[dubiousmike (558126)]

who decided that a free album was appropriate compensation? How about the cost to archive all important files and reinstall the afflicted OS at the very least. They could forgo the time lost without a shitted on computer

We can only hope

[DarthChris (960471)]

This will like set an important precedent w.r.t. rootkits and other commercial malware (Starforce anyone?). I only hope the result will be good for the customer and not the corporations. If Sony don't get the punishment they deserve for this, everyone else will jump on the bandwagon.

No thanks to ANYTHING from Sony

[erroneus (253617)]

I never bought one of these. Instead, I suffered at the office as the IT guy who had to clean up the mess that Sony left behind. I would like to sue them for the labor, time and frustration they caused... and continue to cause! Those things are still out there drifting about. Just last week I had to reverse the damage one of those CDs caused. A real pain in the ass it is. So far, that makes over 10 machines trashed because of that stupid crap.

And the "real" punishment, as far as I'm concerned, is that I had the opportunity to explain to a lay-person what Sony has done, why they did it and why they shouldn't trust Sony with their dollars ever again. I truly think it's a powerful thing since these people found out first-hand that it wasn't "their fault" and that trusting a big company like Sony to always do the right thing is pretty wrong. The opinion these people, and those they that hear their story, hold of a much lower opinion of Sony than they once did.

May Sony feel the wrath of the consumer!!

Re:No thanks to ANYTHING from Sony

[tomhudson (43916)]

Explaining it to the end users was probably a waste of time, since THEY didn't have to clean up their machines - they foisted it on you. Its the same as explaining to an IE addict why they should switch to Firefox ... over and over and over and ...

Besides, I see that there's a Celine Dion album on the list. I would argue that the world is a better place if everyone who bought that CD ends up with a non-functional computer.

Re:No thanks to ANYTHING from Sony

[Turn-X Alphonse (789240)]

"Sony put a virus on one of their music CDs. When you play it, it installs the virus and trashs your PC".

That's how I explained it to Joe sickpack, and it worked perfectly. They hated Sony as much as we do and it's the truth.

Remember "Virus" is a scary word for the uninformed, they think it means "everything gone" or "credit card details stolen". It also does it quick enough for them not to get bored, hence perfect solution and the truth in 1.

My reply from the EFF

[cove209 (681558)]

Greetings,

I just read on your website where the EFF has agreed to settle with Sony BMG.
What a pathetic settlement that does nothing to assist consumers with the costs of removing the rootkit software and in addition, fails to act as any sort of a deterrent to Sony BMG.
Way to knuckle under for the little guy.
Unhappy in California

Hi ,

I'm sorry you feel that way and there may be nothing I can do to
convince you otherwise, since I understand some people want Sony
BMG's head on a pike and nothing less will do. I don't necessarily
disagree, but the law limits what we can get in the context of a
class action settlement. But I hope you'll at least give me a hearing.

First, you understand that the settlement *preserves* the claims of
folks who have hardware damage due to the rootkit, right? They can
still sue to get more and we're happy to help. The scope of the
settlement is for a different harm -- the harm of merely having
bought these bad CDs.

The main reason that we didn't settle those claims is that we haven't
had enough people come forward with proof that the CDs harmed their
computers to constitute a sufficient number for a class action. Class
actions require "numerousity" and "uniformity" of claims. If you
know of such people, please send them our way. They can bring small
claims actions. If we do discover enough folks with a common pattern
of harm, we will consider another class action.

Second, as for whether this will serve as a deterrent to Sony in the
future, I guess we'll see in time. Even if we had taken the case all
the way through to a trial and been completely successful, a court
would not be able to order Sony to cease using all DRM under current
law. So as much as I'd like to see Sony do that, this case alone was
never going to accomplish that goal.

Right now they have stopped pressing *any* CDs with DRM on them,
agreed to independent review of any future DRM (with a report to the
lawyers involved in the case), and agreed to allow non-DRM/non-EULA
versions of all of the music that was affected by the bad DRM. The
cash cost of the settlement is hard to value but Sony says that the
value of album downloads are $10 per album. If the 5 million people
affected by MediaMax get a free album download that's a cost of $50
million to Sony. That's before the $7.50 per album for the 3 million
XCP users and the extra downloads that they get, or the replacement
music for the MediaMax 3 users.

While the settlement terms are the product of negotiation and so
aren't perfect, I do think we got a good deal in the settlement for
purchasers of the CDs. Believe me it was hard fought and there is
much in there now that Sony started out by flatly rejecting. I
certainly understand if you disagree and want to try for more on your
own. You absolutely have the right to opt-out of the settlement and
bring your own action. I'd be very curious to hear how that goes if
you choose to do it.

Most important for us was:
1. stop production of any more CDs with the dangerous DRM on it.
2. get people non-DRM'd/non-EULA'd versions of their music (this was
strongly resisted by Sony)
3. do it quickly
4. get people some free music (or in the case of XCP, money) for
their trouble.

There's much more in the settlement than that, of course, but for the
purchasers these were the core goals.
Again, I appreciate your feedback.
- Show quoted text -
On wrote:
                                                          ---- .org
                                    ---- www.eff.org
Electronic Frontier Foundation
454 Shotwell Street
San Francisco, CA 94110
(415) 436-9333 x

Re:My reply from the EFF

[rifftide (679288)]

At first I thought the EFF had sold us down the river, but now I think the settlement is reasonable. Sony agrees to cease and desist the practice, and they must provide a convenient mechanism for exchange of XCP disks. What it doesn't do is (1) provide reasonable compensation to people who suffered extensive system damage, or (2) blast Sony back to the Stone Age for having a corps of bozo executives running their music division. But as the EFF pointed out, those in the first category can opt out of the s

Re:My reply from the EFF

[gizmonic (302697)]

But as the EFF pointed out, those in the first category can opt out of the settlement and sue on their own dime

But, what the EFF said was:

First, you understand that the settlement *preserves* the claims of folks who have hardware damage due to the rootkit, right? They can still sue to get more and we're happy to help. The scope of the settlement is for a different harm -- the harm of merely having bought these bad CDs.

That means that the lawsuit applies only to buying the DRM'd CD. It has nothing to do ins

If you want more blood

[codepunk (167897)]

If you want more blood out of sony here you go.... Nothing at all stopping you
from taking them to small claims court and getting what you deserve. Most small claims courts have a very small fee like $10 for filing, 5 minutes in front of a judge and bingo you have got cash!

        * damage to a computer or network resulting from interactions between the XCP Software or the MediaMax Software and your computer (e.g., damage to your hard drive);
        * damage related to your reasonable efforts to remove the XCP Software or the MediaMax Software; or
        * copyright, trademark or other claims arising from the development of the MediaMax Software or the XCP Software, or any uninstallers or updates thereto.

You may still sue Sony BMG for any such claims, whether or not you choose to take advantage of the settlement benefits. As part of the settlement process, Sony BMG agreed to waive its overreaching New York forum selection clause and $5 limit on damages, so you can take them to your local small claims court for your damages.

See here for more information about the small claims process.

Re:If you want more blood

[Stevyn (691306)]

I think that people who feel they are not justly compensated by this lawsuit, going to a small claims court might be a good idea. However, they still need to show damages. They have to have evidence that Sony cost them money. Maybe that could be hiring some geek squad guy to come over and fix it. Maybe it could simply be their time.

It would be great if Sony was treated the same as some punk kid who hacks into a computer owned by MegaCorp and is fined thousands and given jailtime, but that's unlikely in

only the bad publicity harmed Sony

[Lazy Jones (8403)]

The settlement was a joke (sorry EFF). What kind of message is that - the typical guy who installs malware/spyware on a computer is fined heavily and sometimes goes to jail, while a big corporation Sony gets away with a ridiculous amount of cash per malevolent action? Where's the justice in that?

Fairness Hearing Scheduled for May 22, 2006

[marklyon (251926)]

SonySuit.com [sonysuit.com] has information about the fairness hearing on May 22, 2006 at 9:15 am at the Daniel Patrick Moynihan United States Courthouse for the Southern District of New York at 500 Pearl Street, Room 2270, New York, NY.

Don't forget -- claims MUST BE submitted by December 31, 2006. If you want to be excluded from the settlement, you MUST FILE before May 1, 2006. If you do not exclude yourself, you can attend the fairness hearing, at your own expense, and be heard by yourself or through your attorney.

I run the SonySuit.com website an plan to start collecting messages about the settlement to submit to the court as exhibits to my statement at the fairness hearing. If you have a comment about the settlement, send it to sonysuit@gmail.com [mailto].

Payment

[unix_core (943019)]

Can I please pay by paypal the next time I install a rootkit on one of Sony's workstations? $7,50 each, right? They pick some stuff from my mp3 collection too, if they want.

What this is really about....

[tverbeek (457094)]

Don't you people realize that this so-called "settlement" is just a trick to enable the courts to collect the names and addresses of people who listen to creatively bland corporate musick?!

The Linked article was bad

[sgent (874402)]

this is a claim merely for having bought the CD's in question -- it IS NOT COMPENSATION for damages that may have result from your network or computer. See http://www.eff.org/IP/DRM/Sony-BMG/settlement_faq. php [eff.org] for full information on the settlement.

exert...

Why does EFF think the settlement is a good deal for purchasers of the Sony BMG CDs?

EFF agreed to the settlement because we believe it provides a good compensation package for the group of people who purchased the CDs but did not experience any hardware damage as a result. This means purchasers whose claim is primarily based on their purchase of the CDs and experiencing the hassle of having to patch or uninstall their systems, or in the case of MediaMax 3, having had files installed prior to giving you a chance to agree.

EFF's goals for purchasers of the CDs were to :

1. Stop production of any more CDs by Sony BMG with the bad DRM on them.
2. Get people non-DRM'd/non-EULA'd versions of their music.
3. Get this relief to people quickly, rather than after years of legal wrangling. This is in part why some of things in the settlement, like uninstallers, were available before the settlement itself was announced.
4. Get people some free music, or in the case of those who were at risk from the XCP rootkit, a choice of some money for their trouble.
5. Ensure that people get notice. Sony BMG has agreed to use the banner functionality on some of its CDs to give individual notice to purchasers at the time they put the CD into their computers, as well as put notices on many artists websites and purchasing adwords giving notice more broadly. We're still working with Sony about what these will look like, but EFF believes that taking extra steps to give people notice of the need to patch their systems, and of the settlement, is important.
6. Ensure independent security testing and pre-launch EULA review of any future DRM, with a report to the lawyers involved in the case of at least the security testing.
7. Agree to a quick process for response by Sony BMG, involving independent security reviewers and enforced by the court, in the event of any future discovery of a security flaw in their DRM.

There's much more in the settlement than that, of course, but for the purchasers these were EFF's core goals and the settlement meets them all. That's why we think the settlement is a good deal and we endorse it.

Very Lame Compensation

[Nom du Keyboard (633989)]

This is very lame compensation. Sony got off just short of scot-free so far. The CD's cost well under a buck to press. The damage to your computer, time and efforts to clean it up, cost far more than this.

I don't see a single thing in this settlement that punishes Sony sufficiently to absolutely convince them to never even think of attempting this again.

Worse yet, I don't see anything here to scare off any other big music or movie company from trying the same thing.

Sony should have gone down big time over this one.

And the lawyers should have only gotten a replacement CD and 3 free downloads as well.

Are there still any other suits in any other state/countries pending that will hurt them more?