California Class Action Suit Sony Over Rootkit DRM 508
carre4 writes "Lawyers in California have filed a class-action lawsuit against Sony and a second one may be filed today in New York. The lawsuit was filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, CA attorney Alan Himmelfarb. It asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them. The suit alleges that Sony's software violates at least three California statutes, including the "Consumer Legal Remedies Act," which governs unfair and/or deceptive trade acts; and the "Consumer Protection against Computer Spyware Act," which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law,
which allows public prosecutors and private citizens to file lawsuits
to protect businesses and consumers from unfair business practices. EFF has released a list of rootkit affected CD's and Slashdot user xtracto also has a list."
By the way, here's another interesting tidbit... (Score:5, Interesting)
Quoth the EFF :
Now the Legalese Rootkit: Sony-BMG's EULA
November 09, 2005
If you thought XCP "rootkit" copy-protection on Sony-BMG CDs was bad, perhaps you'd better read the 3,000 word (!) end-user license agreement (aka "EULA") that comes with all these CDs.
First, a baseline. When you buy a regular CD, you own it. You do not "license" it. You own it outright. You're allowed to do anything with it you like, so long as you don't violate one of the exclusive rights reserved to the copyright owner. So you can play the CD at your next dinner party (copyright owners get no rights over private performances), you can loan it to a friend (thanks to the "first sale" doctrine), or make a copy for use on your iPod (thanks to "fair use"). Every use that falls outside the limited exclusive rights of the copyright owner belongs to you, the owner of the CD.
Now compare that baseline with the world according to the Sony-BMG EULA, which applies to any digital copies you make of the music on the CD:
1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."
3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.
4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.
6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.
7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.
8. You have no right to transfer the music on your computer, even along with the original CD.
9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.
So this is what Sony-BMG thinks we should be allowed to do with the music on the CDs that we purchase from them? No word yet about whether Sony-BMG will be offering a "patch" for this legalese rootkit. I'm not holding my breath.
Posted by Fred von Lohmann at 12:24 PM | Permalink | Technorati
Endquote. It's interesting to see just how far Sony will go to alienate the tech-savvy user base. It's been a few years since I religiously started forbidding people to buy Sony products, because I wouldn't be assed to "fix my vaio, please" or to "take a look at my LCD screen, there are, like black dots and stuff on it", but my brother-in-law still got himself a Sony DAP.
The first thing I thought was, "Wow! The salesman actually managed to sell him something that isn't an iPod.", but come on. What's you
Buying a new computer (Score:5, Interesting)
More from Mark (Score:5, Interesting)
Most Spyware has fewer hoops to jump through to uninstall it.
Serves them right (Score:5, Interesting)
In meatspace, this would be called "vigilante justice," but I'm not sure that large corporations qualify for that label.
Cashing in. (Score:1, Interesting)
Re:Serious work issue (Score:4, Interesting)
Problem "solved"
Caveat emptor! (read label, avoid zombie un-CDs)
ALCEI claims rootkit is a virus (Score:5, Interesting)
This opens another plan of attack which I think will have more chance of succeeding (at least for public mind-share. I can't judge the legal value of the argument).
Re:"Nothing for you to see here. Please move along (Score:2, Interesting)
ABSOLUTELY NO WAY.
None.
Red Book audio tracks have certain format. Said format supports no copy protections/DRM/whatever crap.
This format is easily readable by gazillions of CD ripping programs. Unless you create a new format that does not play on normal audio CD players (not gonna happen), there is absolutely no way to prevent this.
So, essentially, if you disable windows autorun, you are immune to all 'copyprotections' and 'DRM' on CD:s. Some 'add errors to audio' things might need a specialized program, but they are going out of fashion as those CDs do not play in great number of audio CD players.
DVD audio is protected, but the masses are not biting. I wonder why...
Sony etc. cannot possibly 'win' this battle, unless they can legislate a protection for their practice of hosing people's computers. DMCA pretty much does that, but this time their nice 'DRM' went few miles too far and ran into few other things that are in the law books, and now Sony is going to get so throughoutly PWNED by this (I *pray* this class action laywer wont settle, I want Sony to be convicted), that they'll hopefully remember it in the future when devising braindead schemes to 'protect' CDs that are, by definition, impossible to 'protect' from copying (another word for 'playing')
Two thoughts (Score:3, Interesting)
2) Here's a link [sonymusic.com] where you can communicate to Sony how you feel about the rootkit situation. I used this link to send the following to Sony: I didn't submit this anonymously. Here is the email reply they sent me (pretty much a form letter): The most helpful thing about the faq was seeing which record labels are Sony. Unfortunately, Columbia Records is one of them - so I won't be buying the new System of A Down album when it comes out in a couple of weeks. That hurts, but in good conscience I just can't do business with Sony. If people buy Sony products in spite of this, Sony wins. So, no System CD for me, no PS3 for you gamers, no Vaio for you Mac-wannabes, etc. Don't just complain - let them know why you're boycotting, then actually do it.
Not only it is Lame, it contains.... (Score:3, Interesting)
Copyright infringement? (Score:5, Interesting)
Also in the program go.exe their is an array called "largetbl", which is part of tables.c of libmp3lame. Can anyone confirm these findings?
LAME is licenced under the LGPL. Could this mean more trouble for Sony because of a license violation?
Re:Did you look at the list of "protected" CDs? (Score:3, Interesting)
Of course, one could argue that, people which know how to actually copy CD's are the ones that do not listen to that music (i.e. the not average J6Pack). But, some of them use their knowledge to pirate & sell the illegal copies. I presume (*I hope*) those are the persons which sony was aiming when applying this (or any other) kind of DRM security.
Now, they really messed it when they blocked the ability to copy the music to the iPod since it is one 100% legit use of a ripper/mp3-encoder (Kudos go to Apple on this) and it is very, very, VERY widespread.
I would really love to see some of these lawsuits continue until a nice end. I hope this serves as the spark that was needed to show the USA people how invaded your privacy is. And how have your government took your rights and introduced them into i-dont-tell-you-where.
As some other slashdotter said before, USA citizens are lazy, they wont be pissed off about something until it trasspases their "lazzyness-level", the cable-with-advetisments, the game-consoles-without-chips, the DMCA, etc etc...
I have been monitoring this Sony matter for some days, and I am glad to see it has escalated in the SciTech Google news [google.com] section, from an obscure search "intitle:Sony intitle:DRM" to a 3rd place in the list (just suprassed by bill gates self-leaked memo and some other digital election thing".
If the correct people (we) make things correctly, this could be that spark that we needed to shake those lazy sixpackers that are staring at the TV or at hallmark.com
Re:Misleadings, expansions, and lawsuits abound (Score:3, Interesting)
Second, a New York law firm will be next to join the bandwagon. Things are heating up faster than the article summary indicates
This is more important than you think.... Looking back to an earlier post, where the EULA was quoted, we have this:
THE VALIDITY, INTERPRETATION AND LEGAL EFFECT OF THIS EULA SHALL BE GOVERNED BY, AND CONSTRUED IN ACCORDANCE WITH, THE LAWS OF THE STATE OF NEW YORK APPLICABLE TO CONTRACTS ENTERED INTO AND PERFORMED ENTIRELY WITHIN THE STATE OF NEW YORK (WITHOUT GIVING EFFECT TO ANY CONFLICT OF LAW PRINCIPLES UNDER NEW YORK LAW). THE NEW YORK COURTS (STATE AND FEDERAL), SHALL HAVE SOLE JURISDICTION OF ANY CONTROVERSIES REGARDING THIS AGREEMENT; ANY ACTION OR OTHER PROCEEDING WHICH INVOLVES SUCH A CONTROVERSY SHALL BE BROUGHT IN THOSE COURTS IN NEW YORK COUNTY AND NOT ELSEWHERE.
So, as you can see, we here in New York have the ability to toast this thing.
At this point, because all of the legal boilerplate that Sony put in is in all caps, I am going to just blather on for a bit because Slashdot's fucking lameness filter kicked in. It really sucks that I can't get a legitimate post through. Really. I honestly had a solid point, but the lameness filter is, well, lame.
Re:I see stupid people. (Score:1, Interesting)
I remember that PC-Mag started publishing lists of copy protected games and non-copy protected games. It wasn't long after that, that there were no more copy protected games on diskette. I believe that was one of the reasons why the Original DOOM game was released as shareware.
Nathan
Re:Aim at foot, pull trigger (Score:3, Interesting)
Guess I'll get the next Nintendo Game Cube instead.
Oh, to be a lawyer (Score:5, Interesting)
Suppose you sign a contract with me in which for $100 I promise to fix things so your neighbors stop complaining about your dog barking at night. We agree in our contract that you will limit my liability from anything resulting from my attempts to stop Fido from barking to $50. I then drive up to your house and put a bullet through Fido's head.
Now, does any person reasonably believe that you authorized me to shoot your dog, even if it's the most convenient way to accomplish what I said I'd do? Does any person reasonably beleive that consumers authorized Sony to completely undermine the security of their systems?
Or how about this: I agreed to limit any damage due to my use of Sony's software, but my system crashed as a result of my placing a Deustche Grammaphone CD in the drive. That wasn't my use of Sony's software, that was Sony's use of Sony's software to check up on me. Or my system is compromised by a hacker. That wasn't my use of Sony's software, that was the hacker's use of Sony's software. And don't say I promised not to hold you responsible for negligence. This isn't negligence it's misrepresentation. This is not "YOUR USE OF ANY OF THE LICENSED MATERIALS"; nor is it "THIS EULA" (see point above).
Sony should just own up to the fact this was incredibly stupid and irresponsible rather than bulling ahead and piling up liability for itself. Even at $5.00 a CD, it's going to hurt when the hammer drops. They should offer to replace all existing CDs with this software and provide technical support for one year to users who are affected by it.
Re:I understand the first two... (Score:4, Interesting)
This, of course, leaves open the question of what happens if you DON'T have autorun on, or you decline the EULA and play the CD via other means.
Re:this sounds like a job for microsoft security (Score:3, Interesting)
Re:I understand the first two... (Score:5, Interesting)
I think it's foolish to let companies write (nearly) arbitrary contracts for public commerce. It's widely accepted that non-lawyers are unfit to interpret contracts (that why we make fun of people who ask legal questions on Slashdot), and yet the dozens of different contracts you can't go a day without consenting to are supposed to be binding. It's unworkable. I think everyday commerce with private individuals should be governed by a small, standardized set of contracts established by law. Then allow companies to select which they want for each product or service.
implementation? (Score:3, Interesting)
Well, that'd be a surefire way to get Microsoft to succeed in Japan :)
sony hits Macs too! (Score:4, Interesting)
A reader followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style "root kit" on their computers via audio CDs:
I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.
Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.
so, Mac users have been safe up 'til now......
A EULA is a Contract? (Score:3, Interesting)
Just curious.
Re:Two thoughts (Score:3, Interesting)
Dude, I used to be like you - only 5 years ago shifted. It was Tom was pissed that Napster users got kicked out for downloading their album tracks, and Zach did that and all.
Now, Tom is a fat sell-out on Audioslave and who knows where Zach is.
My point is how can you even trust someone whose music is being peddled by Sony? They're in the same list as Celine Dion and Van Zant.
Re:I understand the first two... (Score:3, Interesting)
Come to Germany, we've got something close to that.
The so-called AGB ("Allgemeine Geschäftsbedingungen", roughly meaning "general terms of doing business with us") are extremely common in Germany and regulate stuff like how to return stuff to claim warranty, how quickly to pay if you don't pay by cash or credit card, that the stuff remains property of the shop until paid in full, etc. etc.
It's usually 1-2 pages of legalese in small print. And it's put up somewhere in the shop, linked from the websites, etc.
But - that ain't the beauty. The beauty is that german courts have enforced a rule to forbid "surprising clauses". See, some companies tried to slip outrageous stuff in there, just the stuff you find in EULAs, or the like.
The courts have simply declared these clauses null and void. Anything that you wouldn't by common sense expect to find in the AGB is basically forbidden to be there.
Excellent measure. As a customer, I know I don't have to read the AGB unless I need to actually use them (i.e. return something, claim a refund, or check how long I can withhold payment before they want it back).
I didn't agree to the EULA if my wife plays a CD (Score:3, Interesting)
That is one point that I've never seen a good answer to: On PC's used by more than one person, there is only one person that "agreed" to the EULA.
How can the EULA be applied to the other users who may not even know that the EULA exists (let alone what is says)?
Anyone? Anyone? Bueller?
Re:By the way, here's another interesting tidbit.. (Score:5, Interesting)
http://news.com.com/Antivirus+firms+target+Sony+ro otkit/2100-1029_3-5942265.html?part=rss&tag=594226 5&subj=news [com.com]
Excerpts:
However, Computer Associates, which has a security division, said on Monday it had found further security risks in the Sony software and was releasing a tool to uninstall it directly.
According to Computer Associates, the Sony software makes itself a default media player on a computer after it is installed. The software then reports back the user's Internet address and identifies which CDs are played on that computer. Intentionally or not, the software also seems to damage a computer's ability to "rip" clean copies of MP3s from non-copy protected CDs, the security company said.
"It will effectively insert pseudo-random noise into a file so that it becomes less listenable," said Sam Curry, a Computer Associates vice president. "What's disturbing about this is the lack of notice, the lack of consent, and the lack of an easy removal tool."
So, not only is it spying on you, it even prevents you from making good copies of the CD's WITHOUT any DRM!!! The BALLS!
Re:I didn't agree to the EULA if my wife plays a C (Score:2, Interesting)
No, I'm not.
I think that your analogy is wrong. It's more like if my wife gets caught speeding in our (community property) car. I don't get a ticket. I don't agree to show up in court. She has to accept responsibility for her actions. I am not bound by any agreement that she makes (Like: "Yes, officer I'll slow down...").
That is closer to the EULA that she agrees to on our (community property) computer. I don't know if an agreement was offered/made. And I have no idea what the contents of the agreement is. How does any court figure that I'm bound to the EULA?
Re:I didn't agree to the EULA if my wife plays a C (Score:4, Interesting)