
California Class Action Suit Sony Over Rootkit DRM

carre4 writes "Lawyers in California have filed a class-action lawsuit against Sony and a second one may be filed today in New York. The lawsuit was filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, CA attorney Alan Himmelfarb. It asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them. The suit alleges that Sony's software violates at least three California statutes, including the "Consumer Legal Remedies Act," which governs unfair and/or deceptive trade acts; and the "Consumer Protection against Computer Spyware Act," which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law, which allows public prosecutors and private citizens to file lawsuits to protect businesses and consumers from unfair business practices. EFF has released a list of rootkit affected CD's and Slashdot user xtracto also has a list."

  • by Hitto ( 913085 ) on Thursday November 10, 2005 @09:11AM (#13996792)
    Before this gets /.ed, here's the text.
    Quoth the EFF :
    Now the Legalese Rootkit: Sony-BMG's EULA
    November 09, 2005

    If you thought XCP "rootkit" copy-protection on Sony-BMG CDs was bad, perhaps you'd better read the 3,000 word (!) end-user license agreement (aka "EULA") that comes with all these CDs.

    First, a baseline. When you buy a regular CD, you own it. You do not "license" it. You own it outright. You're allowed to do anything with it you like, so long as you don't violate one of the exclusive rights reserved to the copyright owner. So you can play the CD at your next dinner party (copyright owners get no rights over private performances), you can loan it to a friend (thanks to the "first sale" doctrine), or make a copy for use on your iPod (thanks to "fair use"). Every use that falls outside the limited exclusive rights of the copyright owner belongs to you, the owner of the CD.

    Now compare that baseline with the world according to the Sony-BMG EULA, which applies to any digital copies you make of the music on the CD:

    1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

    2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

    3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

    4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

    5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

    6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

    7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

    8. You have no right to transfer the music on your computer, even along with the original CD.

    9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or making derivative works from the music on your computer.

    So this is what Sony-BMG thinks we should be allowed to do with the music on the CDs that we purchase from them? No word yet about whether Sony-BMG will be offering a "patch" for this legalese rootkit. I'm not holding my breath.
    Posted by Fred von Lohmann at 12:24 PM | Permalink | Technorati

    Endquote. It's interesting to see just how far Sony will go to alienate the tech-savvy user base. It's been a few years since I religiously started forbidding people to buy Sony products, because I wouldn't be assed to "fix my vaio, please" or to "take a look at my LCD screen, there are, like black dots and stuff on it", but my brother-in-law still got himself a Sony DAP.

    The first thing I thought was, "Wow! The salesman actually managed to sell him something that isn't an iPod.", but come on. What's you /.er's take on this vast DRM-wing conspiracy?
  • by BushCheney08 ( 917605 ) on Thursday November 10, 2005 @09:11AM (#13996794)
    I know that Sony's actions here will make me think twice about buying a Vaio. I'm getting ready to buy a new laptop, and Sony does have some decent ones out there. However, I have no way of knowing that they're not gonna install this crap on the machine at the factory. Well done Sony. The actions of one arm are negatively affecting sales of another...
  • More from Mark (Score:5, Interesting)

    by Spad ( 470073 ) <slashdot AT spad DOT co DOT uk> on Thursday November 10, 2005 @09:12AM (#13996795) Homepage
    Looks like Sony aren't making it easy to get rid of their rootkit.

    Most Spyware has fewer hoops to jump through to uninstall it.
  • Serves them right (Score:5, Interesting)

    by Nerdposeur ( 910128 ) on Thursday November 10, 2005 @09:13AM (#13996801) Journal
    I'm not sure how Sony arrived at the decision to take over people's computers, but I can't see the morality of it. "People are stealing from us, so let's damage their property."

    In meatspace, this would be called "vigilante justice," but I'm not sure that large corporations qualify for that label.
  • Cashing in. (Score:1, Interesting)

    by ivan kk ( 917820 ) on Thursday November 10, 2005 @09:17AM (#13996819)
    It'd be interesting if people, after hearing of these lawsuits, proceeded to buy a copy of the CDs only to cash in on the lawsuits.
  • by RoboProg ( 515959 ) on Thursday November 10, 2005 @09:26AM (#13996854) Homepage
    Never mind: I see one of the other posters has kindly provided the EULA, which says I can't listen to (what otherwise would have been) my music at work anyway.

    Problem "solved"

    Caveat emptor! (read label, avoid zombie un-CDs)
  • by swissfondue ( 819240 ) <swissfondue@gmai[ ]om ['l.c' in gap]> on Thursday November 10, 2005 @09:31AM (#13996879)
    As linked through other Slashdot posts, the ALCEI (the Italian Electronic Frontiers organization) has a different tactic. They refer to F-Secure in order to sue Sony for propagating a virus named "XCP DRM Software".

    This opens another plan of attack which I think will have more chance of succeeding (at least for public mind-share. I can't judge the legal value of the argument).

  • by Jarnis ( 266190 ) on Thursday November 10, 2005 @09:42AM (#13996943)
    Problem: There is absolutely no way to prevent a computer from ripping audio CD tracks without interfering with the abilities/programs of the computer.

    Red Book audio tracks have a certain format. Said format supports no copy protections/DRM/whatever crap.

    This format is easily readable by gazillions of CD ripping programs. Unless you create a new format that does not play on normal audio CD players (not gonna happen), there is absolutely no way to prevent this.

    So, essentially, if you disable Windows autorun, you are immune to all 'copyprotections' and 'DRM' on CD:s. Some 'add errors to audio' things might need a specialized program, but they are going out of fashion as those CDs do not play in a great number of audio CD players.

    DVD audio is protected, but the masses are not biting. I wonder why...

    Sony etc. cannot possibly 'win' this battle, unless they can legislate a protection for their practice of hosing people's computers. DMCA pretty much does that, but this time their nice 'DRM' went a few miles too far and ran into a few other things that are in the law books, and now Sony is going to get so thoroughly PWNED by this (I *pray* this class action lawyer won't settle, I want Sony to be convicted), that they'll hopefully remember it in the future when devising braindead schemes to 'protect' CDs that are, by definition, impossible to 'protect' from copying (another word for 'playing')
  • Two thoughts (Score:3, Interesting)

    by BigPoppaT ( 842802 ) on Thursday November 10, 2005 @09:45AM (#13996961) Homepage
    1) In organizations where security/privacy is mandated (due to HIPAA, SOX, and other legislation) I expect the ISOs (Information Security Officers) will begin prohibiting the use of audio CDs in PCs. This will probably help Sony's competitor Apple more than it will help Sony, because it will drive iPod sales.

    2) Here's a link where you can communicate to Sony how you feel about the rootkit situation. I used this link to send the following to Sony:
    I want you to know that I will never purchase any Sony product again until: a) the VP who approved your rootkit is fired; and b) Sony promises not to do anything like this again. I have never pirated a CD, and I use Linux (so this rootkit would not affect me), but you have effectively declared war on your customers. So, I will refuse to be one of your customers from now on. I am giving you this feedback because I wanted you to know why I am boycotting you. I believe that Sony should be accountable for its actions.
    I didn't submit this anonymously. Here is the email reply they sent me (pretty much a form letter):
    Thanks for visiting Sony Music Online and for your feedback. We appreciate (and encourage) all suggestions and comments. As you can imagine, we receive quite a few email messages every day. While we would like to respond to each of them individually, we often do not have the time and resources to do so. Be assured that I will pass your comments on to the parties most responsible for dealing with them. Have you checked out our FAQ page? Perhaps you will be able to find the answer to your questions there: [] Thanks again for your note and the time spent on Sony Music Online.
    The most helpful thing about the faq was seeing which record labels are Sony. Unfortunately, Columbia Records is one of them - so I won't be buying the new System of A Down album when it comes out in a couple of weeks. That hurts, but in good conscience I just can't do business with Sony. If people buy Sony products in spite of this, Sony wins. So, no System CD for me, no PS3 for you gamers, no Vaio for you Mac-wannabes, etc. Don't just complain - let them know why you're boycotting, then actually do it.
  • by onkl ( 930010 ) on Thursday November 10, 2005 @09:45AM (#13996962)
    In Dutch newslogs, it is mentioned now that the rootkit is using parts of the (LGPL) LAME-encoder. So, should their rootkit be open-source then? "Script kiddies unite, fight for your source code rights" I'd fear. Below some babelfished Dutch. (from Thursday 10 November 2005, 09.59 - the spyware which Sony on the computers of muziekfans install do not seem not only technical, but even also copyright in the hook. In the rootkit pieces code appear sit which is identical to LAME, open source mp3-encoder. The licentie is exceeded. Concerning software exercises the copyright with the so-called Lesser Gnu Public License (LGPL). According to this licentie Sony must satisfy requirements to a number of. Thus they must tell that they use software in a copyright notice. Also the company the source code of open-sourcelibraries must provide or available to make. Finally the tussenvorm between must make source code and feasible code, the so-calledobject traffic-jams, meeleveren or available, with which others can make similar software. Sony have only satisfied to none of these requirements, but provide a feasible programme. A computer expert, of whom the name is confessed at the redactie, discovered that on the cd Get Right With The man of Van Zant strings from the library version.c of Lame sits. This is make up from the string: "", "0.90", "LAME3.95", "3.95", "3.95". But the expert has more proof. This way there so-called array largetbl sit at a place in the programme go.exe. This is a part that is used in the module tables.c of libmp3lame. The discovery is possible far-reaching consequences has on the muziekgigant, which themselves claim only protect the copyrights. Rather judges in Germany forced several companies already make the source code public and the required spullen for compiling to provide. Also it is possible claim damageses. 
    Meanwhile details also other become clearly and this way complain the Electronic frontier foundation which the spyware make also legal listening music on iPods impossible. The organisation is busy with a list of cd's which publishes hidden programmatuur meeleveren to make and these on the Internet site. Wouter Rutten of the NVPI emphasise that the commotie for Dutch a ' meaningless tale ' is because the aware cd's are only in the United States and in Mexico available. The organisation offers information on the beveiliging of First 4 Internet to by means of the site, however. Several phone calls to SonyBMG continued call back in spite of promises to unanswered.
  • by Anonymous Coward on Thursday November 10, 2005 @09:46AM (#13996970)
    According to this article (Dutch) on the CD Get Right With The Man of Van Zant there are strings from the library version.c of Lame. The following strings are found: "", "0.90", "LAME3.95", "3.95", "3.95 ".

    Also in the program go.exe there is an array called "largetbl", which is part of tables.c of libmp3lame. Can anyone confirm these findings?

    LAME is licenced under the LGPL. Could this mean more trouble for Sony because of a license violation?
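The kind of check asked for in the comment above, as an added example that is not part of the original thread and not code from any project named in it: extract printable strings from a binary the way `strings` does, keep only exact matches for the version.c markers quoted in the comment, and rate the evidence by whether the markers sit together. The function names, the 64-byte clustering window and the verdict thresholds are assumptions of this example, and the sample bytes are constructed, not taken from any Sony or XCP file.

```python
import re

# Strings the comment above reports as coming from LAME's version.c.
# The empty string in that list cannot be searched for and is left out.
LAME_MARKERS = (b"0.90", b"LAME3.95", b"3.95", b"3.95 ")


def extract_strings(data, min_len=4):
    """Return (offset, run) for every printable-ASCII run, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(data)]


def marker_hits(data, markers=LAME_MARKERS):
    """Keep runs that equal a marker exactly.

    Whole-run matching means '3.95' inside a longer string such as a
    price label is not counted as a library version string.
    """
    wanted = set(markers)
    return [(off, run) for off, run in extract_strings(data) if run in wanted]


def cluster_hits(hits, window=64):
    """Group hits that start within `window` bytes of the previous hit.

    Heuristic (assumption): literals from one source file usually end up
    next to each other in a binary's read-only data.
    """
    clusters = []
    for off, run in hits:
        if clusters and off - clusters[-1][-1][0] <= window:
            clusters[-1].append((off, run))
        else:
            clusters.append([(off, run)])
    return clusters


def assess(data, window=64):
    """Rate the evidence that the version.c strings are embedded in `data`."""
    hits = marker_hits(data)
    clusters = cluster_hits(hits, window)
    best = max(clusters, key=lambda c: len({r for _, r in c}), default=[])
    distinct = {run for _, run in best}
    if b"LAME3.95" in distinct and len(distinct) >= 3:
        verdict = "strong"   # named marker plus neighbours in one cluster
    elif hits:
        verdict = "weak"     # isolated short strings prove very little
    else:
        verdict = "none"
    return {"verdict": verdict, "hits": hits, "best_cluster": best}


# Constructed sample: filler bytes, then the four markers as adjacent
# NUL-terminated literals, then an unrelated string containing "3.95".
SAMPLE_WITH_LIB = (
    b"MZ" + b"\x90" * 200 + b"\x00"
    + b"\x00".join([b"0.90", b"LAME3.95", b"3.95", b"3.95 "]) + b"\x00"
    + b"\x00" * 50 + b"Total: 3.95 USD\x00"
)

# Constructed decoy: only a lone "3.95" far from anything else.
SAMPLE_DECOY = (
    b"MZ" + b"\x00" * 100 + b"Total: 3.95 USD\x00" + b"\x00" * 300 + b"3.95\x00"
)

if __name__ == "__main__":
    for name, blob in (("with_lib", SAMPLE_WITH_LIB), ("decoy", SAMPLE_DECOY)):
        result = assess(blob)
        print(name, result["verdict"], [(o, r.decode()) for o, r in result["hits"]])
```

A "strong" verdict only says the strings are present together; whether that amounts to linking the library, and what the LGPL then requires, still needs a look at the surrounding code and data.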
  • by xtracto ( 837672 ) on Thursday November 10, 2005 @09:50AM (#13996995) Journal
    Sure, you may think that music is really crapastic, but the reality is that those artists are the ones that get into the Billboard 10 and get the platinum, titanium, uranium etc prizes for disc selling.

    Of course, one could argue that people who know how to actually copy CD's are the ones that do not listen to that music (i.e. the not average J6Pack). But, some of them use their knowledge to pirate & sell the illegal copies. I presume (*I hope*) those are the persons which Sony was aiming at when applying this (or any other) kind of DRM security.

    Now, they really messed it when they blocked the ability to copy the music to the iPod since it is one 100% legit use of a ripper/mp3-encoder (Kudos go to Apple on this) and it is very, very, VERY widespread.

    I would really love to see some of these lawsuits continue until a nice end. I hope this serves as the spark that was needed to show the USA people how invaded your privacy is. And how your government has taken your rights and introduced them into i-dont-tell-you-where.

    As some other slashdotter said before, USA citizens are lazy, they won't be pissed off about something until it trespasses their "laziness-level", the cable-with-advertisements, the game-consoles-without-chips, the DMCA, etc etc...

    I have been monitoring this Sony matter for some days, and I am glad to see it has escalated in the SciTech Google news section, from an obscure search "intitle:Sony intitle:DRM" to a 3rd place in the list (just surpassed by bill gates self-leaked memo and some other digital election thing).

    If the correct people (we) make things correctly, this could be that spark that we needed to shake those lazy sixpackers that are staring at the TV or at
  • by Phreakiture ( 547094 ) on Thursday November 10, 2005 @10:04AM (#13997070) Homepage

    Second, a New York law firm will be next to join the bandwagon. Things are heating up faster than the article summary indicates

    This is more important than you think.... Looking back to an earlier post, where the EULA was quoted, we have this:


    So, as you can see, we here in New York have the ability to toast this thing.

    At this point, because all of the legal boilerplate that Sony put in is in all caps, I am going to just blather on for a bit because Slashdot's fucking lameness filter kicked in. It really sucks that I can't get a legitimate post through. Really. I honestly had a solid point, but the lameness filter is, well, lame.

  • by Anonymous Coward on Thursday November 10, 2005 @10:13AM (#13997122)
    I don't know if many people here are old enough to remember computer games on floppy diskettes, but similar things happened back in the mid 1980's. I even remember a couple of articles by John Dvorak stating that copy protected floppy diskettes should end.

    I remember that PC-Mag started publishing lists of copy protected games and non-copy protected games. It wasn't long after that, that there were no more copy protected games on diskette. I believe that was one of the reasons why the Original DOOM game was released as shareware.

  • by doublem ( 118724 ) on Thursday November 10, 2005 @10:22AM (#13997180) Homepage Journal
    Well, there go my plans to buy a PlayStation 3.

    Guess I'll get the next Nintendo Game Cube instead.
  • Oh, to be a lawyer (Score:5, Interesting)

    by hey! ( 33014 ) on Thursday November 10, 2005 @10:50AM (#13997485) Homepage Journal
    IANAL, but I would love to be the one kicking the shit out of this EULA.

    Suppose you sign a contract with me in which for $100 I promise to fix things so your neighbors stop complaining about your dog barking at night. We agree in our contract that you will limit my liability from anything resulting from my attempts to stop Fido from barking to $50. I then drive up to your house and put a bullet through Fido's head.

    Now, does any person reasonably believe that you authorized me to shoot your dog, even if it's the most convenient way to accomplish what I said I'd do? Does any person reasonably believe that consumers authorized Sony to completely undermine the security of their systems?

    Or how about this: I agreed to limit any damage due to my use of Sony's software, but my system crashed as a result of my placing a Deutsche Grammophon CD in the drive. That wasn't my use of Sony's software, that was Sony's use of Sony's software to check up on me. Or my system is compromised by a hacker. That wasn't my use of Sony's software, that was the hacker's use of Sony's software. And don't say I promised not to hold you responsible for negligence. This isn't negligence, it's misrepresentation. This is not "YOUR USE OF ANY OF THE LICENSED MATERIALS"; nor is it "THIS EULA" (see point above).

    Sony should just own up to the fact this was incredibly stupid and irresponsible rather than bulling ahead and piling up liability for itself. Even at $5.00 a CD, it's going to hurt when the hammer drops. They should offer to replace all existing CDs with this software and provide technical support for one year to users who are affected by it.
  • by Drachemorder ( 549870 ) <brandon@cCOMMAhr ... .org minus punct> on Thursday November 10, 2005 @10:53AM (#13997512) Homepage
    If you have autorun on, the EULA pops up when you insert the CD. If you agree to it, the rootkit gets installed (along with all the other Sony audio player stuff and what not).

    This, of course, leaves open the question of what happens if you DON'T have autorun on, or you decline the EULA and play the CD via other means.

  • by Grave ( 8234 ) <(awalbert88) (at) (> on Thursday November 10, 2005 @11:19AM (#13997783)
    I disagree. I think Microsoft would love nothing more than to issue a patch removing something from Sony. The amount of PR and publicity this would create two weeks before launching a product that directly competes with Sony's only real moneymaker would be worth far more than costs of a possible lawsuit that Sony might attempt to launch against them (which would get thrown out anyway).
  • by timeOday ( 582209 ) on Thursday November 10, 2005 @11:23AM (#13997822)
    That's right kids, you can't get away with murder simply by granting yourself the right to do so in some fine print legalese.

    I think it's foolish to let companies write (nearly) arbitrary contracts for public commerce. It's widely accepted that non-lawyers are unfit to interpret contracts (that's why we make fun of people who ask legal questions on Slashdot), and yet the dozens of different contracts you can't go a day without consenting to are supposed to be binding. It's unworkable. I think everyday commerce with private individuals should be governed by a small, standardized set of contracts established by law. Then allow companies to select which they want for each product or service.

  • implementation? (Score:3, Interesting)

    by Ender Ryan ( 79406 ) on Thursday November 10, 2005 @11:40AM (#13997974) Journal
    I just cannot see Sony actually implementing this nonsense. I can't even imagine how many people would be turned away by that.

    Well, that'd be a surefire way to get Microsoft to succeed in Japan :)

  • sony hits Macs too! (Score:4, Interesting)

    by Anonymous Coward on Thursday November 10, 2005 @11:57AM (#13998144)
    From Macintouch today:

    A reader followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style "root kit" on their computers via audio CDs:

    I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.
        Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.

    so, Mac users have been safe up 'til now......

  • by computer_redneck ( 622060 ) on Thursday November 10, 2005 @12:28PM (#13998411)
    If this is so, isn't the law of the US that Children under 18 are not legally bound or able to enter into a contract with anyone without permission of the parent? If this is so and a EULA is a Contract then technically doesn't that mean that anyone under the age of 18 in the US is not bound by the EULA?

    Just curious.

  • Re:Two thoughts (Score:3, Interesting)

    by mochan_s ( 536939 ) on Thursday November 10, 2005 @12:43PM (#13998559)

    Dude, I used to be like you - only 5 years ago shifted. It was Tom was pissed that Napster users got kicked out for downloading their album tracks, and Zach did that and all.

    Now, Tom is a fat sell-out on Audioslave and who knows where Zach is.

    My point is how can you even trust someone whose music is being peddled by Sony? They're in the same list as Celine Dion and Van Zant.

  • by Tom ( 822 ) on Thursday November 10, 2005 @12:55PM (#13998684) Homepage Journal
    I think everyday commerce with private individuals should be governed by a small, standardized set of contracts established by law.

    Come to Germany, we've got something close to that.

    The so-called AGB ("Allgemeine Geschäftsbedingungen", roughly meaning "general terms of doing business with us") are extremely common in Germany and regulate stuff like how to return stuff to claim warranty, how quickly to pay if you don't pay by cash or credit card, that the stuff remains property of the shop until paid in full, etc. etc.
    It's usually 1-2 pages of legalese in small print. And it's put up somewhere in the shop, linked from the websites, etc.

    But - that ain't the beauty. The beauty is that German courts have enforced a rule to forbid "surprising clauses". See, some companies tried to slip outrageous stuff in there, just the stuff you find in EULAs, or the like.
    The courts have simply declared these clauses null and void. Anything that you wouldn't by common sense expect to find in the AGB is basically forbidden to be there.

    Excellent measure. As a customer, I know I don't have to read the AGB unless I need to actually use them (i.e. return something, claim a refund, or check how long I can withhold payment before they want it back).

  • by vinn01 ( 178295 ) on Thursday November 10, 2005 @02:06PM (#13999505)
    My wife might have played one of these Sony CDs on our computer. I didn't agree to the Sony EULA. But I'm the one who will have to spend my time cleaning up Sony's mess.

    That is one point that I've never seen a good answer to: On PC's used by more than one person, there is only one person that "agreed" to the EULA.

    How can the EULA be applied to the other users who may not even know that the EULA exists (let alone what it says)?

    Anyone? Anyone? Bueller?
  • by SeattleGameboy ( 641456 ) on Thursday November 10, 2005 @03:19PM (#14000387) Journal
    It is even worse than that. otkit/2100-1029_3-5942265.html?part=rss&tag=594226 5&subj=news


    However, Computer Associates, which has a security division, said on Monday it had found further security risks in the Sony software and was releasing a tool to uninstall it directly.

    According to Computer Associates, the Sony software makes itself a default media player on a computer after it is installed. The software then reports back the user's Internet address and identifies which CDs are played on that computer. Intentionally or not, the software also seems to damage a computer's ability to "rip" clean copies of MP3s from non-copy protected CDs, the security company said.

    "It will effectively insert pseudo-random noise into a file so that it becomes less listenable," said Sam Curry, a Computer Associates vice president. "What's disturbing about this is the lack of notice, the lack of consent, and the lack of an easy removal tool."

    So, not only is it spying on you, it even prevents you from making good copies of the CD's WITHOUT any DRM!!! The BALLS!

  • by vinn01 ( 178295 ) on Thursday November 10, 2005 @03:38PM (#14000582)
    are accepting responsibility for their actions.

    No, I'm not.

    I think that your analogy is wrong. It's more like if my wife gets caught speeding in our (community property) car. I don't get a ticket. I don't agree to show up in court. She has to accept responsibility for her actions. I am not bound by any agreement that she makes (Like: "Yes, officer I'll slow down...").

    That is closer to the EULA that she agrees to on our (community property) computer. I don't know if an agreement was offered/made. And I have no idea what the contents of the agreement are. How does any court figure that I'm bound to the EULA?

  • by WhiteKnight07 ( 521975 ) on Thursday November 10, 2005 @05:19PM (#14001802)
    I've got an interesting question. Since these are music CDs it stands to reason that a good portion of them will be purchased by minors (people under 18). Since minors can't legally agree to a contract or other legally binding agreement, is the EULA enforceable if a minor buys the CD, puts it in their computer, and unknowingly hits "I agree."? Is the EULA simply not enforceable or are they technically not allowed to play the CD by virtue of not being able to agree to the license?
