New York Joins Nationwide Settlement With Sony BMG Over Hidden Files

Attorney General Spitzer today announced that New York and 39 other states have reached a settlement with Sony BMG over the distribution of hidden anti-copying software programs through audio CDs.

According to legal papers, Sony BMG installed digital rights management (DRM) programs which:

  • Were not clearly disclosed to consumers, and significantly limited consumers’ use of the music contained on the CDs;

  • Altered computer operating systems to make the programs undetectable, leaving consumers’ computers vulnerable to attacks by malicious hackers; and

  • Contributed to computer malfunctions and, at times, left the CD-ROM drives of some computers inoperable when consumers tried to remove the hidden software.

In resolving the investigations, Sony BMG agreed to pay a total of $4.25 million to the settling states, including approximately $315,000 to New York. As part of the settlement, Sony BMG also agreed to provide restitution to consumers whose computers were damaged by its DRM software. Just one year ago, Sony BMG had agreed with the New York Attorney General’s office to recall its CDs with DRM software and to offer consumers refunds or exchanges for previously purchased CDs.

Prior to the December 2005 recall, Sony BMG had distributed over 12 million audio CDs containing deceptive DRM software. One program, called XCP, utilized "rootkit" technology to fundamentally alter the computer operating system in order to hide the DRM software from the consumer. This rootkit subsequently left the consumer’s computer vulnerable to third-party exploits designed by hackers to take advantage of the security hole created by Sony BMG’s software.

Another DRM program, called MediaMax, allowed subsequent users of the computer unauthorized access and the opportunity to run malicious software programs.

Both DRM programs were installed without clear and conspicuous notice to, or consent from, consumers.

As part of the settlement, Sony BMG also agreed to provide refunds of up to $175 to all consumers who experienced harm to their computers when they sought to remove the DRM software. Refund claims should be submitted to Sony BMG within 180 days through a claims process which Sony BMG will publicize on its website.

Under the terms of the settlement, Sony BMG has agreed that any future DRM software must not make consumers’ computers vulnerable to outside attack, and must be clearly and conspicuously disclosed to consumers prior to purchase, to allow consumers to make an informed choice as to whether to purchase music CDs with certain use limitations.

Joining New York in today’s settlement are: Alabama, Alaska, Arizona, Arkansas, Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Iowa, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Mississippi, Montana, Nebraska, Nevada, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Dakota, Tennessee, Vermont, Virginia, Washington, West Virginia, Wisconsin and Wyoming, along with the Attorney General for the District of Columbia.

This case was handled for New York by Assistant Attorney General Justin Brookman with assistance from Investigator Vanessa Ip, under the direction of Jane Azia, Assistant Attorney General in Charge of the Internet Bureau.