Sony BMG settles rootkit cases on the cheap
What is the penalty for selling spyware masquerading as Celine Dion, Susie Suh and Neil Diamond CDs to more than two million unsuspecting consumers? If you're Sony BMG, the world's second largest music label, the answer is a slap on the wrist. Oh, and a promise not to do it again.
As any outraged Celine Dion fan recalls, the whole problem started a year ago when, during the Christmas rush, Sony BMG began issuing copy-proof CDs with a piece of technology commonly referred to as a rootkit, a piece of code favoured by malware writers who want to spy on a computer user stealthily. Rootkits are handy if you want to know what types of files a person is downloading, or, in particularly nasty cases, if you want personal details such as credit card info or anything stored on the computer. In its zeal to prevent consumers from copying CDs, Sony BMG went to the extreme measure of using two types of software – XCP and MediaMax – that also function as rootkit baddies. Making matters worse, Sony BMG never notified the consumer. Cue the attorneys.
Fast-forward to this week. The first two state settlements have come down in California and Texas. In each state, Sony must pay fines of $750,000 (£385,000) and pay $175 (£90) to each consumer who can demonstrate damages. More state suits are pending, but in the history of damaging product recalls, this case is proving to be nothing more than a mild distraction for the music giant.
Also, it must be noted that in the settlement Sony BMG is not admitting wrongdoing. While the technology would make it very easy for a company to spy on its customers' computing and web surfing habits, Sony BMG insists it would never do such a thing. To wit, the company says, "SONY BMG has not used the MediaMax or XCP Software, or any enhanced content on XCP CDs or MediaMax CDs, to collect, aggregate, or retain personal data about individuals who listened to XCP CDs or MediaMax CDs on computers, without such person’s express consent."
There is a lesson here, dear consumer. Be wary of that next Celine Dion CD.

As I understand it, in both the USA and the UK, it is illegal to access any computer system without the owner's permission. If Sony has broken the law by depositing spy software on music lovers' PCs, why have the governments in these countries not taken Sony to task and applied the law as vigorously as they do to those defendants accessing defense and Nasa computer systems?
Or is there one law for the people and one for commercial companies with the bucks to tie courts up for years?
Posted by: James Hendry | Dec 30, 2006 9:37:53 PM