An advocacy group has asked the Italian government to investigate whether Sony BMG Entertainment broke any of the country's laws when it included what has been called a form of spyware on some of its CD-ROMs.
The Milan-based Association for Freedom in Electronic Interactive Communications – Electronic Frontiers Italy (ALCEI-EFI) requested Monday that the Italian government's cybercrime investigation unit investigate Sony's reported use of a rootkit application to spy on the listening habits and shopping venues of software users.
"This is the preliminary phase of an action that means to arrive to a penal denunciation against" Sony, reads a translation of the complaint on the organization's website, adding that the company "had become responsible of illicit actions in."
Long Island, N.Y.-based Computer Associates, which is now classifying the unauthorized Sony download as spyware, warned this week that the application could cause the compromise of personal or corporate information. A 3MB patch Sony issued to remove the download also contained a broken uninstall feature that could cause PCs using Windows to crash, according to CA.
The software company also warned about the rootkit removal process on Sony's website, which forces users to reveal email addresses, musical tastes and where they bought the CD-ROM. The site has also attempted to install an ActiveX control designed to send out data to First4Internet, a British-based partner of Sony.
Sony has not issued a statement about the CD-ROM firestorm, but company officials had said in media reports that the technology was only used on about 20 CDs.
Sam Curry, CA's vice president of eTrust Security Management, said he did not know Italian privacy laws, but expected calls for an investigation.
"It doesn't surprise me that this is starting," he said. "I think you're going to see a wave of consumer advocacy."
Curry said his company received the patch software on Monday, after requesting it from Sony last Thursday. The patch removed the application, except for a cdproxyserver.exe file, according to Curry. Instructions for disabling the program are available at www.ca.com/securityadvisor/.