Sony BMG settles with FTC

Sony BMG Entertainment has settled with the Federal Trade Commission (FTC) over charges that the entertainment giant violated federal law when it surreptitiously installed digital rights management software on CDs last year.

Under the agreement, Sony BMG must exchange CDs containing the rootkit-like technology through June 31 and must compensate affected consumers up to $150 to repair computer damage that may have occurred when trying to remove the software, according to an FTC news release.

The FTC said the software, designed to prevent users from copying music, posed a security risk.

"Installations of secret software that create security risks are intrusive and unlawful," FTC Chairwoman Deborah Platt Majoras said. "Consumers’ computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content."

"Not only did (the software) allow Sony's code to hide, it also created space for other malicious software to hide," Edward Felten, a Princeton University professor of computer science and public affairs, told SC Magazine for its December issue.

He and a graduate student specifically studied the two rootkit uninstallers Sony offered as a solution.

"They both installed an ActiveX control that could be invoked by a webpage," Felten said. "It could be told by any page on the web to download code. Any webpage could install whatever software. It was about as serious as a vulnerability could be."

In December, Sony BMG agreed to pay $4.25 million in a settlement with 39 states, agreeing to reimburse end users whose PCs were damaged when trying to uninstall the rootkit-like technology. In addition, Sony said it will no longer distribute CDs containing copyright protection that is difficult for users to locate or remove.

On its website, Sony BMG lists "CD Copy Protection Principles" that state its record labels "are not currently releasing to the public any music CDs that limit copying of the music through software that installs from the CD to the computer. We have no current plans to do so."

The company said in a statement that it was "pleased" to settle with the FTC.

Reporter: Dan Kaplan.