Complain about a product or service

Texas Sues Sony for Violating Spyware Law

By Martin H. Bosworth
ConsumerAffairs.com

April 8, 2005

Sony • Sony: Dust Voids PlayStation 3 Warranty • Sony BMG Settles FTC "Rootkit" Charges • Sony BMG Settles Root-Kit Suits for $4.25 Million •: Sony BMG Settles California Case • PlayStation 3 Takes the Field • PlayStation 3 Brings Big Bucks on eBay • Court Approves Sony BMG CD Settlement • Sony Reaches Tentative Settlement in Spyware Cases • New Charges Against Sony's Use of Stealth Software • New York Joins Sony CD Investigation • Recalled Sony CDs Still On Sale • Consumer Group Sues Sony BMG • Texas Sues Sony for Violating Spyware Law • Sony Withdraws CDs With Copy-Protection Software • Sony Slammed for Hidden CD Software • Sony Loses Playstation Suit • Digital Camera Buyers Give Kodak, Sony High Marks • Sony Agrees to Stop Payola Payments to Radio Stations • Sony Playstation 2 Defective, Class Action Charges --- Complaints • Playstation 2 • Playstation 1 • Cameras, Camcorders • Computers • Computer Monitors • Computer Rebates • Home Electronics Rebates • TVs • WebTV

Sony BMG's bad few weeks are turning into a bad month, as the state of Texas filed suit against the corporation for violating the state's new laws against spyware.

The suit stems from Sony's use of a copy-protection software "rootkit" that installs hidden files on a user's computer, which can cripple it and leave it vulnerable to outside attacks.

In a press conference announcing the suit, Texas Attorney General Greg Abbott accused Sony of "acting illegally" in hiding secret files on computers, and engaging in a "high-tech cloak and dagger" enterprise.

"This would be the most outrageous form of invasion of privacy…that the new spyware act was created to prevent," Abbott said.

Although Sony has publicly stated that it is recalling all CD's that contain the copy-protection software, the Attorney General's investigators claim to have found CD's containing the software at retail stores throughout the Austin area.

In addition to the Texas lawsuit, private attorneys are investigating the possibility of a class action lawsuit against Sony for violating California's spyware-prevention laws as well.

The Association for Freedom in Electronic Interactive Communications-Electronic Frontiers Italy (ALCEI-EFI), a Milan, Italy-based digital rights advocacy group, filed a complaint with Italy's cybercrime authorities over Sony's usage of the software. The investigation may lead to criminal charges being filed against Sony.

The complaint, issued on Nov. 4, states that "It is…unacceptable that any products containing invasive software are sold, especially when its presence is not properly disclosed and notified to the users. Furthermore, it is unacceptable that, after committing such serious offenses, anyone can believe that 'releasing a patch' can be enough to relieve the offender's responsibility."

Patch Criticized

The "patch" Sony issued to users has come under intense criticism as well. The "patch" does not actually remove the rootkit from an affected computer, but merely renders it visible to the user.

The patch itself was found to open an even bigger security hole, thanks to a flaw that enables an outside attacker to command the "patched" machine to download any code desired to the user's hard drive.

Several computer security analysts advised against downloading Sony's Web-based uninstaller until a suitable version was released, or to use alternate methods of removing the copy-protection software.

As if that weren't enough, the rootkit was found to contain elements identical to "LAME," an open-source software MP3 encoder. First4Internet, the British company that created the rootkit for use on Sony CD's, was alleged to have used the LAME code without indicating its origin or sharing their alterations to the code.

In other words, software designed to prevent copyright infringement was itself being used in violation of copyright.

Sony's recall encompasses approximately 5 million CD's that contain the rootkit. Although the number of affected computers is still unknown, security expert Bruce Schneier has said it may be as many as "half a million."

Schneier criticized computer security companies such as McAfee and Symantec for not responding quickly enough to provide tools for detecting and removing the rootkit.

"What happens when the creators of malware collude with the very companies we hire to protect us from that malware?" he said. "We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything."

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.