FTC seeks public comment on Sony rootkit settlement

IDG News Service - Sony BMG Music Entertainment Music has agreed to settle charges with the Federal Trade Commission (FTC) related to the company's inclusion of problematic copy-protection software in music CDs, the FTC said Tuesday.

The proposed agreement, which FTC commissioners approved unanimously, will be open for public comment between Tuesday and March 1. Then the FTC will decide whether to make it final.

The copy-protection software Sony shipped with music CDs created security risks for users and monitored their listening behavior on their PCs without their permission, the FTC said.

The copy-protection software installed itself without users' consent, was complicated to uninstall and limited the devices a CD could be played in, as well as the number of copies that could be made, the FTC said.

The FTC had alleged Sony BMG had violated federal law by selling music CDs with this type of hidden software.

Sony BMG agreed to settle the charges without admitting that it broke any laws. "We're pleased to have reached this agreement with the FTC," Sony BMG said in a prepared statement. A spokesman declined to comment any further.

An outcry erupted over Sony BMG's inclusion of copy-protection software in music CDs in late 2005, when a security expert charged that the XCP (Extended Copy Protection) software used "rootkit" techniques, which are normally only used by hackers, to conceal itself on Windows systems.

Although Sony initially defended its use of the software, it eventually reversed its position, ceased production of XCP-enabled CDs and issued a recall for them after malicious "Trojan horse" programs were written to exploit the XCP code.

Also at issue was Sony's use of another copy-protection software called MediaMax, which also installed itself on PCs without permission and surreptitiously collected and transmitted information about users' activities. Sony didn't recall MediaMax CDs, but issued a patch to remove it. An earlier version of MediaMax offered copy protection but didn't create security risks nor monitored user activity.

In all, Sony shipped about 16 million music CDs containing either XCP or MediaMax software. First 4 Internet Ltd. made XCP, while MediaMax was created by SunnComm International Inc.

Under the proposed settlement, Sony BMG agrees to clearly disclose limitations on consumers' use of music CDs and to never install software on consumers' PCs without permission. The company also agreed to let consumers exchange the CDs in question until June 31, 2007, and reimburse consumers for up to $150 to repair damaged caused by the software to their PCs. Consumers will be able to exchange CDs with the software purchased before Dec. 31, 2006, for new CDs free of content-protection software.