The Root of the Problem

Continued from page 1

Now government officials and watchdog groups are joining forces with consumers in legal actions against Sony. And potential judgments against the company could send a strong message to commercial software companies and the music industry: they are accountable for actions that violate personal privacy and damage property.

"Consumers have the right to expect to listen to music without companies spying on them," says Kurt Opsahl, staff attorney for the Electronic Frontier Foundation (EFF). At least six lawsuits have been filed over the spread of the XCP vulnerability, he says. The Attorney General in the state of Texas filed a complaint, claiming Sony violated the state's anti-spyware laws, and requested $100,000 in damages per violation. And civil complaints against Sony have been filed in California, New York, and the District of Columbia.

The EFF's class action suit, filed on November 21, asks Sony to launch a campaign to alert consumers that they may have installed software containing security vulnerabilities, according to Opsahl. Sony should also be required to stop distributing the MediaMax software, he says, that reports information about CDs being played on computers to SunnComm, the company that developed the software. Opsahl says even if consumers decline the end-user licensing agreement when the CDs is placed in their computers, MediaMax will be installed; the complaint also takes Sony to task for not including a utility for uninstalling MediaMax.

For its part, Sony has been slow in reacting. In response to mounting negative publicity, Sony has offered to exchange CDs with the XCP software for "clean" versions. The company also posted a utility for uninstalling the software -- but it included more vulnerabilities, and therefore was quickly removed from Sony's website.

Currently, the company's website offers a program that removes the rootkit vulnerability, but does not eradicate the software that sends user data to Sony's servers. According to a message posted there on November 15, the company is still developing an uninstall utility. Sony has also recalled the CDs from its retail music partner stores. The company did not return phone calls for this article.

According to Harvard law student Ben Edelma, Sony could automatically alert consumers who listened to the CDs while online. "When a CD's player checks in with Sony's Web servers, the Web servers have an opportunity to send the player a banner message for display within the player program," Edelman explained in an e-mail. "In this way, Sony could easily send users more information about the software they have (unwittingly) installed on their PCs. But so far Sony has refused to send such messages."

Dissatisfaction over Sony's response has prompted several efforts to boycott the companies products, as well as a stern warning to the music industry from Stewart Baker, assistant secretary for policy at the Department of Homeland Security, about being too aggressive in pursuing piracy.

Since the rootkit was discovered, however, "there hasn't been a noticeable impact on sales from [Sony]," according to Geoff Mayfield, senior analyst at music sales tracking firm Billboard. "I didn't see anything out of the ordinary in terms of an album's regular selling pattern."