Sony BMG Music Entertainment’s troubles over anti-piracy technology on music CDs deepened Monday as Texas’ attorney general and a California-based digital rights group said they were suing the music company under new state anti-spyware laws.
The Texas lawsuit said the so-called XCP technology that Sony BMG had quietly included on more than 50 CD titles leaves computers vulnerable to hackers. Sony BMG had added the technology to restrict to three the number of times a single disc could be copied, but agreed to recall the discs last week after a storm of criticism.
The Electronic Frontier Foundation said Sony BMG needs to further publicize the recall and compensate consumers for costs associated with removing the software, an onerous process. It filed its suit Monday evening in California Superior Court in Los Angeles.
When XCP-enabled discs are loaded into a computer — a necessary step for transferring music to Apple Computer Inc.’s iPods and other portable music players — the CD installs a program that restricts copying and makes it extremely inconvenient to transfer songs into the format used by iPods. Critics say consumers aren’t adequately told what the program actually does.
Security researchers say XCP is spyware because it secretly transmits details about what music the PC is playing. Manual attempts to remove the software, which works only on Windows PCs, can disable the PC’s optical drive.
Texas Attorney General Greg Abbott accused Sony BMG of surreptitiously installing spyware because XCP masks files that it installs. This “cloaking” component can leave computers vulnerable to viruses and other security problems, Abbott said, echoing the findings of computer security researchers.
“People buy these CDs to listen to music,” Abbott said. “What they don’t bargain for is the computer invasion that is unleashed by Sony BMG.”
Sony executives have rejected the description of their technology as spyware. Officials for the New York-based label would not comment Monday, saying the company does not discuss pending litigation.
The Texas spyware law allows the state to recover damages of up to $100,000 in damages for each violation. Abbott said there were thousands of violations, and that any money would go to the state.
The California law under which the EFF sued bans collecting personally identifiable information through deceptive means and lets consumers can sue for damages.
The EFF also invoked state laws on consumer protection and unfair business practices.
Cindy Cohn, the EFF’s legal director, said Sony BMG should announce the recall using the same marketing tactics they had used to sell CDs, including advertising and radio promotions.
“Just putting a little something up on their Web site I don’t think is sufficient,” she said.
The EFF complaint also covered another anti-piracy technology that Sony BMG has used, MediaMax from SunnComm Technologies Inc., which was introduced first in markets outside the United States. SunnComm was not named in the lawsuit.
The EFF said it also would seek better disclosure about both technologies used by Sony BMG and an end to what it considered “outrageous, anti-consumer” licensing terms over which CD buyers have little choice.
Sony BMG’s Web site offers information on the XCP technology, the CDs that use it and ways consumers can mail them back, postage-free, for a replacement.
Sony BMG initially rejected the uproar over XCP as technobabble. But after security experts discovered that XCP opened gaping security holes in users’ computers — as did the method Sony BMG offered for removing XCP — Sony BMG agreed last week to recall the discs.
Some 4.7 million had been made and 2.1 million sold. CDs that had XCP included releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion.