Did Sony BMG get off easily?

December 30th, 2005

An interesting open thread at Freedom to Tinker is developing two competing points of view: that Sony BMG got off lightly in their settlement agreement, and that the settlement is a fair and reasonably complete redress of customer grievances.

My $0.02 is that, with the exception of some of the MediaMax provisions, the settlement does not require Sony BMG to do anything that they have not already done themselves. The recall, compensation, offer of free downloads, and stopping XCP production were all in place well before the settlement was reached.

There are some interesting links in one of the comments suggesting that the status of both SunnComm and First4Internet as continuing viable businesses may be in doubt, as they never did that much in revenue to begin with and are facing substantial liability. That is an interesting prospect.

Settlements at hand

December 29th, 2005

News on a sleepy post-Christmas day, courtesy the Washington Post’s Security Fix blog: Sony BMG has apparently agreed to settle the New York based class action lawsuit. Terms of the settlement include a permanent cessation of the use of XCP and MediaMax on Sony BMG CDs, a pledge not to collect personal information from customers who already have CDs with the affected DRM systems without an explicit opt-in, and settlement benefits to members of the class action suit including “clean” replacement CDs, free downloads, and cash payments. More nebulously, there is a requirement to “implement consumer-oriented changes in operating practices with respect to all CDs with content protection software that Sony BMG manufactures in the next two years.” The relief portion of the suit would take place immediately upon preliminary approval of the settlement. The Post says that PACER shows a hearing order that indicates that Sony BMG and the plaintiffs actually reached an agreement on the 27th.

This is certainly good news for Sony BMG, as it gets them out of the New York courts without drawing a lawsuit from the state attorney general, Eliot Spitzer, who has been making threatening throat clearing noises over Sony BMG’s conduct in the case. But without some teeth around “consumer-oriented changes” in Sony BMG DRM, I’m concerned that there will be no real changes. After all, XCP and MediaMax are hardly the only DRM technologies on the market.

One piece of good news: the settlement requires Sony BMG to pull MediaMax from the market just as it has already done with XCP.

Thanks to commenter Mike for the tip.

Update: another article at CNET News.com, which clarifies a few points, including the note that purchasers of MediaMax CDs are not entitled to any cash, only to a free album download and MP3 versions of the tracks on the CD they purchased.

Sony BMG gets another Texas-sized Christmas gift

December 22nd, 2005

Yahoo! Finance: Texas Expands Lawsuit Against Sony BMG. This is the sound of another shoe dropping, from what at this point appears to be a herd of well shod lawyers. Texas Attorney General Greg Abbott has decided, along with suits filed in Oklahoma, the District of Columbia, and California (the latter by the EFF), that Sony BMG’s other DRM scheme, MediaMax, also violates Texas’s anti-spyware and deceptive trade practices laws.

Sony BMG says that because they have provided a software update to address the problem, they have “completely addressed” Abbott’s concerns. It is not clear what remedy they intend to provide customers who declined to accept the installation but got the MediaMax software installed anyway.

Sony BMG: Extreme Losers

December 20th, 2005

PCWorld: Winners and Losers of 2005. On a fairly evenhanded list (both Apple and Google are listed as both winners and losers), Sony BMG manages the distinction of being cited as a loser. Twice.

LOSER: Sony BMG Entertainment

Adding copy protection to CDs is onerous enough, but Sony BMG Entertainment and its tech partner First 4 Internet went completely beyond the pale. Insert certain Sony BMG CDs into your PC’s disc drive and they would secretly install First 4 Internet’s XCP software, which not only limited the number of copies you could make, but also made your system vulnerable to hack attacks. Sony BMG then posted a “fix” that made matters worse, before issuing a recall of the music CDs, offering refunds, and promising to discontinue using XCP. It turns out the record company knew about the vulnerability for at least two weeks before blogger Mark Russinovich made the news public last Halloween. Thanks for sharing, Sony.

EXTREME LOSER: Sony BMG Entertainment

Researchers at Information Security Partners recently identified a security flaw with SunnComm’s MediaMax, an alternative copy-protection scheme found on other Sony BMG CDs. The flaw could allow a remote attacker to hijack a user’s PC. This time, Sony responded with a patch almost immediately–which was quickly found to have the exact same flaw. Can you say “consumer boycott?”

Why yes, we can. Although around here, we pronounce that customer boycott. A consumer is a gullet that gulps products and craps cash, in the famous formulation, and I hope this whole episode has demonstrated that we customers are much more than just a gullet.

Get rid of XCP rootkit through Windows Update

December 15th, 2005

According to Betanews, the newest release of the Malicious Software Removal Tool from Microsoft, which is available through Windows Update, removes the XCP rootkit and the vulnerable ActiveX control from the XCP uninstaller. Microsoft still hasn’t stepped up to the plate to uninstall all of XCP, though; you still have to go to Sony BMG for that. Interesting point in the article about how the lifespan of a DRMed CD is much longer than the lifespan of a particular Windows release, and how that almost certainly dooms the disc to unusability in the future.

Sony BMG on the “Internet villain” shortlist

December 15th, 2005

The Register: Sony BMG shortlisted for “Internet villain” gong. Heh. I didn’t even know that there was an Internet Villain award, but the trade group ISPA UK now has my undying appreciation. Sony BMG was shortlisted for “compromising the security of its customers’ PCs with its copyright-protecting rootkit technology.”

Don’t celebrate the end of DRM?

December 14th, 2005

Interesting post on the faculty blog of the University of Chicago Law School, by professor Doug Lichtman, that argues that the end of DRM would be disastrous for the music industry and music lovers. He suggests that without DRM, the industry will have no incentive to invest in music or will develop some other draconian response to piracy, such as streaming music to proprietary players. He also argues that improvements in labeling law or changes to the law to prevent the use of DRM as draconian as Sony’s would backfire, as this would lead to legislating over what types of DRM are permissible.

It’s good to see someone even try to argue the value of DRM after the whole Sony rootkit fiasco, but in this case Professor Lichtman has it wrong.

First, as Doug Lay points out in the comments, imagining the major labels moving to supporting only a single proprietary player leads to some interesting speculative schadenfreude. Certainly it’s easy to imagine the major labels continuing their downward spirals by fragmenting the playback market and alienating their channel. But just because the solution to come might be further detrimental to the labels’ interests is no reason to keep an antipiracy solution that has been proven harmful.

Second, Professor Lichtman suggests that the law needs not only to require better labeling for DRM but also to identify what is and is not allowed:

DRM of the sort adopted by SonyBMG might similarly be so bad as to be impermissible. But then we need to say more about what forms of DRM would be permissible, just as we similarly today allow shopkeepers to put locks on their doors, call the police in the event of a burglary, and so on.

If I’m not mistaken, there are a few lawsuits out there that point out ways in which Sony BMG’s DRM is in violation of existing laws against spyware, computer fraud, false or misleading statements, trespass, false advertising, unauthorized computer tampering, and other generally consumer-hostile acts. I think this point of Professor Lichtman’s is a red herring. As Doug Lay points out, we don’t need new laws, we need Sony to be punished for the laws they’ve already violated. In fact, I’m not sure I’d say that legislation against DRM is needed at this point even after this case, and perhaps on this point I do agree with Professor Lichtman, though for different reasons. I think we still need to see what the market, competitive pressures, and general customer awareness will do to address the labeling problem, and in the meantime the fallout from lawsuits will hopefully force Sony BMG and other labels to reconsider their choices.

Finally, Professor Lichtman assumes that the major labels’ investment in music somehow creates value for the musician and the customer. I’m not going to comment except to point out that the list of XCP infected discs contained albums by Celine Dion and Our Lady Peace. And I’m not sure how anyone could construe putting XCP on discs of reissued material by Dexter Gordon, Louis Armstrong, Art Blakey, Shel Silverstein, Horace Silver, Gerry Mulligan, or Dion, all on the XCP list, as constituting protecting an ongoing investment in music.

MediaMax infection count: 5.7 million

December 12th, 2005

According to the St. Petersburg Times, the count of Sony BMG discs with the vulnerable SunnComm MediaMax DRM software is 5.7 million. But there’s no recall plan, and nowhere near the level of noise there should be to make customers aware of the problem. Good to see Sony is continuing to learn from its past mistakes.

Sony BMG: Thinking again about DRM

December 12th, 2005

Talk about a non-statement: Thomas Hesse, of “nobody knows what a rootkit is” fame and President of Sony BMG’s Global Digital Business unit, says that the company is reconsidering how it employs DRM “because of the bad publicity” around its two badly flawed systems. But he says that the company is still committed to blocking copying of its discs because “copyright infringement is a huge issue for the record industry as a whole.”

In other words, no news here. The company still won’t acknowledge the realities of its new market, still won’t acknowledge that DRM fundamentally devalues its product in the eyes of customers in addition to exposing them to hazards (particularly when that DRM is badly written), and still won’t own up that its second DRM system is a problem.

These clowns need to really sit down and think about what they’re doing to their position with their audience.
