Sony rootkit sparks legal onslaught

The tangled web woven by music giant Sony BMG is getting bigger by the minute.

The label is already facing a class action lawsuit in California over its use of copy-protection software on its CDs that hides itself when the CD is played on a Windows-based PC.

And now at least two other suits are on the way, one in New York and another in Italy. The legal and PR nightmare stems from Sony BMG's use of a particular type of digital rights management copy-protection software on at least 20 of its CDs. Those CDs include Trey Anastasio's Shine, Celine Dion's On ne Change Pas, Neil Diamond's 12 Songs, Amerie's Touch, Pete Seeger's The Essential Pete Seeger, and Ricky Martin's Life. Partial lists of CDs are at Slashdot and the Electronic Frontier Foundation.

The software in this case, designed to prevent a user from copying a CD more than twice, was created by First 4 Internet. It is called a "rootkit," and once a CD is loaded onto a computer, a watchdog program is installed, and then hides itself deep in the core of the operating system.

That's where the trouble begins, first uncovered by programmer and blogger Mark Russinovich. A side effect of the software is that it can be used to hide any files with a certain string of characters in the file name. Already reports have surfaced of World of Warcraft hackers using the program to make their cheats impossible for Blizzard's Warden anti-cheating program to detect.

The California suit, filed last week in Los Angeles Superior Court by a Southern California attorney on behalf of all California consumers "who purchased or acquired one of the rootkit-installed CDs," claims Sony BMG broke three state laws--the Consumer Legal Remedies Act, the Consumer Protection against Computer Spyware Act, and the California Unfair Competition law--according to the filing.

It asks the court to force Sony to stop selling any more CDs containing the rootkit and seeks compensation for damage already incurred by users. The suit centers on the matter of user notification and the rootkit's removal. The filing claims that the license agreement that pops up when a protected CD is loaded does not indicate the potential damage caused by the software.

The agreement says, "The software is intended to protect the audio files on this CD. It will reside on your computer until it is removed or deleted." It does not say that the software hides itself.

The California lawsuit also charges that the agreement does not say that the computer will be damaged--the CD player becomes inoperable--if the user tries to uninstall it.

Sony has since released a patch that makes its software visible again. Sony has also sent the rootkit-cloaking information to antivirus software companies so they know to look for it.

The company has also said it has abandoned the rootkit strategy, but not, of course, the use of other forms of DRM copy protection.

In a related and considerably ironic matter, Sony has been providing a work-around at the same site that lets you copy the protected songs to a portable music player.

The California lawsuit was filed before even more problems emerged. Virus maker Sophos reported today that it has spotted an e-mail going around that tries to exploit the controversial file-hiding abilities of antipiracy software embedded on some of Sony BMG's music CDs.

So unless the owner of one of those CDs has already downloaded Sony's patch to make the software visible again, and antivirus software companies beat virus creators to the punch, some music fans have been hit with a Trojan horse virus as a result of listening to a legally purchased CD on their computers.

More suits are expected to follow the California filing.

A second nationwide class action lawsuit is expected to be filed against Sony in a New York court this week, and the Electronic Frontier Foundation in Italy has filed papers with the Italian police alleging Sony is guilty of "illicit acts" and calling for an investigation.

Another Italian consumer group, Altroconsumo, sent a cease-and-desist letter to the Italian division of Sony BMG, the group announced. The letter asks Sony to not distribute the rootkit CDs in Italy.

Sony BMG did not return calls seeking comment.