Slashdot Mirror
Texas Sues Sony BMG over Rootkit
Mr. Sketch writes "According to Yahoo!, Texas Attorney General Greg Abbott 'filed a civil lawsuit on Monday against Sony BMG Music Entertainment for including "spyware" software on its media player designed to thwart music copying. [...] Texas is seeking civil penalties of $100,000 per violation of the state's Consumer Protection Against Computer Spyware Act, which was enacted earlier this year. "Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," Abbott said in a statement.'"
Lets also do it the "Texan way" with some Death Penaltys
Don't mess with Texas?
According to Yahoo!, Texas Attorney General Greg Abbott 'filed a civil lawsuit on Monday against Sony BMG Music Entertainment for including "spyware" software on its media player designed to thwart music copying. [...] Texas is seeking civil penalties of $2 * 2 * 2 * 2 * 2 * 5 * 5 * 5 * 5 * 5 per violation of the state's Consumer Protection Against Computer Spyware Act, which was enacted earlier this year. "Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," Abbott said in a statement.
from the link:
Can anyone verify this on their own disks?
I'll just use my special getting high powers one more time...
Guess we really neednt worry about the president getting on this band wagon since he cant even load songs on his ipod.
EFF has launched a class-action suit against Sony.
Man is a slave because freedom is difficult, whereas slavery is easy.
it still benefits the consumers, does it not, if the huge amounts of money going to lawyers and the bad publicity act as a disincentive to such behavior?
Unfortunately, his opponent in the next election can back the Brinks truck up to Sony HQ at his convenience.
Here's a link to the official Texas AG's press release.
= 1266
http://www.oag.state.tx.us/oagNews/release.php?id
They even have an online complaint form. Be the first on your block to get in on the lawsuit!
Heck is a place for people that don't believe in gosh.
IANAL but it seems to me that criminal rather than Civil penalties is the way to go here.
Of course, the correct answer is both.
Call me naive, but I'm just not seeing action on the criminal side of things. Whatever happened to "equal protection under the law" principal where I would face jail time if I did this, even if I did it through my own 1-man consulting corporation?
Its not users who are broken, it's systems not taking account their likely behaviour and fixing it technically.
RIAA: "Sony BMG did nothing wrong. We love Sony BMG. They clean our pool."
Texas Lawyers: "Pardner, yer full o' bull puckey."
Sony BMG: "Can't you sue any better than that?"
Consumers: Yeah, you can all go screw yourselves. Give us some cash.
I am scientifically inaccurate.
It's a good feeling when it doesn't even take a month for a major state's state government to sue over a consumer issue that has so many people I know riled up. No, it's not just us getting ourselves worked up, it really was that slimy and abusive a thing for Sony to have done.
Last week there were complaints here and elsewhere that class-action and criminal prosecutions were slow in coming, with only California and I think New York having responded promptly. This is great news* that this is starting to be prosecuted more widely (as it should be), and encouragement to everyone lobbying elsewhere for lawsuits in their own states/countries.
[*] Technically it's not "great news", it's simply the just application of the law. But when a mega-corporation such as Sony is the spyware distributer, it doesn't take a cynic to fear that justice come second to capital, as was the case for a certain monopolist...
The PDF is available here. The press release is here.
:) )
(cough
If you have been damaged in any way, shape or form, it's time to call their bluff!
Well today I felt a bit better about the situation. First my wife asked me about it which surprised me. She hasn't shown much interest in stuff like this in the past. And then a little later on when I went over to Stars and Stripes to read todays news they had a story about the rootkit and that they are pulling them out of the BX/PX's.
The more word of this gets out the more DRM will come to light. Eventually most people will know how bad DRM is and maybe, just maybe Sony and the rest will start to feel some pressure to stop trying to push it on us.
"Armed forces abroad are of little value unless there is prudent counsel at home" - Cicero
For $100,000 per violation, I don't know. My guess is that a violation is a provable installation of the software, which can add up fast if they had as many sales as were reported. Even if there is only 100 cases of the rootkit being installed, that's $10,000,000. Add in the image damage and that's a hefty tag. But we all know image damage can be fixed with a few donations to the right charities.
$100,000 per rootkit'd CD times 20,000,000 million CDs = $2,000,000,000,000 (2 trillion dollars)
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
It's the statutory penalty for the violations: $100K per infraction. The Texas AG was just on TV (CNBC) and suggested that the fines came out to hundreds of millions of dollars.
If you want your life to be different, live it differently.
In Canada, the levy allows you to make copy of music CDs, even your friends CDs for you own personnal use without restriction. The 3 limit per CD is a clear restriction that goes against what Canadians pay for. I feel another law suit comming.
I realize--in your rush to post first--that "facts" are irrelevant to you..
/. makes me wish there was an 'idiot' moderation, or at least a 'first post' moderation. In this case, a mere glance at the first sentence of the article would've made it clear that this was an action taken by the state to protect its citizens.
But the State of Texas (you know, the State Attorney General, in representation of the State of Texas and its citizens) is suing Sony. If the lawsuit is won, than the money goes into the coffers of the state of Texas, which will result in an increase in public works, which *does* benefit us.
Sometimes
I currently have no clever signature witicism to add here.
So basically, the rootkit would install itself on your PC even if you clicked NO on the popup that appears after inserting the disk? Wow... Now re-read this (different article, posted on Slashdot earlier):
"Most people, I think, don't even know what a rootkit is, so why should they care about it?" the head of Sony BMG's global digital business, Thomas Hesse, told National Public Radio.
I don't know... So they are counting on tricking gullible PC users into installing something which will ultimately harm their PC, which is heinous in itself, but somewhat legally "murky" enough for them to get away with it. But when your answer to the EULA actually has no effect whatsoever on whether the r00tkit is installed or not, that is beyond words. It shows how much these corporations disrespect their customers. We are sheep. With cash they gave us for working for them... and they want it back.
It's the AG's office, not a private law firm. The lawyers are public servants on salary, not working for a percentage. They are constrained by law to work in the public's (the people who provide their salaries) interest.
They're prosecutors.
When the NY Attorney General's office nailed Song BMG for "payola" the settelement included a $10 million grant to the Rockefeller Philanthropy Advisors to New York State, a non profit, to promote music education.
The EFF has also filled a rootkit suit against Sony BMG in LA. I guess you can decide for yourself whether these guys are just after a big paycheck.
KFG
Assuming a computer counts as tangible, movable property, and I do believe the rootkit at least counts as "criminal mischief", and the Texas AG has a legal duty to protect people's computers (or people ask him to), the use of lethal force against Sony BMG would be authorized. 9.43. PROTECTION OF THIRD PERSON'S PROPERTY. A person is justified in using force or deadly force against another to protect land or tangible, movable property of a third person if, under the circumstances as he reasonably believes them to be, the actor would be justified under Section 9.41 or 9.42 in using force or deadly force to protect his own land or property and: (1) the actor reasonably believes the unlawful interference constitutes attempted or consummated theft of or criminal mischief to the tangible, movable property; or (2) the actor reasonably believes that: (A) the third person has requested his protection of the land or property; (B) he has a legal duty to protect the third person's land or property; or (C) the third person whose land or property he uses force or deadly force to protect is the actor's spouse, parent, or child, resides with the actor, or is under the actor's care
At $100k per offense and the highest distributed CDs figure I have seen being 24 million installations from 50 different DRM infected CDs, that'd be quite a big number, even if you only count Texas installations.
In fact the upper limit (assuming conservativly only 1 infected PC per CD) is:
2,000,000,000,000 or 2 trillion dollars. Of course what percent are provably installed in Texas? is it Five percent? even if it's two percent that's $50,000,000,000 or 50 Billion dollars.
Lets take a conservative estimate.
In the 2000 census, Texas had a population of 20,851,820 http://en.wikipedia.org/wiki/Texas
and the whole US has a population of 281,421,906. http://en.wikipedia.org/wiki/United_States
So Texas had 7.4% of the US population.
Sony claims that all DRM disks where sold domestically, but lets be kind and say that 80% of the disks were sold domestically so 19,200,000 disks in the US.
Lets assume that the consumers in all states have similar buying habits.
So 7.4% of 19,200,000 US disks is 1,420,800 Texas sold disks.
1,420,000 times $100,000 max fine per disk is: $142,100,000,000 or 142 Billion Dollars.
I have seen estimates as low as 500,000 DRM infected disks sold in the US.
That number is much lower.
500,000 * 80% * 7.4% * 100,000 max fine is: 2,960,000,000 or 2.96 Billion dollars.
Any way you spin it, this is going to get ugly for Sony.
Its not users who are broken, it's systems not taking account their likely behaviour and fixing it technically.
What is the state of Texas going to do with 5 million coupons for a free Sony CD?
So the spyware has to be pretty deadly!
Unfortunately, that only works if killing them will prevent your property from getting damaged/stolen. Inapplicable in this case.
Have any companies disallowed playing CD's at work computers because of potential security risks? Can someone be fired for unknowing installing rootkits and can fired employees sue the music distributors for costing them their jobs?
From http://www.oag.state.tx.us/
Yeah, this guy's really a shark. Stupid frickin lawyers always screwing everything up enforcing laws. God dammit. Imagine how great the world would be without lawyers making sure everyone follows the rules. </sarcasm>
It breaks my pluginses, my precious!
I heard Sony management got a great deal on this book: Rootkits : Subverting the Windows Kernel.
That recommendation is just... the glazing on the pig
Belief is the currency of delusion.
I hope the Texas Attorney General extracts hundreds of millions from Sony. And then that the other states' attorneys general smell blood and jump on the bandwagon, just like the tobacco settlement. Imagine Sony forced to fund a foundation that makes commercials warning youth of the dangers of DRM :).
I too have felt the cold finger of injustice.
If some college student had pulled this stunt they would be sitting in jail as we speak. Why is Sony getting away with this crap? I also can't believe that they stole code from LAME and violated the LGPL without a second thought. These people are criminals in every sense equally as bad as those they are trying to keep from copying their CDs.
I will never, never ever buy another product that says SONY on it again.
Your estimates are not at all conservative, especially 1 infected PC per CD.
I have two hunches that would put the number well below that:
1) Most people aren't going to play it on their computer, and
2) There are going to be more instances of one computer having multiple CDs played on it than instances of one CD infecting multiple computers. In the case of multiple CDs on one computer, almost certainly that would only count as one violation.
I'd put the number probably at 1/10 of an infected PC per CD.
Though that's still by your latter estimate almost $300M, which is still a nice chunk of change.
Here's a torrent of the news conference video.
Judging by the map of infected computers, theres alot more than 100 infections in the state of texas.
In Soviet Russia the insensitive clod is YOU!
That the AG, like basically all state employees, is paid salary. So it doesn't matter how many of what kind of cases he wins, he gets the same amount of money, it's not a contenginecy basis like private lawyers. So ALL the money goes to the state, not just a certian percentage. You don't get rich working as a lawyer for the state.
I don't know how this all works, but will this result in any money going to the people who bought the cds? Or will the lawyer and the texas authorities pocket it all?
No, this sentence refers to SunnComm MediaMax, not First4Internet XCP. MediaMax doesn't use a rootkit, but installs even if you reject the EULA, phones home when you play a CD, does not include a functioning uninstaller--but if you jump through a bunch of hoops, SunnComm will give you an ActiveX uninstaller that opens a huge security hole on your computer, kind of like XCP's.
Sony recalled XCP CDs but didn't say a word about MediaMax. The EFF is pressuring them to recall those CDs as well, which have been on the market for two years and number at least ten times as many as XCP.
OK I typed way too fast and my calculator converted these fines to exponential notation, so i got some numbers slightly (ha!) wrong.
n ess/14rights.html>
e &symb=SNE
24 Million times 1000000 is 2.4 Trillion not 2 Trillion.
But that is irrelevant because I did more/better research and the lower bound is 568,000 CDs (based on Dan Kaminsky's network DNS cache analysis) http://www.doxpara.com/?q=sony
A good conservitive higher bound is 2.1 Million sold (based on Sony's statements)http://www.nytimes.com/2005/11/14/busi
The revised maximum fine numbers would then be $3,362,560,000 to $14,208,000,000.
So its just $3 to $14 Trillion in potential fines.
Sony has total corporate value (Market Cap) of $36,358,000,000. http://money.cnn.com/quote/quote.html?shownav=tru
My guess is that having a fine of (approx) 40% of your net worth hanging over your head is not gonna be good. Of course this is just Texas we're talking about here, 49 more states to go (and many many countries).
Its not users who are broken, it's systems not taking account their likely behaviour and fixing it technically.
Come on - everyone stop posting for a bit...
This isn't a scenario regarding a purchase though, it's a scenario involving a hacking incident. If I take my Sony CD to a friend's house and it r00ts their machine, that is an instance of hacking, regardless of who bought the CD.
The proof is in the computers themselves, not in anything on paper. The number of infractions will likely be estimated. I'm not familiar with the details of the rootkit--does it phone home? If it does phone home then they can subpoena the "phone home records" and determine which connections originated from Texas.
Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
Whoa there cowboy. This is Texas we're talkin' about. Stand down with all that high-falutin' legal talk there. Sony obviously just needs some killin', let it be.
Returned Peace Corps IT Volunteer
A la how the SSSCA changed into the CBDTPA, the TCPA changed into the TCG, and Palladium morphed into NGCSB, DRM will be needing a new name now that everyone knows what it is. Please post your entries in this thread.
I too have felt the cold finger of injustice.
- Using random or deceptive filenames to make it difficult for the consumer to find and uninstall the program, in violation of CPACSA 48.053(5).
- Inducing the consumer to install software by falsely claiming that it is necessary to play the media, in violation of CPACSA 48.055(1).
Seems pretty weak, but I imagine they'll tack on additional charges once they've had the chance to do some discovery.How the *fuck* did they ever conclude that installing a rootkit on their "enhanced" CDs was a financially sound legal tactic that came with no fear of being sued by Sony shareholders for causing loss of profit?
Loose change? They should be so lucky. They'll probably just get lots of unwanted CDs again. Only these will be more unwanted than ever before.
You cannot truly appreciate Dilbert until you read it in the original Klingon.
Let's stab him in some of the lesser-known organs.
Since he doesn't know what they do, he shouldn't really care about it, right?
I tried attaching the permanent marker to the CD as you suggest, but I was unable to get it into my slot-loading CD drive. I did manage to get it into a tray-loader, but there was a problem. Apparently autorun still executes the CD if you attach a marker to it. I'm sticking with tape.
I had sent a friend information about this Sony thing last week and it got not a lot of attention. However same friend was trying to de-lous another persons PC yesterday and called me for support (Note: I'm not particularly qualified for Windows support at this point, but I can do Google searches and say things like "hang in there" from time to time). I think by that time I was called many of the virus and spyware elements had been cleaned by conventional means, but there seemed to be some persistent problems. Just in case, I asked whether they had played any of those Sony BMG music discs in the machine. Apparently I was on a speakerphone setup, and I heard several denials of the form "We never use our machine for such things" while my friend asked me what I was talking about.
After refreshing his memory, and in turn having the family involved talk among themselves for a while, it turned out that some Sony BMG discs HAD been played in that machine, and some of the remaining questionable files had Sony all over them even though the family didn't own a Sony camera, Sony music player or any other Sony device that they could think of. Finally someone remembered that the little girl in the family HAD played, or ripped, or SOMETHING some music CDs in the machine and off they rushed to find them. In the mean time I was looking for the list of Sony BMG discs affected, originally numbered 20 and widely circulated at that count, but subsequently updated to 50, and listed on a Sony website. I found the list of 50 at about the same time that they found their played/ripped/inserted/whatever CDs and sure enough, several of them had the Sony BMG label on them. Now the catch was that (a) none of the CDs they had found were on the list and (b) none of the CDs they had found had the warning that they contained copyright protection software, and my understanding was that the affected discs did contain such a warning.
Well, by getting rid of the Sony BMG stuff they seemed to be back to a clean machine, and they swore to never insert a music CD into their machine again or to buy a CD from Sony. So, congratulations should go out to Sony BMG and First4Internet for accomplishing their objectives. Now to round out the picture:
(1) I suspect that Sony BMG, Sony alone, and BMG alone have in the past used other protection schemes and while they haven't been vocal about it, other companies are doing the same experimentation. All of these programs have their own ways and means of hiding themselves and controlling what YOU do with YOUR PC. But NONE of them have exhaustively looked into the legal, much less technical ramifications of what they do. They think that by merely relying on third party companies like First4Internet they can claim ignorance of the consequences.
(2) Rumor has it that by the time you are asked for your permission to install software when you insert these disks SOME software has already been installed.
(3) Sony/BMG isn't the only company doing this, they are just the only company that has been caught.
(4) These discs have been out for a year, and some people say two years, or maybe more.
(5) There is no quick and easy way to uninstall these programs, either from Sony BMG or the s
The proper punishment for Sony out of this must be sufficient that that Sony, and every other record company will absolutely never any use any kind of DRM that changes even one bit on your computer again. Anything less is not enough.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
at least we can kill -9 them.
https://www.gnu.org/philosophy/free-sw.html
A corporation actually managed to piss off Texas enough to take legal action? I mean, come on. It's Texas.
I'm just surprised one of the little puppy or some liberal states didn't act first.
(If they did, ignore the previous line plzkthx.
Sony changed their name to "Sorry", and were promptly sued by Parker Brothers.
Just because you can mod me down, doesn't mean you're right. Shoes for industry!
Well, that would be okay* because if they fine Sony enough, they could pay for the roads without charging tolls!
*except, of course, for the inherent stupidity in building roads instead of rails, when we really need to be transitioning towards electric-powered transportation
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Sounds like a John Lennon song...
except for the killin' part.
I guess anyone who runs Linux/BSD/etc. would be in violation as well.
That this is a STATE Attorney General, suing on behalf of the citizens of his (MY) state, the State Of Texas. Considering that any statutory penalties would go into the state coffers and NOT into the AG's pockets (He's a salaried employee of the State of Texas, not your lawfirm type attorney...) your claims of 33% of this going into his pockets would be dead wrong. Your rant, nice though it was, was like a tale told by an idiot, full of sound and fury, signifying nothing. (With apologies to Wm. Shakespeare...)
But then, this IS Slashdot, afterall...
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
When I read the submission, I knew that the first 50 posts or so would probably involve a hick accent and killing people. What I didn't expect was the fact that NOBODY would say anything about that characterization.
/. readers. Austin is part of the San Francisco - Seattle - Austin Axis of Technology. Screw the rest of you guys.
Look, Texas has hick parts. There's strong concentrations of them in East Texas around the Louisiana border and also in West Texas starting from Abilene west and north. But, it is unfair to characterize this entire state as being uncultured cowboy gun slingers, nor is it fair to generalize people who live in the more rural parts as hicks. This state is as cultured as any others, and when it comes to the South, we stand far and above. We have the largest and one of the most prestigious university systems in the world, we represent one of the most diverse cultural melting pots in the country, we have probably the best music and independent film communities outside of New York and LA, and the list goes on.
What disturbs me most is that not one person from Texas wants to dispute any of that bullshit the rest of these comments are flinging about. And it's not that there aren't Texan
As far as the AG sueing Sony, hats off to him. It's not exactly a secret that this state is pretty damn laissez-faire. That was a damn impressive move.
Also, by the way, you know that Texan accent that you have been using mentally to read this post? Stop that... now.
... are the other recording corporations.
Europe has traditionally taken a very strong stance against corporations who abuse their power. While I suspect you may be trying to incite Republicans with your anti-European sentiment, the fact of the matter remains that Europe has the guts to stand up to corporations who want no-good.
They're the only ones who had the balls to truly take on Microsoft, for instance. They also had the guts to say "No!" to the manufactured war in Iraq.
Cyric Zndovzny at your service.
Unfortunately, that only works if killing them will prevent your property from getting damaged/stolen. Inapplicable in this case.
Perhaps one could argue deterrment value? I'll bet a few Sony execs getting shot would shure make them think twice about doing it again!
Its been proven to be ineffectual time and time again.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Gee, I hope the lesson Sony learns is more about what not to do, instead of how not to hide it.
"he drew his sword Ringil that glittered like ice... and he wounded Morgoth with seven wounds..."
Its been proven to be ineffectual time and time again.
I shoulda put a smiley in. However, WRT the death penelty in general, I agree for different reasons.
For the insane or those who have lost hope, it fails to deter. For those who feel they have something to lose, it's not necessary, A long prison term is enough for them.
Lawsuits :-)
$100,000 per violation, multiplied by how many people may have been rooted by this rootkit?
I'm hoping at least 1000, as $100,000,000 would be a noticable sum even to Sony, and certainly serve as a deterrant to them and others against future idiocy. Even if it were just Texas that put a few extra nails in Sony's coffin. Such a lawsuit will seem profitable, which will probably engage the interest of more states, which will be baaaad news for Sony. Blood in the shark filled waters.
Ah well, live by the buck...
what are evil companies to do in the future. Not sell their wares in Texas? It would become pretty identifyable which wares were infested if they excluded them all from the Texam market. This is a case where the mariad of individual state laws is going to possibly be good for everyone.
So close to the PS3 release date, now we'll have to boycott it. Are we sure Microsoft had nothing to do with this? :)
Shucks!
There's also another benefit, showing lawyers that there's money to be made suing large media companies can only be good for us.
Actually Texas didn't give you Bush. Connecticut gave you Bush. He lived in Texas for a bit before moving back to New England for high school, college and then graduate school. His mom is from New York and his dad is from Massachusetts. I'm half-way convinced that the accent is faked.
Texas did however produce Ann Richards, the democrat governor of Texas prior Bush and David Cobb, 2004's Green Party candidate.
Sorry -- I know the above was an attempt at humor, but I do get sick of the assumption that everyone in Texas is far-flung Bush-lovin' right wingers.
That would be billion, not trillion.
//not trying to be an ass...
$3,362,560,000 ($3 billion, 362 million, 560 thousand, 000.00)
Just thought I'd clear that up, since you made the mistake twice in your post.
Of course, I may be wrong...if the whole counting thing was changed recently.
BDR Gear
Outdoor gear, MREs, and more!
Sony obviously just needs some killin', let it be.
Sounds like a John Lennon song... except for the killin' part.
Sounds like a Pantera song... except for the let it be part.
Star Pirates
Or disband them? The problem is that shareholders don't see a need to appoint a board that operates ethically. If we were to disband a corporation or two, I think that perhaps shareholders might start seeing things differently.
Of course, there is a lot of negative economic impact, but that is precisely the bargaining chip they've been using to extort for years.
Engineering and the Ultimate
Indeed. Live by the ridiculously high fine; die by the ridiculously high fine.
And, today's PSA:
Copyright Office Taking DMCA Comments. Clearly, the rules need to make it 100% unambiguously clear that, yes, it's legal to remove malware from your computer.
/. If the government wants us to respect the law, it should set a better example.