|In re: Sony BMG CD Technologies Litigation
Case No. 1:05-cv-09575-NRB (2006)
Motion And Memorandum Of Law In Support Of Plaintiffs’ Application For Preliminary Approval Of Class Action Settlement
. . .
II. BACKGROUND OF THE LITIGATION
A. The Nature Of SONY BMG’s Content Protection Software
In August 2003, SONY BMG, the second largest owner and distributor of record labels, began including MediaMax, a content protection software program from SunnComm, on some of its CDs. In January 2005, SONY BMG introduced XCP, a second copy protection software program designed by F4I.
XCP and MediaMax limit the number of copies of a CD a user can make. XCP and MediaMax also make audio files and digital content on the CDs compatible only with Sony or Microsoft products and software. The CDs can only be played and copied on a computer using XCP or MediaMax. The software does not allow audio file compression in the dominant nonproprietary MP3 format or other file formats like Apple Computer, Inc.’s “iTunes.”
SONY BMG impedes removal of XCP and MediaMax from a user’s computer by (1) preventing the software from being listed in the commonly accessed “Add/Remove Programs” utility in the Microsoft Windows operating system, and (2) failing to provide an uninstall program for the software. The only way to uninstall XCP or MediaMax is for the user to visit one of Defendants’ websites, fill out a form that requires a user to disclose his or her e-mail address, then wait for an e-mail, download additional software, and install a program that removes the files. Any attempt to uninstall the software manually will damage the user’s computer.
XCP and MediaMax also raise potential privacy concerns, because the software can and does exchange information between the users’ computer and SONY BMG’s computer servers. The information sent to SONY BMG includes the user’s Internet Protocol (“IP”) Address. The software does not inform the user that his or her computer is providing information to SONY BMG’s servers.
XCP and MediaMax are subject to highly restrictive and misleading EULAs [End User License Agreements]. When a user inserts a XCP CD or a MediaMax CD into a computer, a EULA appears on the computer screen and requires that the user to accept its terms to access the audio files or digital content on the CD. If a user accepts the EULA for one CD, the EULA is not displayed when subsequent discs containing the same software are loaded onto the computer. According to Plaintiffs, the EULAs are contrary to federal and state law in that they fail to or inadequately disclose certain material facts about XCP and MediaMax software, including the following: (1) the programs cannot be readily removed by the computer user; (2) the programs collect information about the computer user and his or her computer; (3) the programs exchange information between the user’s computer and SONY BMG’s computer servers; (4) the programs are only compatible with Sony’s and Microsoft’s digital music file formats (5) the programs are not compatible with iTunes or MP3 audio file formats; and (6) the programs manage all XCP CDs or MediaMax CDs subsequently inserted in the computer. SONY BMG also inadequately discloses material facts about the nature and function of XCP and MediaMax software on the jewel cases of SONY BMG CDs containing such software.
B. XCP CDs And Software Expose Computers To Security Vulnerabilities
In October 2005, Mark Russinovich, a computer security research specialist, discovered that he had a hidden software program running on his system. Upon further investigation, Mr. Russinovich traced the installation of the hidden software program to an XCP CD he had purchased and used on his computer. Mr. Russinovich discovered that XCP employs a variety of software techniques typically used by “spyware” and other virus software programs to conceal its existence from the user. Most notably, XCP installs a “rootkit” on the user’s computer. The XCP rootkit hides its existence by integrating itself deep in the architecture of a computer’s operating system, thereby forcing the computer’s operating system to conceal any file, directory or process that begins with the computer code, “$sys$.” XCP Software has no mechanism to ensure that other software programs cannot employ the “$sys$” cloaking mechanism, however. In other words, any application can make itself virtually invisible to the user by renaming its files so that they begin with “$sys$.”
Consequently, the XCP rootkit makes the user’s computer more susceptible to unwanted intrusion from third parties, as it effectively disables any firewall, anti-spyware and anti-malware protection programs previous installed on the computer. Indeed, in November 2005, Symantec Corporation, a leading maker of anti-virus software, public announced the discovery of the first virus to use SONY BMG’s XCP CD software cloaking mechanism.
In response to the criticism sparked by Mr. Russinovich’s findings, SONY BMG released a software utility to remove XCP software from a user’s computer, and a program intended to allow XCP software to be visible on the user’s computer. Almost immediately, Mr. Russinovich found that these SONY BMG software programs, themselves, created additional security vulnerabilities. As part of settlement, SONY BMG has agreed to and has stopped distributing these programs in the United States.
On November 18, 2005, after class action litigation was commenced in this Court, SONY BMG issued a statement acknowledging that its XCP software created security vulnerabilities for computer users. Thereafter, SONY BMG announced that it would institute a program to remove all SONY BMG XCP CDs from retailers’ shelves and inventory, and begin an XCP CD “recall” effort, to allow consumers to exchange their SONY BMG XCP CDs for “clean” CDs containing the same music, but which were free of XCP software.
C. MediaMax CD Software Installs Without Consent And Exposes Computers To Security Vulnerabilities
SONY BMG’s MediaMax CDs and software also contain characteristics not fully disclosed to consumers at the time of purchase.
Among other things, MediaMax software contained on SONY BMG CDs installs on the user’s computer, even if the user does not consent to installation.
Additionally, when a MediaMax CD is inserted into a computer, a EULA is displayed, which the user may accept or decline. Before the EULA even appears, however, MediaMax automatically installs approximately one dozen files on the computer’s hard disk. These files remain installed and active on the user’s computer, even if the user declines the MediaMax EULA. This installation-without-consent feature is present in MediaMax 3.0 and MediaMax 5.0, the two versions of the software contained in SONY BMG CDs.
Furthermore, the most recent version of the SONY BMG contention protection software, MediaMax 5.0, renders a user’s computer more vulnerable to security breaches by third parties, by causing a file folder to be installed on a user’s computer, which allows third parties to gain enhanced permissions over the user’s computer running the Windows operating system. While SONY BMG recently issued a software “patch” and uninstall program in an effort to remedy the discovered security vulnerabilities, the day after SONY BMG issued the program, a computer specialist found that the MediaMax 5.0 patch and uninstall program, itself, posed an additional security vulnerability for computer users.
D. The Class Action Litigation
. . .
On December 28, 2005, Plaintiffs filed a Consolidated Amended Class Action Complaint (the “Complaint”) on behalf of all natural persons or entities in the United States who purchased, received, came into possession of, or otherwise used one or more MediaMax CDs and/or XCP CDs. The Complaint alleges that Defendants engaged in unlawful, unfair and deceptive conduct in designing, manufacturing and selling CDs with XCP and MediaMax software and without adequately disclosing the limitations the software imposes on the use of the CDs and the audio files contained on such CDs, and the security vulnerabilities the XCP and MediaMax software creates for computer users. Plaintiffs bring claims against Defendants for violating the Computer Fraud And Abuse Act, 18 U.S.C. § 1030, et seq.; Section 349 et seq. of the New York General Business Law; and Section 350 et seq. of the New York General Business Law. Plaintiffs also assert common law claims for breach of the implied covenant of good faith and fair dealing, trespass to chattels, and fraud.
III. THE PROPOSED SETTLEMENT
. . .
B. The Settlement Consideration
As consideration for the settlement, Defendants have agreed to provide a broad package of benefits to Settlement Class Members. The settlement benefits include:
• Compensation for buyers of XCP CDs and MediaMax CDs;
• Software utilities to update and uninstall XCP and MediaMax software from consumers’ computers;
• An agreement by SONY BMG to immediately recall of XCP CDs, and not manufacture MediaMax CDs for a period of at least two years;
• A series of injunctive measures governing any SONY BMG CDs manufactured with content protection software over the next two years;
• Defendants’ agreement not to collect personal information on Settlement Class Members through XCP, MediaMax and future content protection software, without their express and affirmative consent;
• Defendants’ agreement to waive certain rights currently contained in the EULAs for XCP and MediaMax CDs and software; and
• A “most favored nations” provision that would enhance the benefits available to all Settlement Class Members if Defendants provide additional benefits to a subset of Settlement Class Members through an agreement with any government authority.
Notes and Questions
1. Suppose that some gained unauthorized access to Russinovich computer by exploiting flaws in the SONY BMG’s MediaMax software. Should Sony be liable for damage caused by the access?