Sony BMG is the world's second largest music company, responsible for approximately one-quarter of all album sales in the United States. Among the CDs that it has been selling in 2005, however, are millions that include copy-protection software. If the owner of one of these CDs wants to play or copy these CDs on her Windows computer, she must first install software intended to restrict the number and kind of copies that her computer can make.

After quietly distributing these CDs for months, Sony BMG was caught flat-footed when computer security professionals in early November 2005 discovered that its copy-protection software creates serious security risks. At least one variant¹ of the protection software installs itself even if users decline the pop-up end-user license² agreement and eject the CD. Moreover, when the CDs are played, the software phones home to servers controlled by Sony BMG, reporting details regarding the user's listening habits. Finally, once installed, the copy-protection software is difficult, if not impossible, to uninstall.

The response from customers, musicians and consumer journalists has been swift and merciless. A reporter for Stereophile magazine put it this way: In other words, Sony installs files on its consumers' computers without their permission, does not allow the files to be removed, and spies on its customers. His verdict: Weasels, we calls 'em. On the opinion pages of The New York Times, a working musician urged the music industry to recognize that copy-protection software is bad for everyone, consumers, musicians and labels alike. At online retailer⁴ Amazon.com, the reviews of Sony BMG's copy-protected CDs are filled with customer complaints.

But the public relations meltdown was only the beginning of Sony BMG's troubles. Within weeks, more than 10 class action lawsuits⁵ in both state and federal courts had been filed against Sony BMG (including two in which this author serves as counsel). Texas Attorney General Greg Abbott has also filed an action against Sony BMG, and the attorneys general of New York, Illinois and Massachusetts have expressed concern about the CDs in question.

Sony BMG's experience is quickly shaping up into an object lesson in the legal risks that companies can face when they distribute faulty software and mislead the public.

THE PROBLEM AND SONY BMG'S RESPONSE

All of Sony BMG's copy-protected CDs include one of two protection technologies, either First4Internet's Extended Copy Protection (XCP) or SunnComm's MediaMax software.

The initial security revelations, published on the SysInternals Web log in early November 2005, related to the XCP software. The Web log reported that the XCP software automatically installed a rootkit on Windows computers. A rootkit is essentially⁶ the computer equivalent of Harry⁷ Potter's invisibility cloak, permitting software to render itself invisible to a computer's operating system, anti-virus and anti-spyware software, thereby⁸ hiding itself from the computer user. Rootkits are generally associated with viruses, spyware and other malware that wants to burrow⁹ deep into a computer in order to avoid discovery and removal. The XCP rootkit posed a serious security risk because, once installed on a user's computer, it could be used by other third parties to hide their own malicious¹⁰ software.

Sony BMG initially¹¹ responded to the XCP revelations by attempting to downplay the risks, with one senior Sony BMG executive opining that most people, I think, do not even know what a rootkit is, so why should they care about it? While typical computer users may not have appreciated the vulnerabilities created by XCP's rootkit feature, virus writers responded within days by developing and releasing viruses designed to exploit it. Soon thereafter, the leading makers¹² of anti-spyware and anti-virus tools, including Microsoft, Symantec and Computer Associates, branded XCP a security threat. Their concerns were soon echoed by the U.S. Computer Emergency Readiness Team (US-CERT), an arm of the Department of Homeland Security charged with the task of protecting the nation's Internet infrastructure¹³.

Security woes¹⁴ were only part of the problem. Having paid full retail³ price for the CDs, music fans got them home only to discover that using them on a computer was subject to a bewildering and outrageous¹⁵ array of contractual conditions imposed by a mandatory¹⁶ end-user license agreement (EULA). For example, the EULA includes provisions purporting¹⁷ to require the immediate¹⁸ deletion of all copies if a user files for personal bankruptcy¹⁹ or parts with possession of the CD (including, presumably, if the CD were stolen from your car). The EULA also attempts to limit Sony BMG's liability to no more than $5, well short of a refund²⁰ of the purchase price, and to force consumers to litigate in New York if they have any disputes with Sony BMG. In short, when it came to using these CDs on their computers, music fans are getting far less for their money than they had with traditional CDs.

Sony BMG's initial efforts to address the problem were half-hearted, at best. An early uninstaller, offered to customers only after completing a complex request procedure, created new security vulnerabilities. Nearly two weeks elapsed before Sony BMG finally announced that it would halt further production of the XCP CDs. Ultimately, Sony BMG announced that it would offer to exchange XCP-protected CDs for unprotected replacements²¹. More than a month after the initial public revelations, a revised XCP uninstaller was finally released.

The other copy-protection technology, SunnComm's MediaMax, presented its own problems. Researchers discovered that the MediaMax software installed itself on Windows computers even when users declined the pop-up license agreement. When Sony BMG released an uninstaller for MediaMax, it created additional security risks. The Electronic Frontier Foundation (EFF) subsequently commissioned an examination of the MediaMax software, revealing a potentially dangerous security vulnerability. When Sony BMG released a patch to address this flaw, another vulnerability was discovered, necessitating²² the withdrawal²³ of the patch.

Both XCP and MediaMax are also troubling from a privacy perspective, as they routinely transmit information over the Internet to servers controlled by Sony BMG, sending information about a user's listening habits. This phone home feature is not disclosed to CD buyers, who are instead told by Sony BMG that no information is ever collected about you or your computer without your consenting.

THE LEGAL CLAIMS

The numerous lawsuits filed against Sony BMG in the wake of the protected-CD debacle provide an illuminating²⁴ overview²⁵ of the kinds of claims that companies may face when distributing faulty software.

One set of claims is rooted in statutes²⁷ forbidding computer intrusion. For example, a number of the class action complaints rely on the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, which forbids accessing a computer without, or in excess of, the authority of the owner of the computer. Private civil litigants²⁸ are entitled to bring suit where the prohibited computer intrusion causes losses exceeding $5,000, threatens public health or safety, or damages a computer system used by government entities²⁹ for judicial³⁰, national security or defense³¹ functions. Similar state laws have also been invoked³³, including California's Penal³⁴ Code §502, which prohibits the unauthorized introduction of a contaminant into a computer that transmits information about a computer to third parties without authorization³⁵.

Recently enacted³⁶ state laws aimed at spyware and adware are a second basis for legal claims against Sony BMG. Class actions filed in California, for example, allege³⁷ violations³⁸ of recently enacted California Business & Professions Code §22947.3, which prohibits deceptively taking control of a user's computer, modifying computer settings or preventing users from uninstalling software. Similarly, the Texas attorney general relied on the Consumer Protection Against Computer Spyware Act, Texas Business & Commercial Code §48.053, which prohibits manipulating software in order to prevent a computer user from detecting, locating and removing the software. The Texas statute²⁶ also prohibits intentionally⁴⁰ misrepresenting that the installation of software is necessary for security or privacy reasons. §48.055(1). In addition to California and Texas, 10 other states have enacted laws aimed at spyware, many of which may reach Sony BMG's conduct.

Several complaints brought in California also articulate claims based on the Consumer Legal Remedies Act (CLRA), California Civil Code §1770, a state consumer protection statute applicable to consumer transactions involving goods. This statute forbids, among other things, the imposition of unconscionable contractual terms on consumers, misrepresentations about a product and misleading advertising⁴¹.

Some class action complaints have also included common law trespass⁴² to chattels⁴³ claims, alleging⁴⁴ that Sony BMG's copy-protection software constitutes unauthorized intermeddling with the possessory interests of computer owners, resulting in damage to their computers. While this theory of liability has proven controversial when applied⁴⁵ in Internet contexts, several courts have indicated a willingness to entertain such claims. See Register.com v. Verio, 356 F.3d 393, 404 (2d Cir⁴⁶. 2004); eBay v. Bidder's Edge, 100 F.Supp.2d 1058 (N.D. Cal. 2000).

Finally, many of the complaints include allegations that Sony BMG's conduct amounts to an unfair or deceptive³⁹ trade practice, fraud, or false advertising under applicable state statutes. The class actions filed in California, for example, invoke³² California's Business & Professions Code §§17200 and 17500, while those filed in New York invoke General Business Law §§349 and §§350.

From a legal perspective, the many suits against Sony BMG will raise a welter of questions of first impression for the courts on whose dockets they appear. Whether those courts have an opportunity to rule on all of them may depend on whether Sony BMG opts⁴⁷ to seek an early and comprehensive settlement aimed at repairing the damage that already has been done by its ill-considered copy-protection strategy. But irrespective of the outcome in these cases, counsel advising companies that distribute software with their products have been afforded a sneak preview of the kinds of legal actions that can be brought against clients that release defective software into the national marketplace