Sony Settles Rootkit CD Suit With Texas, California

Sony BMG Music Entertainment settled lawsuits with California and Texas Tuesday that stemmed from the November 2005 disclosure that the company's audio CDs were planting spyware-style rootkits on users' PCs without their knowledge.

Under terms of the agreements, each state will receive $622,000 in damages and $128,000 to cover legal costs and fees. Sony BMG will also refund up to $175 to each resident of Texas and California who spent money to repair computers damaged by attempts to uninstall the rootkit code used to mask Sony's CD copy-protection software.

The Attorneys General of both states had filed lawsuits last year charging Sony with unfair business practices and/or violations of anti-spyware statutes.

"Texans deserve to be protected from harmful, hidden files that threaten their privacy or the integrity of their computer systems," said Texas Attorney General Greg Abbott in a statement. "Our first-in-the-nation action against Sony BMG shows that consumer privacy will be vigorously protected."

California's head law enforcement officer also weighed in. "Companies that want to load their CDs with software that limits the ability to copy music should fully inform consumers about it, not hide it, and make sure it doesn't inflict security vulnerabilities on computers," said Attorney General Bill Lockyer in a rival statement.

According to Lockyer, some 450,000 Californians purchased Sony BMG CDs that used rootkit technologies, but he didn't estimate the number eligible for refunds under the settlement. Texas estimates pegged the number of rootkit CD buyers at 130,000.

The brouhaha began in November 2005 when independent researcher Mark Russinovich, who has since gone on to work for Microsoft, disclosed that Sony BMG had used a rootkit to "cloak" digital rights management software on PCs that had played the company's CDs. Later analysis by Russinovich and others found that uninstalling the code could damage the computer, and that hackers could exploit the rootkit to plant other malicious code.

Sony's first attempt to deal with the problem was a debacle; the patch it issued made some computers crash. Earlier this year, Sony settled several class-action lawsuits, including one filed by the Electronic Frontier Foundation. The California settlement judgment can be downloaded as a PDF from here, while the Texas settlement is available here.