p2pnet - rss feed: EFF deadline for Sony BMG
p2p news / p2pnet: EFF staff lawyer Fred von Lohmann has already take a huge bite out of Sony BMG’s fast disintegrating credibility with tis dissection of its EULA.
Now the association completes the job >>>>>>>>>>>>>>>>>>>>>>>>
An Open Letter to Sony-BMG
To: Andrew Lack, CEO of Sony-BMG
Cc: Rolf Schmidt-Holtz, Chairman of the Board, Sony-BMG
Cc: Howard Stringer, CEO of Sony Entertainment
Cc: Gunter Thielen, CEO of Bertelsmann AG
Dear Mr Lack,
The Electronic Frontier Foundation (EFF) has viewed with growing concern the revelations regarding the XCP Content Protection Software and the SunnComm MediaMax software that your company has chosen to include on at least two dozen of your music CD releases. We are also concerned by your company’s limited response to the concerns of your customers and the computer security community.
As has been documented by independent researcher Mark Russinovich and many others, the XCP software appears to have been designed to have many of the qualities of a “rootkit.” It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, elements of the software run continuously — even when no Sony-BMG music CD is in use. It provides no clear uninstallation option. Additionally, without notifying users, the software appears to contact a remote machine under your control. The MediaMax software is somewhat different, but similarly has no true uninstall option and an undisclosed ongoing communication from the users’ computer to SunnComm.
You must be aware that the discovery of this software has shocked and angered your customers. Software that deceives the owner of the computer it runs upon and opens that computer up to attacks by third parties may be expected to come from malicious cyber-attacks; it is certainly not expected nor acceptable to be distributed and sold to paying customers by a major music company. Accordingly, EFF welcomes your company’s decision to temporarily halt manufacturing CDs with XCP and to reexamine “all aspects” of your “content protection initiative.”
But if you truly intend to undo the harm you have caused, your company should immediately and publicly commit to the following additional measures:
* Recall all CDs that contain the XCP and SunnComm MediaMax technology. The recall must include removing all infected CDs from store shelves as well as halting all online sales of the affected merchandise. We understand from a recent New York Times article that well over 2 million infected CDs with the XCP technology are in the marketplace and have yet to be sold.
* Remove from all current and future marketing materials statements like that on http://cp.sonybmg.com/xcp/english/updates.html that say the cloaking software “is not malicious and does not compromise security.”
* Widely publicize the potential security and other risks associated with the XCP and SunnComm MediaMax technology to allow the 2.1 million consumers who have already purchased the CDs to make informed decisions regarding their use of those CDs. The publicity campaign should include, at a minimum, issuing a public statement describing the risks and listing every Sony CD, DVD or other product that contains XCP or SunnComm MediaMax. The publicity campaign should be advertised in a manner reasonably calculated to reach all consumers who have purchased the products, in all markets where the CDs have been sold.
* Cooperate fully with any interested manufacturer of anti-virus, anti-spyware, or similar computer security tools to facilitate the identification and complete removal of XCP and SunnComm MediaMax from the computers of those infected. In particular, Sony should publicly waive any claims it may have for investigation or removal of these tools under the Digital Millennium Copyright Act (DMCA) and any similar laws.
* Offer to refund the purchase price of infected CDs or, at the consumer’s election, provide a replacement CD that does not contain the XCP or SunnComm technology. For those consumers who choose to retain infected CDs, develop and make widely available a software update that will allow consumers to easily uninstall the technology without losing the ability to play the CD on their computers. In addition, consumers should not be required to reveal any personally identifying information to Sony in order to access the update, as Sony is currently requiring.
* Compensate consumers for any damage to their computers caused by the infected products, including the time, effort, and expenditure required to remedy the damage or verify that their computer systems or networks were or were not altered or damaged by XCP or SunnComm MediaMax products.
* Prior to releasing any future product containing DRM technology, thoroughly test the software to determine the existence of any security risks or other possible damages the technology might cause to any user’s computer.
* Certify in a statement included in the packaging of every CD containing DRM technology that the product does not contain any concealed software such as the XCP rootkit, does not electronically communicate with Sony-BMG or any other party, does not initiate the download of any software update or other data without informed consent of the consumer immediately prior to each communication, can be uninstalled without any need to contact Sony or disclose personally identifying information to anyone, does not present any security risks to any consumer’s computer, and will not damage or reduce the performance of the consumer’s computer or data in any way.
We look forward to hearing that you are in the process of implementing these measures by 9:00am PST on Friday, November 18, 2005.
Sincerely,
Electronic Frontier Foundation
=============
There’s a November 18 deadline in the EFF’s open letter, but doesn’t say what anything about its plans for non-compliance.
Any ideas?
Meanwhile, stay tuned.
Tired of being treated like a criminal? They depend on you, not the other way around. Don’t buy their ‘product’. Do bug your local political representatives. Use emails, snail-mail, phone calls, faxes, IM, stop them in the street, blog. And if you’re into organizing, organize petitions, organize demonstrations and then turn up on your local political rep’s doorstep, making sure you’ve contacted your local tv/radio station/newspaper in advance.
See:-
SunnComm - SunnComm falls for p2pnet spoof, November 9, 2005
huge bite - You think Sony’s DRM is bad?, November 13, 2005
EULA - Sony DRM rips off L.A.M.E., November 14, 2005
November 15th, 2005 at 1:47 pm
The chances of this remedy actually being implemented with or without court assistance is practically nil. Of course this remedy is the right thing to do. As for me, all Sony products are off my purchase list.
November 15th, 2005 at 4:45 pm
the’re going to laugh in the EFF’s face behind closed doors.
Sony: “Compensate consumers, muhahaha, what are they thinking? We’re trying to squeeze every last dollar out of them, not give it back!”
November 15th, 2005 at 4:58 pm
That’s what I think the EFF are planning.
November 15th, 2005 at 8:04 pm
Sony has had plenty of time to do the right thing. Hoping all this would blow over and die down is why your not hearing much from Sony. (Personally, I can’t believe how much crap Sony has pulled over the years.) EFF is making sure that Sony, who apparently has no concept of what is the right thing to do, is informed of it. Since they lack the moral integrity to figure out what to do or how to do it to make it right, EFF is taking the oppurtunity to tell them publicly, so there is no mistake that they know. Shame such a large corporation has to be told, “This is how you do it.”
Setup for possible future litigation? Very possible.
November 15th, 2005 at 10:18 pm
Where would we be without the EFF looking out for us all? I don’t know of any other organization that works for the greater good of the people in respect to technology and privacy.
They are definiatly on my list of donations.
November 16th, 2005 at 5:57 am
Has anyone bothered to read the complete EULA Sony tried to force on an unsuspecting public? I believe it should be made known far and wide! That EULA insists that the end user agree to allow Sony to download and install on the user’s computer ANY SOFTWARE UPDATES it (Sony) feels like installing. This could include ANYTHING! IT WAS NOT QUALIFIED OR CONDITIONAL. The EULA quite literally required the end user to allow Sony unrestricted access to his P.C.
All of this reeks of criminal intent. We consumers need to start rebelling against those intrusive, coercive EULAs. I believe a court of law (if one could find a judge who, for reasonable consideration, has not already predisposed himself to the entertainment cartel’s highly questionable motivations) would rule such agreements and contracts as unenforceable.
Consider: no private citizen can be barred from shopping or browsing at a mall or shopping center, without first having been served with an injuction for unacceptable behavior or crimes. A person cannot be required to provide personal information prior to being allowed access to the mall or shopping center. Businesses that are open to the public may not selectively deny access for whimsical, arbitrary, or prejudicial reasons. As such, and with ample legal precedent having already been established, challenges to “Terms of Use” or “Terms and Conditions”, etc., in conjunction with “Privacy Policies”, which serve to bar anyone who does not agree to the unrestricted and wholesale distribution of his personal, private information, should be successful and should turn the tables on these blood-sucking parasites.
We are the consumers — we are the ones they WANT to reach, in order to sell their products or services, in order to generate profits. We are the ones who should dictate the terms under which we are willing to patronize their web sites. We most definitely should not allow ourselves to be cowed into submission!
November 17th, 2005 at 6:07 pm
Sony will see our responses in lose of sales for their CD and proprietary PS3 with the famous “no resale or trade software” (expensive junk).