The Sony Spyware Scandal

January 13, 2015

Sony’s attempt to spy on its customers and limit their fair use of the music they buy is outrageous. It speaks to the worst in corporate greed and contempt for the customer – not to mention outright stupidity.

Sony’s bad behavior isn’t just irresponsible and contemptible – it’s also illegal. At least that’s the opinion of the EFF (Electronic Frontier Foundation) and the State of Texas Attorney General’s office – both groups filed lawsuits against Sony last week. Half a dozen other class action suits against Sony are also rumored to be in the works. And Sony’s current legal woes may just be the beginning of a maelstrom of lawsuits, PR nightmares, and consumer alienation.

Here’s what the brouhaha is all about: Sony secretly placed the extremely hazardous XCP software on an estimated 2 to 3 million music CDs and the less dangerous but still problematic MediaMax software on over 20 million CDs. Both of these programs install themselves on your computer without your knowledge when you play one of the infected audio CDs in your computer’s CD drive, and both violate your privacy rights by collecting information about you and sending it back to Sony without your permission.

The XCP program is a type of spyware called a “rootkit” that hides itself on your computer. Not only does it let Sony secretly spy on you, it opens up a gaping security hole that can be exploited by almost any clever hacker to open up your system for nefarious purposes such as vandalism, destruction of data, or stealing your personal information to use for identity theft.

Even the Department of Homeland Security’s US-CERT division, in its self-proclaimed role of “protecting the nation’s Internet infrastructure” and coordinating “defense against and responses to cyber attacks across the nation,” slams Sony’s XCP spyware, saying that it can pose a significant security threat.

XCP also slows down your system, robbing you of performance in addition to your data. To make matters worse, when Sony provided customers with a program to uninstall the dangerous XCP software, the uninstaller opened even more security holes in the systems it was run on. Because rootkit spyware is designed to hide itself from the system, it can be almost impossible to fully uninstall – in some cases you have to reformat your hard drive and re-install all your software and data to completely get rid of it. And to top it off, the XCP spyware program illegally stole some of its code from another program called LAME.

The other spyware program Sony snuck onto customers’ systems is MediaMax. This software lets you know that it is being installed, but claims that it will not send any personal information back to Sony – even though it does exactly that. And, as with the XCP spyware, if you try to uninstall it using the program provided by Sony, you open up your system to hackers and crooks.

In the Texas case, Attorney General Greg Abbott filed a civil lawsuit seeking penalties of $100,000 per violation under the state’s recently-enacted Consumer Protection Against Computer Spyware Act. “Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” said Abbott when announcing the lawsuit.

The EFF lawsuit, filed in Los Angeles County Superior Court on behalf of California residents, claims that Sony broke several California laws, engaged in unfair and deceptive business practices, and violated the stated terms of its own licensing agreements with its customers. As a remedy, it demands that Sony repair the damage done by XCP and MediaMax.

If you’re in Sony’s legal, marketing, or PR departments you’re already overwhelmed. But wait! There’s more! The Texas and EFF lawsuits are based on state law, but Sony may have violated federal and international laws as well.

If Sony’s malware made it onto any computers owned by the government, which seems likely, Sony is in violation of the federal Computer Fraud and Abuse Act which prohibits: “fraud and related activity in connection with computers knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.” This law has some real teeth, with penalties of up to 10 years in jail for a first offense and 20 years for a second offense.

And across the Atlantic Ocean, in jolly old England, customers are also outraged, claiming Sony has violated the U.K.’s Computer Misuse Act of 1990, which states that it is an offense to make either an “unauthorised access” or an “unauthorised modification” to a computer – and Sony is guilty of both.

It’s doubtful that any Sony execs will find themselves facing jail time, unlike some hackers and spammers who have been charged under similar laws. We all know that O.J., Michael Jackson, and Robert Blake have shown us the legal benefits of Hollywood connections. But guess what? This isn’t Sony’s first trip to the courthouse. In fact, it almost seems like they are working on becoming corporate career criminals.

Just this past July, Sony reached a settlement with the State of New York where it agreed to end the widespread and corrupt practice of bribing radio stations to play their music, a practice given the well-known nickname “payola.” As Sony knows, payola violates both state and federal laws.

As New York Attorney General Eliot Spitzer said in announcing the settlement: “Our investigation shows that, contrary to listener expectations that songs are selected for airplay based on artistic merit and popularity, air time is often determined by undisclosed payoffs to radio stations and their employees. This agreement is a model for breaking the pervasive influence of bribes in the industry.”

And three years ago Sony settled with the State of California, which had accused it of participating in an illegal price-fixing scheme. Here’s what California Attorney General Bill Lockyer said back in 2002 when he announced the settlement with Sony: “Our antitrust investigation found illegal sales agreements being used to stifle competition and fix the prices of music CDs. Instead of benefiting from a competitive marketplace, consumers looking for music entertainment had their pocketbooks squeezed by these secret deals to artificially inflate prices.”

The supreme irony in all of this is that Sony put the spyware on its music CDs to help stop illegal copying and distribution of its music, and stole some code from another program in the process. But it seems like the ultimate hypocrisy – Sony seems to have a history of breaking serious federal and state laws, and then goes and breaks more laws to go after a bunch of petty theft. It’s almost like the Mafia putting out a hit on someone for stealing office supplies.

Sony has plenty of lawyers and PR people to help it stomp out the current wildfire, but it may take a while to win back the trust of its customers. I’m already hearing disquieting things from Sony customers – most troubling of all are some who now feel that downloading music from an unauthorized file-sharing service is actually safer than buying the CD. Hey Sony, how’s that for backfiring?
