Texas Sues Sony BMG Alleging Violation of Texas Spyware Statute

November 21, 2005. The state of Texas file a complaint [8 pages in PDF] in state court in Texas against Sony BMG Music Entertainment alleging violation of its state statute titled "Consumer Protection Against Computer Spyware Act", or CPACSA. The complaint alleges that Sony has sold audio CDs with software, some of which is related to content protection, which software also degrades the consumers' PC performance, and exposes the PC to certain virus threats, without disclosure to consumers.

Greg Abbott, who is the Attorney General of the State of Texas, stated in a release that "Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers ... Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime."

The complaint states that Sony has sold CDs that contain "its own proprietary media player designed to play audio tracks on a personal computer (as opposed to a consumer using third-party programs such Microsoft Windows Media Player). These audio CDs utilize XCP Technology (``XCP创) which Sony BMG represents is designed to ``protect the audio files embodied on the CD.创" (Parentheses in original.)

The complaint adds that Sony marked the CD packages with the notice "Content Protected", but that it made "no disclosures on the packaging that anything will be installed on the consumer's computer".

The complaint elaborates on the details of the software installed on consumers' PCs. "During the installation of its media player, Sony BMG creates and installs components of its XCP technology in a folder it names ``C:/Windows/System32/$sys$filesystem.创 Unbeknownst to the consumer, Sony BMG also installs a file named ``Aries.sys创 in the same folder which conceals the XCP files and the folder in which they are installed, such that the owner of the computer performing a search of the file system would not be able to locate and remove the XCP technology. Essentially, the Aries.sys driver masks any folder or file name on a consumer's computer that begins with the characters ``$sys$,创 which are the first characters of the folders, files, and registry entries associated with the XCP technology. Moreover, these hidden files and folder are installed within the consumer's Microsoft Windows ``System32创 subfolder, such that a consumer may confuse that software with essential files needed to run the computer's operating system."

The complaint also states that "The Aries.sys file is not required to play Sony BMG抯 copy protected CDs; rather its purpose is to conceal the copy protection software installed by Sony BMG.", and that "Sony BMG does not disclose the fact that its technology includes this cloaking component to consumers on either the CD itself or in its licensing agreement." It adds to that Sony's proprietary media player is not required to play the CDs.

The complaint then addresses how this undisclosed installation of software can harm consumers. First, it consumes system memory. The complaint states that "Sony BMG抯 XCP technology remains hidden and active on a consumer抯 computer at all times after installation, even when Sony BMG抯 media player is not active. During the installation process, Sony BMG installs another hidden file named, ``$sys$drmserver.exe创 which is cloaked and constantly consumes system memory, resulting in a reduction in a consumer抯 available system resources."

"In addition, a consumer attempting to remove the XCP technology finds that Sony BMG has made it extremely burdensome if not impossible to do so -- Sony BMG does not make an uninstall utility readily available. The consumer must first contact customer service via email to receive a patch that will ``uncloak创 the hidden files (in part by deleting the Aries.sys file), and then requiring the consumer to contact customer service again if he/she wants to remove the XCP software."

The second type of possible harm to consumers is increased vulnerability to virus threats. The complaint states that "Despite Sony BMG's assertions, various news sources have recently reported the spread of newly created viruses which exploit Sony BMG抯 cloaking technology. As a result, a consumer without knowledge of the installation of the Aries.sys file on their computer may be vulnerable to new security risks, and given the cloaked nature of these files, and the extremely burdensome impediments to removing them, that consumer may find it difficult or impossible to protect themselves from future risks."

The complaint seeks injunctive relief and damages in the amount of $100,000 per violation.

This case is State of Texas v. Sony BMG Music Entertainment LLC, District Court of Travis County, Texas.

Texas is developing a record as a regulator of information technology. In addition to the present action, on March 22, 2005, Texas filed a complaint [14 pages in PDF] in state court in Texas against Vonage alleging violation of the Texas Deceptive Trade Practices Act (DTPA) in connection with Vonage's marketing and sale of voice over internet protocol (VOIP) service. See, story titled "Texas Sues Vonage Over Marketing of VOIP Service" in TLJ Daily E-Mail Alert No. 1,101, March 23, 2005.

Also, in 2004, Texas was a plaintiff in the failed lawsuit against Oracle seeking to block Oracle's acquisition of PeopleSoft on antitrust grounds. See, February 26, 2004, complaint. See also, stories titled "DOJ Loses Oracle Case" in TLJ Daily E-Mail Alert No. 974, September 10, 2004, and "Antitrust Division Sues Oracle to Enjoin Its Proposed Acquisition of PeopleSoft" in TLJ Daily E-Mail Alert No. 846, March 1, 2004.

Disclosure. One of the attorneys for the state of Texas whose name appears on the complaint is a former law school classmate and roommate of the publisher of TLJ. Readers may wish to take this into consideration in assessing the accuracy and objectivity of any TLJ coverage of this lawsuit.