RFC on Sony BMG Covert DRM Spyware

A Cryptome DVD is offered by Cryptome. Donate $25 for a DVD of the Cryptome 10+-years archives of 39,000 files from June 1996 to December 2006 (~4.1 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, cryptome2.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost.

22 March 2007

[Federal Register: March 21, 2007 (Volume 72, Number 54)]
[Notices]
[Page 13286-13288]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr21mr07-60]

[[Page 13286]]

=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 062 3019]

Sony BMG Music Entertainment; Analysis of Proposed Consent Order
To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.

DATES: Comments in response to this notice must be received on or
before March 23, 2007.

ADDRESSES: Interested parties are invited to submit written comments.
Comments should refer to ``Sony BMG Music, File No. 062 3019,'' to
facilitate the organization of comments. A comment filed in paper form
should include this reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission, Office of the Secretary, Room 135-H, 600 Pennsylvania
Avenue, NW., Washington, DC 20580. Comments containing confidential
material must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with Commission Rule 4.9(c). 16 CFR
4.9(c) (2005).\1\ The FTC is requesting that any comment filed in paper
form be sent by courier or overnight service, if possible, because U.S.
postal mail in the Washington area and at the Commission is subject to
delay due to heightened security precautions. Comments that do not
contain any nonpublic information may instead be filed in electronic
form as part of or as an attachment to e-mail messages directed to the
following e-mail box: consentagreement@ftc.gov.
---------------------------------------------------------------------------

\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See Commission Rule 4.9(c),
16 CFR 4.9(c).
---------------------------------------------------------------------------

The FTC Act and other laws the Commission administers permit the
collection of public comments to consider and use in this proceeding as
appropriate. All timely and responsive public comments, whether filed
in paper or electronic form, will be considered by the Commission, and
will be available to the public on the FTC Web site, to the extent
practicable, at http://www.ftc.gov. As a matter of discretion, the FTC

makes every effort to remove home contact information for individuals
from the public comments it receives before placing those comments on
the FTC Web site. More information, including routine uses permitted by
the Privacy Act, may be found in the FTC's privacy policy, at http://www.ftc.gov/ftc/privacy.htm
.

FOR FURTHER INFORMATION CONTACT: Matthew Daynard (202/326-3291), Bureau
of Consumer Protection, 600 Pennsylvania Avenue, NW., Washington, DC
20580.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 of
the Commission Rules of Practice, 16 CFR 2.34, notice is hereby given
that the above-captioned consent agreement containing a consent order
to cease and desist, having been filed with and accepted, subject to
final approval, by the Commission, has been placed on the public record
for a period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for January 30, 2007), on the World Wide Web, at http://www.ftc.gov/os/2007/01/index.htm.
A paper copy can be obtained from the FTC Public

Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW., Washington,
DC 20580, either in person or by calling (202) 326-2222.
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.

Analysis of Agreement Containing Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final
approval, an agreement containing a consent order from Sony BMG Music
Entertainment (``Sony BMG'' or ``respondent'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement or make final the agreement's proposed
order.
This matter involves respondent's use of content protection
software, also known as Digital Rights Management (DRM) software,
embedded on its music CDs and the use of a proprietary media player on
many of these CDs that must be used to listen to them. When played on a
Windows-based computer, Sony BMG's DRM software is installed on
consumers' computers and restricts the use of the audio files and other
digital material on the CDs. In addition, the ``XCP'' and ``MediaMax
5.0'' versions of respondent's DRM software create security
vulnerabilities on consumers' computers, and, when consumers' computers
are connected to the Internet, the media player monitors users'
listening habits and sends back relevant advertisements.
According to the FTC complaint, Sony BMG engaged in unfair and
deceptive practices in distributing its content-protected CDs. The
complaint contains two unfairness charges. The first count alleges that
it was unfair for respondent to cause its DRM software, which exposed
consumers' to security risks, to be installed on consumers' computers
without adequate notification and consent. As alleged in the complaint,
respondent's ``XCP'' DRM software contains cloaking technology that
hides the existence of the software from the Windows Operating System.
The cloaking technology creates a security vulnerability because
malicious software that enters users' computers can exploit the
cloaking technology to conceal itself from the computers' security
software. In addition, respondent's ``MediaMax 5.0'' DRM software
creates a ``privilege escalation vulnerability'' that could allow third
parties who gain physical access to the computer but who have lower-
privilege access to exercise full control over a consumer's computer
running the Windows Operating System. Consumers could not reasonably
prevent this injury because they did not know of the DRM software's
existence or its harmful effects. The complaint therefore alleges that
respondent's practices caused, or were likely to cause, substantial
consumer injury that consumers could not reasonably avoid and which was
not outweighed by countervailing benefits to consumers or competition.
The complaint further alleges as unfair respondent's practices in
causing its DRM software that made computers insecure to be installed
without providing a reasonable means to locate and/or remove it. As
alleged in the

[[Page 13287]]

complaint, Sony BMG's use of cloaking technology and the failure of the
``XCP'' and ``MediaMax 5.0'' software to appear in the Windows ``Add/
Remove'' utility hid the existence of the software from consumers and
their operating systems. In addition, respondent failed to make an
uninstall tool readily available. The complaint alleges that, as a
result, consumers incurred substantial costs in locating and removing
the DRM software from their computers and in stopping its harmful
effects. Thus, the complaint alleges that respondent's practices in
failing to provide a reasonable means to locate and remove its DRM
software caused, or were likely to cause, substantial consumer injury
that could not be reasonably avoided by consumers and did not provide
countervailing benefits to consumers or competition.
In addition, the complaint challenges, as deceptive, Sony BMG's
failure to disclose adequately that its music CDs install onto
computers software that materially limits their use by limiting the
number of disc-to-disc copies that consumers can make, and by
restricting consumers'' ability to transfer to and play music on
digital playback devices other than Sony BMG and Microsoft devices.
Finally, the proposed complaint alleges as deceptive respondent's
undisclosed inclusion of its media player, which monitors the artists
that consumers listen to on their computers and displays advertising.
The proposed consent order contains provisions designed to enhance
and expand upon respondent's programs to provide refunds to consumers
and includes injunctive relief to protect against future consumer
injury from similar acts and practices.
Part I of the proposed order requires Sony BMG to include on the
front cover of the packaging for any content-protected CD a clear and
prominent disclosure that important consumer information regarding
limits on copying and use can be found on the rear of the product
packaging. This provision also requires respondent to disclose more
fully on the back cover that the CD will install software, if that is
the case; has copying limits; and can only be used on certain playback
devices. Part II bars Sony BMG from installing content protection
software from a CD without consumers' authorization. Specifically,
before such software can be installed, respondent must disclose on the
consumer's computer screen the information required by Part I and the
consumer must have signaled her consent by clicking on a properly
labeled button or taking a similar action. Further, in cases where Sony
BMG conditions consumers' use of its CDs on their installing content
protection software onto their computers, Part III requires that
respondent clearly and prominently disclose this requirement on the
product packaging.
Regarding ``enhanced connectivity'' CDs (CDs containing
respondent's proprietary media player that transmits non-personally
identifiable information from consumers' computers to respondent and
displays promotional messages on consumers' computers), Part IV of the
proposed order, which applies to enhanced connectivity CDs that Sony
BMG sells prior to the date that this order becomes final, prohibits
respondent from using any information it collects through enhanced
connectivity CDs for any marketing purpose and requires respondent to
destroy such information within three days of receipt. Part IV also
prohibits Sony BMG from using any such information to deliver
advertising or marketing messages. Part V, which applies to enhanced
connectivity CDs that Sony BMG sells after the order becomes final,
requires that if, to use a CD on a computer, consumers must agree to
have information collected about them, Sony BMG must disclose this
condition clearly and prominently on the product packaging. Further,
Part V prohibits Sony BMG from collecting any information using its
enhanced connectivity CDs, unless it first discloses that the CD will
collect information and/or send back advertising to the computer and
obtains consumers' consent to do so.
In connection with the marketing, advertising, or distributing of
any CD, Part VI prohibits Sony BMG from installing content protection
software that prevents consumers from readily locating or removing the
software from the computer. This prohibition includes, but is not
limited to, hiding, cloaking, using misleading or random names for, and
misrepresenting the purpose or effects of any file, folder, or
directory associated with such software.
Part VII requires that respondent provide a reasonable and
effective means to uninstall its content protection software. Part VII
also provides that Sony BMG is not required to uninstall the
``counter'' file of its software that determines whether the consumer
has exceeded the permitted number of copies on the computer, as long as
respondent discloses on consumers' computer screens, prior to
installing the content protection software, that this file will not be
removed and the file does not impair, hinder, or otherwise adversely
affect the computer's operation. Part VII further requires that Sony
BMG, for a period of two years from the date that the order becomes
final, continue to provide free uninstall tools and patches for XCP and
MediaMax 5.0 and to disclose the existence of these tools on its Web
site. In addition, Part VII of the order requires that Sony BMG notify
consumers of the XCP and MediaMax 5.0 vulnerabilities and how to fix
their computers, by extending its existing program of purchasing key
words on search engines to one year after the date the order becomes
final, and also by publishing a notice through its Web site.
Part VIII of the proposed order makes clear that all purchasers,
prior to December 31, 2006, of XCP and MediaMax CDs are eligible to
participate in its ongoing compensation program. Part VIII also
requires Sony BMG to extend the period for accepting exchanges to six
months after December 31, 2006. Further, Part VIII of the order
requires that Sony BMG reimburse consumers up to $150 of their costs to
repair computer damage resulting from their attempts to remove the XCP
content protection software before respondent made an uninstall tool
readily available. Finally, Part VIII requires Sony BMG to publish
notices on its Web site informing consumers about the extended period
for exchanging CDs and the ``repair reimbursement'' program.
Part IX of the proposed order requires that, before selling
MediaMax CDs from its inventory, Sony BMG must make applicable
disclosures about copying and use restrictions on the product
packaging. In the case of MediaMax 5.0 CDs, Sony BMG also must disclose
on the packaging that, if used on a computer, these CDs will create
security vulnerabilities that consumers can eliminate with a patch that
they can download, free of charge, from respondent's Web site, and
establish an Internet connection through which Sony BMG will collect
information from, and send back advertising to, the computer. Also,
with respect to MediaMax 5.0 CDs that Sony BMG has sold to retailers,
Part IX requires that it offer retailers the same financial incentives
to return these CDs as those for XCP CDs. Further, Sony BMG must offer
these incentives for two years after the date the order becomes final.
Parts X through XIII of the proposed order are record-keeping and
reporting provisions. Part XIV provides that the order will terminate
after twenty (20) years under certain circumstances.
The purpose of this analysis is to facilitate public comment on the
proposed order, and it is not intended to constitute an official
interpretation of

[[Page 13288]]

the agreement and proposed order or to modify in any way their terms.

By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 07-1403 Filed 3-20-07; 8:45 am]

BILLING CODE 6750-01-P