Sony BMG has agreed to settle with a group of plaintiffs in a New York class action lawsuit relating to the DRM software that triggered consumer outrage and a PR disaster for the company. As part of the settlement, Sony will compensate those who purchased infected CDs and fix their computers.

The preliminary settlement was revealed in a filing with the US District Court for the Southern District of New York. It covers people who purchased or used a CD with Sony's now infamous XCP (Extended Copy Protection) software or the equivalent MediaMax software produced by Sony BMG partner Sunncomm. While both sets of DRM have their problems, XCP gained particular notoriety for opening up a security hole on computers that hackers were quick to exploit.

Under the terms of the settlement, Sony BMG would agree to provide the following:

• Compensation for buyers of XCP CDs and MediaMax CDs
• Software utilities to update and uninstall XCP and MediaMax software from consumers' computers
• An agreement by SONY BMG to immediately recall of XCP CDs, and not manufacture MediaMax CDs for a period of at least two years
• A series of injunctive measures governing any SONY BMG CDs manufactured with content protection software over the next two years
• Defendants’ agreement not to collect personal information on Settlement Class Members through XCP, MediaMax and future content protection software, without their express and affirmative consent
• Defendants’ agreement to waive certain rights currently contained in the EULAs for XCP and MediaMax CDs and software
• A “most favored nations” provision that would enhance the benefits available to all Settlement Class Members if Defendants provide additional benefits to a subset of Settlement Class Members through an agreement with any government authority

Sony BMG has already put a program in place that allows consumers to exchange infected CDs for clean ones, and this settlement clearly dictates that this practice continue with Sony BMG providing free shipping of the CDs and encouraging stores to replace the goods.

To nudge consumers to act on the settlement, Sony BMG will be required to offer two different incentive packages. In addition to receiving a DRM-free version of their original CD, consumers will have the option of picking up a $7.50 cash payment and promotion code that allows them to download one of 200 albums. Or they can pick up a promotion code that allows for three album downloads. Interestingly, Sony must also work to make the downloads available on iTunes.

In addition, "Under the Settlement, SONY BMG will be enjoined from using XCP and MediaMax software on audio CDs they manufacture. SONY BMG will implement several changes to its policies and procedures concerning content protection software and the EULAs associated with that software. These changes will ensure that the content protection software will not be installed without the user’s express consent, will be removable from the user’s computer, and will not render the user’s computers vulnerable to known security risks. In addition, the EULA’s will be written in plain English and will accurately describe the nature and function of the content protection software."

The settlement - available here in PDF (http://www.sunbelt-software.com/ihs/alex/sonysettleme23423423434nt.pdf) - must still be approved by the court.

Given the scope of the settlement, it's hard to take Sony BMG's earlier nonchalance about the incident seriously. It would seem the company's DRM suppliers have a lot of work to do in order to meet these new guidelines. ®

Related stories

Sears sued for website that leaked customer purchases (7 January 2008)
http://www.theregister.co.uk/2008/01/07/sears_privacy_classaction/
How fat is my DRM? (20 December 2006)
http://www.theregister.co.uk/2006/12/20/sony_rootkit_drm_settlement/
Stealth techniques push malware under the radar (3 October 2006)
http://www.theregister.co.uk/2006/10/03/verisign_stealth_malware_report/
Judge approves Sony rootkit settlement (23 May 2006)
http://www.theregister.co.uk/2006/05/23/sony_rootkit_settlement/
The big DRM mistake (3 March 2006)
http://www.theregister.co.uk/2006/03/03/the_drm_mistake/
400,000 Sony Bravia TVs hit by software flaw (14 February 2006)
http://www.reghardware.co.uk/2006/02/14/sony_bravia_bug/
Norway accuses iTunes of consumer-rights violations (27 January 2006)
http://www.theregister.co.uk/2006/01/27/norway_itunes_complaint/
Consumer group calls for anti-DRM laws (18 January 2006)
http://www.theregister.co.uk/2006/01/18/drm_consumer_opposition/
Researcher: Sony BMG rootkit still widespread (16 January 2006)
http://www.theregister.co.uk/2006/01/16/sony_bmg_rootkit_still_widespread/
Symantec fixes 'rootkit' bug in Systemworks (12 January 2006)
http://www.theregister.co.uk/2006/01/12/symantec_fixes_rootkit_bug/
Apple bitten by iTunes security bugs (11 January 2006)
http://www.theregister.co.uk/2006/01/11/itunes_vulns/
Data security moves front and center in 2005 (3 January 2006)
http://www.theregister.co.uk/2006/01/03/secfocus_2005_review/
Rootkits, cybercrime and OneCare (27 December 2005)
http://www.theregister.co.uk/2005/12/27/security_review_2005/
Sony BMG shortlisted for 'internet villain' gong (13 December 2005)
http://www.theregister.co.uk/2005/12/13/ispa_villain/
SonyBMG backtracks on buggy bug fix (9 December 2005)
http://www.theregister.co.uk/2005/12/09/sony_mediamax_problems/
EFF hatchet job spawns creepy reader love-in (8 December 2005)
http://www.theregister.co.uk/2005/12/08/everybody_hates_eff/
Sony opens up over another CD security hole (7 December 2005)
http://www.theregister.co.uk/2005/12/07/sony_cd_security/
EFF volunteers to lose important suit over Sony 'rootkit' (6 December 2005)
http://www.theregister.co.uk/2005/12/06/eff_needs_to_die/
Sony's DRM woes worsen (30 November 2005)
http://www.theregister.co.uk/2005/11/30/sony_drm_spitzer/
Sony fiasco: More questions than answers (23 November 2005)
http://www.theregister.co.uk/2005/11/23/sony_drm_questions/
Sony unsinged by rootkit CD fiasco (22 November 2005)
http://www.theregister.co.uk/2005/11/22/analysis/
Gaffer tape defeats Sony DRM rootkit (21 November 2005)
http://www.theregister.co.uk/2005/11/21/gaffer_tape_trips_up_sony_drm/