The Attorney General for the state of Texas filed a lawsuit against Sony BMG Music Entertainment on Monday, calling the media giant's copy-protection technology "illegal spyware".

The complaint alleges that Sony BMG violated the Texas Consumer Protection Against Computer Spyware (CPACS) Act, which includes provisions that punish those who hide software from a computer's owner. The focus of the legal action is a copy-protection program created by software firm First 4 Internet and used by Sony BMG to guard 52 CD titles.

The Extended Copy Protection (XCP) software hides itself and controls basic functions of the Windows operating system - tactics employed by the rootkits commonly used by online attackers. The software was included on some 4.7 million discs produced by Sony BMG, of which about 2.1 million were sold.

"Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," Texas Attorney General Greg Abbott said in a statement. "Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime."

With the lawsuit, Texas becomes the first state in the nation to sue Sony BMG for the company's role in installing the surreptitious copy-protection program on PCs. Following the discovery of the software three weeks ago, security experts, consumers and digital-rights advocates have taken the media giant to task, saying that Sony BMG's software makes computers insecure, does not adequately inform the user as to its function and cannot be uninstalled easily.

Sony BMG did not answer requests for comment on Monday.

At least a half dozen legal actions have already been filed or will be filed in the coming weeks, said sources at the firms involved in the cases. The same day as the Texas lawsuit, two law firms joined the Electronic Frontier Foundation, a digital rights advocacy group, to file a case in California court on Monday.

A lawyer in Los Angeles filed a class action lawsuit against Sony in citing three violations of consumer and business codes. Later that week, Italian digital rights group Associazione per la Libertá nella Comunicazione Elettronica Interattiva (ALCEI) filed a criminal complaint in the country to investigate whether Italian consumers were affected by the Sony BMG cloaking technology. Chicago-based law firm Cirignani Heller Harman & Lynch plans to file a lawsuit against Sony to recover damages caused to consumers by the media giant's copy protection scheme, an attorney with the firm said.

While the functionality and intent of Sony BMG's copy protection are at the heart of the lawsuits, they cases will also test whether consumers can give a company broad permission to install possibly detrimental programs on their systems. Moreover, the media giant constructed a number of hurdles to removing the program, including a privacy-invasive registration and the need to wait for a special identification number.

New York attorney Scott Kamber, who filed a class-action lawsuit against Sony BMG in a U.S. District Court in New York City last week, said that Sony BMG damaged consumers' computer systems with its code.

Two Princeton University computer scientists said that the way Sony BMG and copy-protection provider First 4 Internet remove the XCP software - using an Active X control - leaves PCs open to attack by malicious Web sites.

The Electronic Frontier Foundation (EFF) added to its list of complaints the MediaMax copy protection software produced by digital-rights provider SunnComm. That company protects the lion's share of Sony BMG's titles with about 20 million discs bearing SunnComm's digital-rights management code.

"Consumers have a right to listen to the music they have purchased in private, without record companies spying on their listening habits with surreptitiously-installed programs," Kurt Opsahl, a staff attorney with the EFF, said in a statement. "Between the privacy invasions and computer security issues inherent in these technologies, companies should consider whether the damage done to consumer trust and their own public image is worth its scant protection."

The intense pressure from consumers and security experts had Sony BMG reversing its course last week. The company ceased to manufacture the CDs that included the troublesome technology, planned to release a secure removal tool, and instituted a buy-back program.

"We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets," Sony BMG said in a statement published last week.

With more law firms filing complaints against Sony BMG, recalling its CDs will likely not get the media giant out of legal hot water.

The Texas Attorney General's lawsuit focuses on classifying Sony BMG's copy protection as spyware, because it secretly installs itself and is difficult to remove. Moreover, because the software remains hidden and active after installation, the Attorney General charges that it goes beyond the function of copy protection.

The whole incident is unfortunate, analysts Martin Reynolds and Mike McGuire of business research firm Gartner wrote in brief on Friday (PDF), because the copy-protection software does not prevent most copy programs from duplicating discs. Moreover, a fingernail-sized piece of tape can render the track containing the software from executing, defeating the copy protection.

"Sony BMG's ... technology will prevent neither informed casual copiers nor high-volume 'pirates' from doing whatever they like with the content of the disc," the analysts wrote. "Sony BMG has created serious public-relations and legal issues for itself, and for no good reason."

Copyright © 2005, SecurityFocus

Related stories

• SonyBMG backtracks on buggy bug fix (9 December 2005)

  https://www.theregister.com/2005/12/09/sony_mediamax_problems/

• Sony's DRM woes worsen (30 November 2005)

  https://www.theregister.com/2005/11/30/sony_drm_spitzer/

• Sony fiasco: More questions than answers (23 November 2005)

  https://www.theregister.com/2005/11/23/sony_drm_questions/

• Sony unsinged by rootkit CD fiasco (22 November 2005)

  https://www.theregister.com/2005/11/22/analysis/

• Gaffer tape defeats Sony DRM rootkit (21 November 2005)

  https://www.theregister.com/2005/11/21/gaffer_tape_trips_up_sony_drm/

• Sony's CD rootkit infringes DVD Jon's copyright (18 November 2005)

  https://www.theregister.com/2005/11/18/sony_copyright_infringement/

• Sony DRM uninstaller 'worse than rootkit' (17 November 2005)

  https://www.theregister.com/2005/11/17/sony_drm_uninstaller_peril/

• Sony pulls rootkit DRM CDs (16 November 2005)

  https://www.theregister.com/2005/11/16/sony_withdraws_xcp_cds/

• Sony rootkit DRM: how many infected titles? (15 November 2005)

  https://www.theregister.com/2005/11/15/sony_bmg_bodycount/

• Sony suspends rootkit DRM (12 November 2005)

  https://www.theregister.com/2005/11/12/sony_suspends_rootkit_drm/

• Sony BMG faces digital-rights seige (11 November 2005)

  https://www.theregister.com/2005/11/11/secfocus_sony_analysis/

• Hidden DRM code's legitimacy questioned (3 November 2005)

  https://www.theregister.com/2005/11/03/secfocus_drm/

• Sony to offer patch for 'rootkit' DRM (3 November 2005)

  https://www.theregister.com/2005/11/03/sony_rootkit_drm/

• Removing Sony's CD 'rootkit' kills Windows (1 November 2005)

  https://www.theregister.com/2005/11/01/sony_rootkit_drm/