Attorney General Lockyer Announces Settlement with SONY BMG to Resolve Case of Secret Software Placed on Millions of CDs

Firm Will Pay Restitution for Harm Caused to Computers, Plus Civil Penalties

Tuesday, December 19, 2006
Contact: (916) 210-6000,

(LOS ANGELES) – Attorney General Bill Lockyer today announced SONY BMG Music Entertainment will pay restitution and civil penalties to resolve a lawsuit filed by Lockyer and Los Angeles County District Attorney Steve Cooley that alleged the firm committed unfair business practices and left computers vulnerable to hackers when it surreptitiously placed on millions of CDs software to restrict consumers’ ability to copy the music.

“Companies that want to load their CDs with software that limits the ability to copy music should fully inform consumers about it, not hide it, and make sure it doesn't inflict security vulnerabilities on computers,” said Lockyer. “To its credit, SONY BMG learned this lesson and has stopped the practices that led to this lawsuit. But the settlement further protects consumers by prohibiting similar conduct in the future and requiring SONY BMG to pay consumers back for out-of-pocket expenses they incurred to repair harm to computers caused by the software.”

Said Cooley: “In trying to gain market share, companies need to be sensitive to consumers’ rights to privacy, especially in this electronic age.”

The joint complaint alleges SONY BMG’s conduct violated state laws prohibiting false or misleading advertising, unfair or unlawful businesses practices, and unauthorized access to computers. Lockyer and Cooley today filed the settlement and lawsuit it resolves in Los Angeles County Superior Court.

Under the settlement, SONY BMG will provide refunds of up to $175 to California consumers who spent money to repair computer damage caused by trying to uninstall certain “digital rights management (DRM)” software. Consumers will have 180 days to file a refund claim. Refund claims must be submitted on a form available on SONY BMG’s web site and must include a description of the harm and documentation of repair expenses.

An estimated 450,000 Californians purchased CDs with the DRM software covered by the restitution provision. An unknown number of those California buyers suffered damage to their computers and are eligible for refunds. The problems alleged in the complaint occurred only on computers with Windows operating systems.

SONY BMG also will pay $622,000 in civil penalties, and $128,000 in costs and fees, with each payment split evenly between the Attorney General’s Office and District Attorney’s Office. Aside from the monetary payments, the settlement includes court-enforced “injunctive relief” provisions that prohibit SONY BMG from committing the alleged unlawful practices in the future.

Between January 2005 and November 2005, according to the complaint, SONY BMG manufactured more than 12.6 million CDs with two kinds of DRM software. Californians bought about 930,000 copies of those CDs. SONY BMG did not disclose in the outer packaging the presence of the software, which was loaded on consumers’ computers without their knowledge or consent when they played the CDs on their computers, the complaint alleges. The DRM software was further concealed from consumers, according to the complaint, because it was downloaded to a hidden file.

The complaint also alleges the DRM software contained flaws that created security vulnerabilities in computers, exposing them hacking and other problems. Additionally, consumers frequently suffered damage to their computers when they tried to uninstall the software themselves, without using an uninstall program later provided by SONY BMG. For example, according to the complaint, consumers who tried to remove one type of the DRM software by themselves sometimes saw their CD-ROM drives crash.

SONY BMG also failed to adequately inform consumers about “enhancement” software placed on certain titles. The enhanced CDs, when inserted into computers, allowed SONY BMG to communicate via the Internet with the user’s IP address, which in turn permitted the company to send the consumer advertisements related to the particular artist.

Among the injunctive relief provisions, SONY BMG must provide adequate, pre-sale notice to consumers if music CDs contain DRM software. Additionally, SONY BMG must clearly inform consumers if the music CDs they purchase contain an enhanced feature that allows the company’s servers to collect consumers’ IP address and other personal information when the CD is inserted into the computer. SONY BMG also must obtain a consumer’s affirmative consent before connecting the consumers’ computer to the Internet.

# # #