CDs’ Embedded Content Protection Software Posed Security Risks, Limited CD Use, and Monitored Users’ Listening Habits on their Computers, Without Consumer Consent
Sony BMG Music Entertainment has agreed to settle Federal Trade Commission charges that it violated federal law when it sold CDs without telling consumers that they contained software that limited the devices on which the music could be played, restricted the number of copies that could be made, and contained technology that monitored their listening habits to send them marketing messages. According to the FTC, the software also exposed consumers to significant security risks and was unreasonably difficult to uninstall. The proposed settlement requires Sony BMG to clearly disclose limitations on consumers’ use of music CDs, bars it from using collected information for marketing, prohibits it from installing software without consumer consent, and requires it to provide a reasonable means of uninstalling that software. The settlement also requires that Sony BMG allow consumers to exchange the CDs through June 31, 2007, and reimburse consumers for up to $150 to repair damage to their computers that they may have suffered in trying to remove the software.
“Installations of secret software that create security risks are intrusive and unlawful,” said FTC Chairman Deborah Platt Majoras. “Consumers’ computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content.”
According to the complaint detailing the charges, Sony BMG embedded in its music CDs content protection software, also known as Digital Rights Management software, which installed itself on consumers’ computers to restrict the number of times the audio files could be copied. It also prevented the music from being played on certain portable digital devices. The music could not be transferred directly to iPods, for example. In addition to restricting the use of the CDs on computers using the Windows Operating System, the software, which was concealed from consumers, created security vulnerabilities that could allow hackers and other third parties to gain access to consumers’ computers.
The FTC alleges that the installation of software without consumer consent that exposed consumers’ computers to security risks was unfair and violated federal law. In addition, the complaint alleges that hiding the software from consumers and failing to provide a means to uninstall it also were unfair practices in violation of federal law.
The agency charged that it was deceptive for Sony BMG to fail to disclose adequately that software would be installed on consumers’ computers, and that the software would limit consumers’ copying and use of the CDs on their computers. The FTC also alleged that it was deceptive, in violation of federal law, to fail to disclose that Sony BMG’s monitoring technology, included on many of its CDs, monitored consumers’ music listening preferences and sent targeted marketing ads to their computers.
The settlement requires clear and prominent disclosure on the packaging of Sony BMG’s future CDs of any limits on copying or restrictions on the use of playback devices. It bars the company from installing content protection software without obtaining consumers’ authorization, and, if Sony BMG conditions consumers’ use of its CDs on installation of the content protection software, it must disclose that requirement on the product packaging.
In addition, the settlement bars Sony BMG from using the information on consumers’ listening preferences that it has already gathered through the monitoring technology it installed and bars them from using the information to deliver ads to those consumers. For future CDs containing such technology, the agreement requires that, before transmitting information about consumers, their computers or their use of the CD, Sony BMG must clearly disclose on consumers’ computer screens what the technology will do, and obtain consumers’ consent. If it conditions consumers’ use of its CDs on their agreement to have information collected, Sony BMG must disclose that condition clearly on the CDs’ packaging.
The settlement bars Sony BMG from installing or hiding content protection software that prevents consumers from finding or removing the software, and requires that it provide a reasonable and effective way to uninstall any content protection software. It requires that for two years, Sony BMG provide an uninstall tool and patches to repair the security vulnerabilities created on consumers’ computers by previously installed software. The company is required to advertise these free fixes on its Web site.
As part of the settlement, Sony BMG will allow consumers to exchange CDs containing the concealed software purchased before December 31, 2006 for new CDs that are not content-protected, and will be required to reimburse consumers up to $150 to repair damage that resulted directly from consumers’ attempts to remove the software installed without their consent. Sony BMG is required to publish notices on its Web site describing the exchange and repair reimbursement programs.
Sony BMG also is required to provide financial inducements to retailers to return the CDs that create security problems for consumers’ computers. For CDs already in its stock that are sold to retailers, Sony BMG is required to disclose on the product packaging the restrictions on use and the security vulnerabilities.
Finally, the settlement contains record-keeping and reporting provisions designed to allow the agency to monitor compliance with its order.
The Commission vote to accept the proposed consent agreement was 5-0. The FTC will publish an announcement regarding the agreement in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 1, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
NOTE: This consent decree is for settlement purposes only and does not constitute an admission by the respondent of a law violation.
Copies of the complaint, proposed consent agreement and an analysis to aid public comment are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov/ftc/complaint.shtm. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad.
Claudia Bourne Farrell,
Office of Public Affairs
Matthew Daynard, Tracy Shapiro or Stacey Ferguson
Bureau of Consumer Protection
202-326-3291 or 202-326-2343 or 202-326-2361