Sony BMG to pay up over DRM rootkit debacle

Sony BMG Music Entertainment has agreed to cough up $150 (£77) for every PC infected in 2005 with its rootkit software. The agreement follows a US Federal Trade Commission (FTC) ruling that Sony had acted improperly and illegally by surreptitiously adding the rootkit to music CDs it sold in the US last year.

Some estimates have pegged the number of infected PCs at one million, posing yet another cash drain on parent company Sony, which has already been hit for compensation over faulty laptop batteries and problems with the Sony PlayStation 3.

The software installed itself onto users' PCs when the CDs were inserted into a computer's optical disc drive. The software went on to limit which kinds of devices the music could be played on (iPods were affected), how many devices the music could be played on and how many times it could be copied.

It also sent information back to Sony BMG about users' listening habits so they could be bombarded with marketing messages. Worse, the software also opened up users' PCs to malicious attack by third parties and proved very difficult to uninstall.

Sony used two different kinds of rootkit software: Extended Copy Protection (XCP) and MediaMax CD-3, both of which appeared on around 50 Sony BMG releases each, CDs that went on to sell over 20 million copies.

FTC Chairman Deborah Platt Majoras said: "Installations of secret software that create security risks are intrusive and unlawful. Consumers' computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content."

The FTC has ruled that Sony cannot use any marketing information it has collected already and that future versions of digital rights management (DRM) software contained on CDs must deliver an onscreen warning to users before it is installed.