Sony BMG sued in California and Texas over CD spyware

November 21, 2005 @ Michael Hampton

Two separate lawsuits filed in California and Texas on Monday allege that Sony BMG Music Entertainment distributed on 52 music CD titles, which compromised the security of buyers’ computer systems when the CDs were inserted into Windows PCs, and transmitted data on the computer users’ listening habits back to the company.

Texas Attorney General Greg Abbott filed a civil lawsuit on Monday against Sony BMG Music Entertainment for hiding “spyware” software on its compact discs in a bid to thwart music copying.

According to the lawsuit filed in Travis County, several of the company’s music compact discs require customers to download Sony’s media players if they want to listen to the CDs on a computer.

Software included with that media player “remains hidden and active” after installation, the Attorney General’s office said, and makes users vulnerable to security risks and possible identity theft.

Sony said on its Web site that it had recalled all CDs that were installed with its XCP technology designed to prevent illegal music copying, Abbott said, but Texas investigators were able to purchase several of the CDs at Austin retailers on Sunday.

Texas is seeking civil penalties of $100,000 per violation of the state’s Consumer Protection Against Computer Spyware Act, which was enacted earlier this year.

“Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers,” Abbott said.

Sony announced on Friday that customers could exchange CDs that contained XCP software for new copies without the spyware, and download software designed to fix the security vulnerabilities. — Reuters

Separately, the Electronic Frontier Foundation filed suit in California, not only over the XCP software, but over another piece of software Sony used, known as MediaMax, which is on many more CD titles and suffers from many of the same problems.

EFF is pleased that Sony BMG has taken steps in acknowledging the security risks caused by the XCP CDs, including a recall of the infected discs. However, these measures still fall short of what the company needs to do to fix the problems caused to customers by XCP, and Sony BMG has failed entirely to respond to concerns about MediaMax, which affects over 20 million CDs — ten times the number of CDs as the XCP software.

“Sony BMG is to be commended for its acknowledgment of the serious security problems caused by its XCP software, but it needs to go further to regain the public’s trust,” said Corynne McSherry, EFF Staff Attorney. “It is unconscionable for Sony BMG to refuse to respond to the privacy and other problems created by the over 20 million CDs containing the SunnComm software.”

The suit, to be filed in Los Angeles County Superior court, alleges that the XCP and SunnComm technologies have been installed on the computers of millions of unsuspecting music customers when they used their CDs on machines running the Windows operating system. Researchers have shown that the XCP technology was designed to have many of the qualities of a “rootkit.” It was written with the intent of concealing its presence and operation from the owner of the computer, and once installed, it degrades the performance of the machine, opens new security vulnerabilities, and installs updates through an Internet connection to Sony BMG’s servers. The nature of a rootkit makes it extremely difficult to remove, often leaving reformatting the computer’s hard drive as the only solution. When Sony BMG offered a program to uninstall the dangerous XCP software, researchers found that the installer itself opened even more security vulnerabilities in users’ machines. Sony BMG has still refused to use its marketing prowess to widely publicize its recall program to reach the over 2 million XCP-infected customers, has failed to compensate users whose computers were affected and has not eliminated the outrageous terms found in its End User Licensing Agreement (EULA).

The MediaMax software installed on over 20 million CDs has different, but similarly troubling problems. It installs files on the users’ computers even if they click “no” on the EULA, and it does not include a way to fully uninstall the program. The software transmits data about users to SunnComm through an Internet connection whenever purchasers listen to CDs, allowing the company to track listening habits — even though the EULA states that the software will not be used to collect personal information and SunnComm’s website says “no information is ever collected about you or your computer.” If users repeatedly requested an uninstaller for the MediaMax software, they were eventually provided one, but they first had to provide more personally identifying information. Worse, security researchers recently determined that SunnComm’s uninstaller creates significant security risks for users, as the XCP uninstaller did.

“Music fans shouldn’t have to install potentially dangerous, privacy intrusive software on their computers just to listen to the music they’ve legitimately purchased,” said EFF Legal Director Cindy Cohn. “Regular CDs have a proven track record — no one has been exposed to viruses or spyware by playing a regular audio CD on a computer. Why should legitimate customers be guinea pigs for Sony BMG’s experiments?”

“Consumers have a right to listen to the music they have purchased in private, without record companies spying on their listening habits with surreptitiously-installed programs,” added EFF Staff Attorney Kurt Opsahl, “Between the privacy invasions and computer security issues inherent in these technologies, companies should consider whether the damage done to consumer trust and their own public image is worth its scant protection.”

Both the XCP and MediaMax CDs include outrageous, anti-consumer terms in their “clickwrap” EULAs. For example, if purchasers declare personal bankruptcy, the EULA requires them to delete any digital copies on their computers or portable music players. The same is true if a customer’s house gets burglarized and his CDs stolen, since the EULA allows purchasers to keep copies only so long as they retain physical possession of the original CD. EFF is demanding that Sony BMG remove these unconscionable terms from its EULAs. — Electronic Frontier Foundation

People have gotten years in prison for doing far less damage to people’s computers. Sony should be prosecuted to the fullest extent of the law, and perhaps its executives should face criminal charges over this.

To protect yourself against copy protection on CDs, hold down the Shift key while inserting the disc, or better yet, disable the Windows “autorun” feature. This prevents the illegal software from running on your computer, but the downside is you have to start your CD player — and applications on other CDs that you might use — manually.
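One way to apply the “disable autorun” advice above machine-wide, as an added example that is not part of the original post. It assumes an elevated PowerShell session; the function names are hypothetical, while `NoDriveTypeAutoRun` is the standard Windows policy value, a bitmask in which each set bit turns AutoRun off for one drive type.

```powershell
# Added example: audit and harden the Windows AutoRun policy (run elevated).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'

# Bit assignments of the NoDriveTypeAutoRun mask.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
    'Reserved'  = 0x80
}

# Hypothetical helper: report, per drive type, whether policy disables AutoRun.
function Get-AutoRunPolicy {
    $prop = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $prop) {
        Write-Warning "$ValueName is not set; the Windows built-in default applies."
        return
    }
    $mask = [int]$prop.$ValueName
    foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        [pscustomobject]@{
            DriveType       = $entry.Key
            AutoRunDisabled = (($mask -band $entry.Value) -ne 0)
        }
    }
}

# Hypothetical helper: set extra bits without clearing ones already set.
# 0xFF disables AutoRun for every drive type; 0x20 covers CD-ROM drives only.
function Disable-AutoRun {
    param([int]$Bits = 0xFF)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $new = ([int]$current) -bor $Bits
    New-ItemProperty -Path $PolicyKey -Name $ValueName -Value $new -PropertyType DWord -Force | Out-Null
}

Disable-AutoRun -Bits 0xFF
Get-AutoRunPolicy | Format-Table -AutoSize
```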


One Comment → “Sony BMG sued in California and Texas over CD spyware”


  1. shorty114

    Nov 22, 2005

    finally…


Copyright © 2010 Homeland Stupidity.