EFF was sad but not surprised to discover that the security holes in the software Sony BMG has placed on its CDs did not end with the XCP rootkit. As reported on EFF's site Tuesday, equally troubling risks are built into CDs loaded with another type of software, MediaMax version 5. Given the nature of the software being forced on consumers along with their music, we fully expect that more problems will be uncovered.

But EFF is pleased to see that Sony BMG has begun to learn from experience in at least one way. In responding to the newly discovered problems with MediaMax version 5, Sony BMG has at last taken the obvious step we suggested last month--using its artists' websites to notify consumers of the security risks.

We challenged Sony on its failure to use those sites to publicize Sony's recall/replacement program for XCP-infected discs. To state the obvious: Consumers are a good deal more likely to stop by Celine Dion's official website than Sony BMG's stuffy corporate site.

Sony BMG still hasn't taken up that challenge with respect to XCP, and we still urge them to do so. Consumers unfortunate enough to have purchased one of the 52 CD titles loaded with XCP software still have to somehow find their way to the Sony BMG website for information about the rootkit.

But in a step we applaud, Sony BMG is taking EFF up on at least part of its challenge and is using some artist sites to get the word out about the security vulnerability on MediaMax-infected discs. The websites of several affected artists--Alicia Keys, BabyFace and Carlos Santana among them--already direct music fans who have bought Sony BMG MediaMax CDs to a Sony BMG consumer advisory about the MediaMax security hole.

Sony BMG needs to do much more, but the company is moving in the right direction. Now, Sony should take the next step and post similar advisories on the sites of every artist whose name is attached to an XCP- or MediaMax-infected CD, and should offer an exchange program to purchasers of MediaMax version 5 CDs that matches the program offered to the XCP-infected group. Sony BMG also needs to update its somewhat confusing Sony BMG website (including the advisory) to better help music fans sort all this out. It's easy, Sony BMG--just put one foot in front of the other.
