January 20, 2006 | By Kurt Opsahl

SunnComm's initial response to our open letter

A while back, we wrote an open letter to SunnComm, the manufacturer responsible for the insecure MediaMax DRM software installed on audio CDs.

As an initial formal response, SunnComm has released lists of all the titles, regardless of label, that use the MediaMax 5 and MediaMax 3 DRM. The MediaMax'd CDs are not limited to Sony BMG, but include independent label records such as Cuban Link's "Chain Reaction" by Men of Business Records, Peter Cetera's "You Just Gotta Love Christmas" by Viastar Records or MediaMax'd releases on KOCH Records. SunnComm provided a copy of the following letter, which it sent on January 5 to all the independent labels using its software:

Dear ,

You are by now well aware of the litigation relating to Sony BMG Music Entertainment?s use of digital rights management (?DRM?) technologies and the corresponding press and public interest in this issue. We write to assure you of our commitment to notify you and your customers of any potential security vulnerability, and to enlist you in responding to security concerns raised recently concerning Versions 3 and 5 of our industry-leading MediaMax product.

Our focus is and will remain on the delivery of high-quality, secure, consumer friendly content protection and enhancement solutions. As most of you know, we have been working closely over the past several weeks with the Electronic Frontier Foundation (the ?EFF?), security firms, and other industry groups to ensure that we address these concerns promptly and effectively. The principal security concern relates to MediaMax Version 5 CDs and how they affect computers running Microsoft?s Windows operating system. Windows allows for different levels of access to a computer, and that software installs a file folder that could allow a guest user to gain unauthorized access to the computer. We have attached a copy of a report on that concern prepared for the EFF. Please read this document carefully and let us know if you have any questions. Additional concerns have been raised relating to both Versions 3 and 5 regarding the transfer of certain files to memory before a user has accepted the End User License Agreement.

It is important to remember that it is common for software companies to be called upon from time to time to issue patches and updates to their software. We understand and accept this responsibility, and will work with our customers to ensure timely notifications and updates. We have committed to addressing each of the concerns raised regarding MediaMax Versions 3 and 5, and intend to help define best practices for the industry going forward. To date, we have issued a patch and uninstaller, available to all purchasers of MediaMax CDs on the SunnComm Customer Support site www.sunncomm.com/support. Both the patch and uninstaller have been thoroughly tested and certified by two independent security firms. These tools address each and every concern identified to us to date. We have also committed, through a settlement agreement relating to the numerous lawsuits filed against Sony BMG, to participate in a program of notifying consumers who purchased Sony BMG CDs containing MediaMax Versions 3 or 5 about these concerns and ensuring that those consumers have easy access to the patch and uninstaller.

As with consumers of Sony BMG CDs, we need to ensure that your customers are both notified promptly of the concerns raised relating to MediaMax Versions 3 and 5 and have access to the patch and uninstaller. We will need to work together with you to achieve both objectives efficiently and effectively. Regarding notification, we need first to develop and publish a list that identifies every CD containing MediaMax Version 3 or 5 on every independent label, then to take additional steps to ensure adequate notice to consumers of those CDs. Those steps, which we seek your active participation in developing and implementing, may include notifications on our respective websites and uploading a notification banner on CDs that include Perfect Placement banners. Those website notifications should contain links to the patch and uninstaller, and the banners should contain click-throughs to the website notifications to ensure easy access to those links. Additional steps may be required, and we would value any further thoughts you may have.

It is essential that we complete the steps outlined in this letter as soon as possible. In anticipation of doing so, please consider the CDs on your label that should be included in the list. We will contact you next week in order to confirm those titles and discuss the other issues we have outlined.

We look forward to working cooperatively with you to address the concerns that have been raised promptly and efficiently. While doing so plainly imposes some significant short-term burdens, we believe that the long-term gains, including the establishment of clear protocols for consumer notification and updates for DRM software, will serve both content and DRM providers well as the market for digital content continues to flourish.


Kevin M. Clement

We are looking forward to a formal response from SunnComm on all the remaining points raised in our open letter.

Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

Op-ed from EFF's @ncardozo: if your business model depends on fooling customers, it deserves to fail https://eff.org/r.gjvi

Oct 6 @ 6:17pm

Facebook's name policy harms human rights activists, LGBTQ people, domestic violence survivors, and more.

Oct 6 @ 6:09pm

New Zealand confirms half the TPP countries will be forced to extend copyright term by 20 years. We have to stop it. https://eff.org/r.oygk

Oct 6 @ 3:37pm
JavaScript license information