CONSUMER ALERT

MIKE COX

ATTORNEY GENERAL

The Attorney General provides Consumer Alerts to inform the public of unfair, misleading, or deceptive business practices, and to provide information and guidance on other issues of concern.

SONY MUSIC CDS RECALLED – IDENTITY THEFT RISK PROMPTS WORLDWIDE EXCHANGE PROGRAM

On November 15, 2005, Sony BMG announced that it will replace all copies of its music CDs containing a controversial copy protection program that automatically installs and creates an identity theft risk when the discs are played on personal computers. Sony's complete statement appears at: http://cp.sonybmg.com/xcp/english/home.html.  The software, known as XCP, has been exploited by software hackers who take advantage of the product's ability to hide files as part of its anti-piracy technology.

The company's decision followed more than a week of persistent electronic media-watchers' criticism of the XCP technology, which manipulates the Windows core processing center, or "kernel," to make it almost totally undetectable on Windows systems and nearly impossible to remove without damaging Windows, much like malicious programs known as "root kits."  Computer security researchers had determined that the XCP program hid files with a name that began with the characters $sys$, rather than the specific file names typically used for copyright enforcement. Hackers could exploit this feature by hiding files under the $sys$ name, and thereby gain access to the computer operating systems.

Sony BMG said that it would allow customers to exchange CDs with the XCP technology for copies that did not have the copy protection software installed.  Some experts believe that as many as 500,000 copies of the product have been installed worldwide.

In the days immediately before the recall announcement, Sony said it would temporarily suspend production of the effected CDs and released a software patch to disable the XCP copy protection program.  Sony's software patch appears at:  (http://cp.sonybmg.com/xcp/english/updates.html)

Some reports suggest that the patch is not completely effective in plugging the security leak. While consumers may wish to download the patch from Sony's Web site, Microsoft has announced that it will include a tool that will address the problem in the December version of Microsoft's Malicious Software Removal Tool.  It is expected that Windows users will be able to download this program from Microsoft's Web site at http://www.microsoft.com/security/default.mspx.

Consumers are encouraged to take appropriate steps to plug the security leak and participate in the recall in order to maintain the security of their personal computers.

IDENTITY THEFT INFORMATION FROM MICHIGAN ATTORNEY GENERAL

Consumers may visit the Attorney General's Web site for more information on ID theft and to view consumer alerts on a wide range of topics.  Mail or telephone inquiries and complaints may be directed to the Attorney General's Consumer Protection Division at:

Consumer Protection Division
P.O. Box 30213
Lansing, MI 48909

Phone: 517-373-1140

Toll-free within Michigan: 1-877-765-8388
Fax: 517-241-3771
www.michigan.gov/ag (online complaint form)

The Attorney General's Identity Theft Information for Michigan Consumers - 2005 Update is available at: http://www.michigan.gov/ag/0,1607,7-164-34739_20942-80479--,00.html.

An electronic version of the FTC's publication "TAKE CHARGE: Fighting Back Against Identity Theft" and additional publications and articles on a variety of topics related to ID theft are available at the FTC's Web site:

            ID Theft Home Page:                http://www.consumer.gov/idtheft 

Consumers may also call the FTC's ID Theft Hotline at 1-877-IDTHEFT (1-877-438-4338).