The Electronic Frontier Foundation filed a class-action lawsuit against Sony BMG Entertainment on Monday, demanding that the company further address problems related to the controversial "rootkit"-style copy-protection mechanism that it shipped on an estimated 24 million music CDs.

The suit, filed in Los Angeles County Superior Court, alleges that two different types of rootkit DRM (digital rights management) software have been installed on the computers of "millions of unsuspecting music customers" when they played affected CDs on devices running Microsoft Corp.'s Windows operating system.

While the EFF lauds Sony for taking initial steps to fix issues related to one form of the rootkit, known as First4Internet XCP, the filing claims that a second variation of the software, labeled as SunnComm MediaMax, has not been addressed and affects 20 million of the involved CDs.

According to the EFF, the MediaMax software installs itself on computers even when users choose not to run the application, and the group contends that the application does not include any feature for deleting the program entirely.

The lawsuit claims that the rootkit software transmits information on individual usage habits back to Sony BMG, including details of what music people listen to, allowing the company to spy on customers and track their habits.

EFF said that when consumers repeatedly requested an uninstaller for MediaMax they were eventually provided one, but not before being forced to share even more personally identifying information.

Sony BMG representatives didn't immediately return calls seeking comment on the lawsuit, but the company did respond to an earlier letter from the EFF, saying that it was taking aggressive measures to address the rootkit issues.

The entertainment giant originally included the DRM software on its CDs to protect against piracy of the content on the discs, but the EFF and many industry experts maintain that the applications secretly degrade device performance, open security vulnerabilities, and automatically install updates through an Internet connection to Sony BMG's servers.

By some estimates, the only method of completely deleting the software is to reformat a computer's entire hard drive.

Further, the EFF said in its suit that a program designed to remove the DRM software from affected machines creates additional security vulnerabilities.

The group is also upset that Sony has not widely publicized its offer to recall 2 million CDs carrying the XCP rootkit software, and that it has yet to compensate people whose computers were affected by the applications.

In addition to seeking a full refund for CDs that carry the rootkits, EFF is also asking that Sony BMG reword the licensing agreement it asks consumers to approve if they choose to install its DRM applications.

EFF called the current agreement "outrageous" and "anti-consumer," citing license terms that require consumers to delete digital copies of content if they declare bankruptcy or if their houses are robbed.

"We've tried to work with Sony BMG, and they responded, but they haven't addressed all of our concerns related to privacy, MediaMax, or refunding the cost of CDs to consumers," said EFF Staff Attorney Kurt Opsahl. "Nor have they publicized the recall program; and when you consider how much effort they undertook in marketing these CDs to people in the first place, that's not much to ask."

The EFF isn't the only consumer watchdog filing litigation against Sony BMG over the rootkits.

Earlier on Monday, Texas Attorney General Greg Abbott filed a civil lawsuit against the music company for including spyware on its CDs bearing the DRM applications, and consumers in the state of New York have also filed several class-action suits against the company.

Opsahl said that many people who have purchased CDs carrying the rootkit software will never know about it unless Sony BMG goes to great lengths to inform the public.

He hopes that the court system will order the entertainment company to do just that and refrain from using similar tactics in the future.

"It's a very misguided effort on the part of the company; they want people to do the right thing and pay for their CDs, and then they punish people who do that by installing spyware and damaging their security," said the attorney. "Sony BMG is invading people's privacy, and they need to do more to regain the public's trust and show that this problem is being solved and won't happen again."

The law firms of Green Welling and Lerach Coughlin Stoia Geller Rudman and Robbins have joined EFF in the class-action suit.


Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.