SONY BMG Data Privacy Assessment Regarding the Use of XCP & MediaMax Content Protection Software

March 2006

 

Executive Summary

Cybertrust was engaged by SONY BMG Entertainment, Inc. (“SONY BMG”) to determine whether SONY BMG used XCP or MediaMax content protection software to collect, aggregate, or retain individuals’ personal information without their express consent. The purpose of the engagement was to confirm representations by SONY BMG, as set forth in a Settlement Agreement in In re SONY BMG CD Technologies Litigation, No 1:05-cv-09575 (NRB) (S.D.N.Y., preliminarily approved, Jan. 6, 2006).

 

For the engagement, Cybertrust interviewed personnel of SONY BMG and SunnComm International Inc. (“SunnComm”), as well as of Stroz Friedberg, LLC, SONY BMG’s data security and computer forensics experts; analyzed CDs protected by XCP and MediaMax software; and conducted on-the-console inspection of SONY BMG and SunnComm systems.

 

Cybertrust concludes that the XCP and MediaMax software, which includes the XCP Bundled Player and the MediaMax v.3 and MediaMax v.5 Players, collects only non-personal information tied to a particular album and its usage. This information is collected for two specific purposes:

1. To deliver a more personalized user experience through the delivery of album-specific content, and

2. To ensure that rules applicable to the usage of the music content on the CDs are enforced.

 

In connection with the first of these purposes, if the user’s computer has a live Internet connection, the XCP and MediaMax Players communicate only:

a) the unique album ID (“uId” for XCP CDs, “id” and “hackID” for MediaMax CDs) or song ID (“CID” for MediaMax only), and

b) the IP address of the user’s Internet connection.

The unique album ID is used to return content to the user’s player and, in the case of MediaMax v.3 titles, license information specific to the CD title.

Cybertrust did not find any evidence that SONY BMG used the XCP Software or that SunnComm used the MediaMax Software, or that any of the enhanced content on XCP CDs or MediaMax CDs was used, to collect, aggregate, or retain information that could be identified with or tracked to an individual without such person’s express consent.

 


Scope & Facts

Cybertrust was engaged to determine if SONY BMG collected, aggregated, or retained Personal Data in a manner that is inconsistent with the following representations (“SONY BMG Representations”).

SONY BMG Representations

 

SONY BMG asserts that it has not used the MediaMax or XCP Software, or any of the enhanced content on the XCP CDs or MediaMax CDs, to collect, aggregate or retain Personal Data about persons who listened to XCP CDs or MediaMax CDs on computers, without such person’s express consent. SONY BMG further asserts that it only has collected information necessary to provide enhanced CD functionality. SONY BMG believes, and on that basis asserts, that such functionality requires that the album title, artist, IP address, and certain non-personally identifiable information be collected. Beginning prior to the Fairness Hearing, SONY BMG will take commercially reasonable steps to destroy the information it collects to provide enhanced CD functionality, including logs of IP addresses, within ten (10) days after the collection of such data, except as required by law, regulation, litigation discovery rule or court order. SONY BMG shall, however, be permitted to compile aggregate, non-personally identifiable data about hits to its servers from enhanced CDs.

 

For purposes of the SONY BMG Representations and Cybertrust’s assessment, the following terms have the following definitions:

 

“Enhanced CDs” or “Connected CDs” are audio CDs that, upon being loaded into a personal computer, initiate connections over the Internet to a server for the purpose of allowing the server to provide information to the user interface regarding the artist or the music on the CD (the “Enhanced CD Functionality”).

 

“MediaMax CDs” are audio CDs that contain a version of MediaMax Software.

 

“MediaMax Software” means “MediaMax” content protection software used in connection with certain audio CDs released by SONY BMG and one of its predecessors, BMG, and includes MediaMax version 3.0 and MediaMax version 5.0.

 

“Personal Data” means information stored on a computer that itself discloses the identity of the individual using that computer or websites, other than the SONY BMG and SunnComm websites, that the user has visited using the browser on such computer, but does not include the IP address of the computer’s Internet connection or any information with respect to an album title, artists and tracks, or other non-personally identifiable information, that is routinely logged by SONY BMG in connection with Enhanced or Connected CDs.

 

“XCP CDs” are audio CDs that contain XCP Software.

 

“XCP Software” means the “XCP” content protection software used in connection with certain audio CDs released by SONY BMG commencing in Spring 2005.

 

The Fairness Hearing refers to the hearing at which the court will consider the proposed settlement, as set forth in the Settlement Agreement in In re SONY BMG CD Technologies Litigation, No 1:05-cv-09575 (NRB) (S.D.N.Y., preliminarily approved, Jan. 6, 2006).

Platforms

 

Cybertrust’s assessment of the XCP and MediaMax software was limited to the Windows operating system.[1]

Applications

 

Three applications were within the scope of Cybertrust’s assessment:

· XCP Bundled Player

· MediaMax v.3 Player

· MediaMax v.5 Player

Each of these three player applications allows an end user to play music contained on an XCP CD or MediaMax CD, as the case may be, on a computer, as well as to copy (or “rip”) tracks to the computer’s hard drive. Both the XCP Bundled Player and the MediaMax v.5 Player also enable the creation of a limited number of personal CD-R copies (“burns”).

Servers

 

Cybertrust reviewed the servers associated with the following domains, which were identified as supporting the XCP Bundled Player, the MediaMax v.3 Player, and the MediaMax v.5 Player:

· www.sonymusic.com

· access.sonymusic.com

· connected.sonymusic.com

· xcpimages.sonybmg.com

· license.sunncomm2.com

 

Cybertrust also reviewed the following systems, which participate in the transfer or storage of data tied to the XCP Bundled Player, the MediaMax v.3 Player, or the MediaMax v.5 Player:

· XCP Player

    o ConnecteD Web Cluster

    o DFS Application Cluster

    o Oracle DB Cluster

· MediaMax v.3 and MediaMax v.5 Players

    o HUGO

    o SUNNY

    o License1

    o SUNNWEB

 

Cybertrust conducted interviews and on-console reviews to identify sources of evidence, such as log files, back-up files and databases.  Cybertrust’s assessment included reviews of sources of evidence within the scope of the project that were used to quantify the resident data. Cybertrust reviewed these sources to determine whether SONY BMG and SunnComm complied with the SONY BMG Representations.

 



Statement of Opinion

XCP

 

Based on Cybertrust’s data privacy assessment of the XCP Software, as well as server segments that support the XCP Software, Cybertrust has determined that SONY BMG has not used the XCP Software, or any of the enhanced content on the XCP CDs, to collect, aggregate or retain personally identifiable information without user consent. Cybertrust has determined that the XCP Bundled Player transmits only certain non-personally identifiable information (album ID and IP address) to provide the Enhanced CD Functionality.  Cybertrust has found that SONY BMG temporarily retains this non-personally identifiable information as part of standard web logging activities.  Cybertrust has also determined that SONY BMG does not associate or aggregate that information with any other information to produce personally identifiable information.

 

MediaMax v.3

 

Based on Cybertrust’s data privacy assessment of the MediaMax v.3 Software, as well as the server segments that support the MediaMax v.3 Software, Cybertrust has determined that SONY BMG and SunnComm have not used the MediaMax v.3 Software, or any of the enhanced content on the MediaMax v.3 CDs, to collect, aggregate or retain personally identifiable information without user consent. Cybertrust has determined that the MediaMax v.3 Player transmits certain non-personally identifiable information (album ID, track IDs, and IP address) to provide the Enhanced CD Functionality. Cybertrust has found that SunnComm retains this non-personally identifiable information as part of standard web logging activities. Cybertrust has determined that SunnComm does not associate or aggregate that information with any other information to produce personally identifiable information.

 

MediaMax v.5

 

Based on Cybertrust’s data privacy assessment of the MediaMax v.5 Player, as well as server segments that support the MediaMax v.5 Software, Cybertrust has determined that SONY BMG and SunnComm have not used the MediaMax v.5 Software, or any of the enhanced content on the MediaMax v.5 CDs, to collect, aggregate or retain personally identifiable information without user consent. The MediaMax v.5 Software does not collect any information that can be used to personally identify a user without user consent.  Cybertrust has determined that the MediaMax v.5 Player transmits certain non-personally identifiable information (album ID, track IDs, and IP address) to provide the Enhanced CD Functionality.  Cybertrust has found that SunnComm retains this non-personally identifiable information as part of standard web logging activities. Cybertrust has determined that SunnComm does not associate or aggregate that information with any other information.

 

Based on Cybertrust’s findings, it is Cybertrust’s opinion that the SONY BMG Representations are accurate: SONY BMG has not used the MediaMax or XCP Software, or any enhanced content on XCP CDs or MediaMax CDs, to collect, aggregate, or retain Personal Data about individuals who listened to XCP CDs or MediaMax CDs on computers, without such person’s express consent.

 


 

[1] XCP CDs do not include software for the Macintosh platform, while MediaMax CDs do not protect the audio and offer only limited enhanced CD functionality on the Macintosh platform.