State Attorney General Greg Abbott said this month that Sony may have violated the state Deceptive Trade Practices Act because CDs containing MediaMax technology secretly install files on PCs even if a user rejects an agreement.
"We keep discovering additional methods Sony used to deceive Texas consumers who thought they were simply buying music," said Abbott, a Republican. "Thousands of Texans are now potential victims of this deceptive game Sony played with consumers for its own purposes."
The state's amended lawsuit asserts that New York-based Sony failed to warn consumers of the harm MediaMax could cause PCs. Texas' Consumer Protection Against Computer Spyware Act of 2005 allows for civil penalties of $100,000 for each violation of the law.
Abbott also urged retailers to stop carrying CDs containing MediaMax, which is made by Phoenix-based SunnComm. His official website set up a frequently asked questions section on Sony CDs earlier this month.
In November, Texas sued Sony for its use of XCP software, claiming the company violated a recently passed anti-spyware law. Bloggers and security firms have said both XCP and MediaMax create vulnerabilities on PCs.
Sony issued an uninstall and a software update for the application on its website this month.
"We encourage you to run this update on any computer that you think has played a Sony-BMG CD with SunnComm MediaMax software," the company said.
The Electronic Frontier Foundation and Sony released a joint statement earlier this month announcing a software update for the SunnComm's MediaMax.
A media uproar forced Sony to offer refunds for CDs containing XCP technology last month after Windows security expert Mark Russinovich first disclosed the spyware-like technology on his blog in late October. Within weeks, new trojans took advantage of the rootkit technology and bloggers disclosed that Sony's uninstall for the XCP also made PCs vulnerable to malicious code.
Ed Felten, the Princeton University computer science professor who exposed vulnerabilities caused by the XCP uninstaller on his "Freedom to Tinker" blog, said Sony may have violated the federal Computer Fraud and Abuse Act.
"We know that the programs obtained information from the user's computer and sent that information across the net to either Sony-BMG or SunnComm," Felten said on his blog this month. "In most cases, that would be interstate communication. So the main issue would seem to be whether the companies, in installing their software on a user's computer, intentionally accessed the computer without authorization or exceeded authorized access."