The FTC said the software, designed to prevent users from copying music, posed a security risk.
"Installations of secret software that create security risks are intrusive and unlawful," FTC Chairwoman Deborah Platt Majoras said.
"Consumers’ computers belong to them, and companies must adequately disclose unexpected limitations on the customary use of their products so consumers can make informed decisions regarding whether to purchase and install that content."
"Not only did [the software] allow Sony's code to hide, it also created space for other malicious software to hide," Edward Felten, a Princeton University professor of computer science and public affairs, told SC Magazine for its December issue.
He and a graduate student specifically studied the two rootkit uninstallers Sony offered as a solution.
"They both installed an ActiveX control that could be invoked by a webpage," Felten said. "It could be told by any page on the web to download code. Any webpage could install whatever software. It was about as serious as a vulnerability could be."
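The weakness Felten describes is the general one of a browser-scriptable ActiveX control: a control registered as "safe for scripting" can be created and driven by any web page Internet Explorer renders, so a method that fetches and runs code becomes a drive-by installer. The following PowerShell inventory is an added example, not code from the article or from Sony or Felten: it walks the registry for controls carrying the standard "Safe for Scripting" and "Safe for Initializing" component-category keys and lists where each one lives and whether its binary is signed. The category GUIDs are Microsoft's documented constants; the filter that hides controls under %SystemRoot% is an assumption made to surface third-party controls first and can be removed.

```powershell
# Added example, not from the SC Magazine article: list COM/ActiveX controls
# registered as "Safe for Scripting" / "Safe for Initializing", i.e. the ones
# any web page in Internet Explorer may instantiate and call.
# Caveat: a control can also assert safety at runtime through IObjectSafety,
# which this registry walk cannot see, so treat the output as a starting list.

$SafeForScripting    = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInitializing = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

# HKCR is not a default PowerShell drive; map it if needed.
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

Get-ChildItem 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
    $cats = Join-Path $_.PSPath 'Implemented Categories'
    if (-not (Test-Path $cats)) { return }

    $scriptSafe = Test-Path (Join-Path $cats $SafeForScripting)
    $initSafe   = Test-Path (Join-Path $cats $SafeForInitializing)
    if (-not ($scriptSafe -or $initSafe)) { return }

    # The default value of the ProgID / InprocServer32 subkeys holds the name and DLL path.
    $progId = (Get-ItemProperty -Path (Join-Path $_.PSPath 'ProgID') -ErrorAction SilentlyContinue).'(default)'
    $server = (Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'

    # Authenticode status tells you whether the binary is at least attributable to a publisher.
    $signed = 'n/a'
    if ($server -and (Test-Path -LiteralPath $server -ErrorAction SilentlyContinue)) {
        $signed = (Get-AuthenticodeSignature -FilePath $server).Status
    }

    [pscustomobject]@{
        CLSID               = $_.PSChildName
        ProgID              = $progId
        SafeForScripting    = $scriptSafe
        SafeForInitializing = $initSafe
        Server              = $server
        Signature           = $signed
    }
} |
# Assumption for readability: hide controls shipped under %SystemRoot%; drop this
# Where-Object to audit every scriptable control on the machine.
Where-Object { $_.Server -and $_.Server -notlike "$env:SystemRoot\*" } |
Sort-Object ProgID | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; anything that appears here from a non-Microsoft vendor deserves a look at what methods it exposes, because "safe for scripting" is a claim made by the vendor, not a property the browser verifies.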
In December, Sony BMG agreed to pay US$4.25 million in a settlement with 39 states, agreeing to reimburse end users whose PCs were damaged when trying to uninstall the rootkit-like technology. In addition, Sony said it will no longer distribute CDs containing copyright protection that is difficult for users to locate or remove.
On its website, Sony BMG lists "CD Copy Protection Principles" that state its record labels "are not currently releasing to the public any music CDs that limit copying of the music through software that installs from the CD to the computer. We have no current plans to do so."
Reporter: Dan Kaplan.