Fallout continues against Sony BMG over its 'rootkit' debacle.

One week after being sued by the Texas Attorney General, Sony BMG is under investigation by Eliot Spitzer, attorney general for the State of New York.

Sony BMG faces legal slap

Spitzer began looking into Sony's use of the XCP (extended copy protection) software over the past "couple of weeks," said Brad Maione, a spokesman for his office.

More recently, Spitzer has dispatched investigators to see whether or not Sony is honouring its promise to recall its 52 XCP music titles from music sellers: "We're aware of the situation and we're taking a look at it," said Maione. "We're trying to see if they're still on the shelves."

Maione declined to say whether or not his office was planning legal action against Sony.

Texas Attorney General Greg Abbott sued Sony last week, accusing the media company of violating his state's 2005 antispyware law by distributing the software on music CDs from artists like Celine Dion and Frank Sinatra.

XCP is also the subject of a California class action lawsuit against Sony by the Electronic Frontier Foundation.

Consumer rights mis-management

Created to limit the number of copies that Sony customers could make of their CDs, XCP uses special "rootkit" cloaking techniques to disguise its presence on a PC, and is extremely difficult to remove. It is considered a security risk by many computer experts, including Microsoft, and is treated as spyware. Earlier this month, hackers wrote malicious Trojan software that used XCP's cloaking capabilities to hide itself on affected computers.

After weeks of unrelenting criticism over its use of the software, Sony eventually announced plans to pull XCP CDs from store shelves and launched a scheme to allow its customers to exchange their music for CDs that did not have the copy-protection software installed.

Sony BMG had fair warning

However, a report on Business Week this morning states that Sony BMG had ample warning of the implications of what it was doing.

Anti-virus company F-Secure warned the company about the software on October 4 - a month before the issue exploded.

Bruce Schneier, chief technology officer at security consulting firm Counterpane Internet Security said that record label attempts to employ digital rights management (DRM) are pointless: "You can't do it. DRM is a desperate attempt to cling to their old business model. They have to figure out how to make money in the new world."

Sony BMG says the warning it received from F-Secure seemed to be about a "routine matter", but it eventually began investigating the matter.

F-Secure maintains the company hoped to keep the matter quiet, but Sony BMG claims that's not true.

"The best lesson that Sony BMG - and the music industry - can take away is to be more vigilant when it comes to the software they ask customers to load onto computers," Business Week warns.