In a new paper examining the Sony BMG rootkit fiasco, a pair of lawyers argue that the music company didn't just damage itself—it unwittingly struck a blow against DRM in general.

Deirdre Mulligan and Aaron Perzanowski are the authors of "The Magnificence of the Disaster," which looks at the entire chronology of Sony BMG's problems with CD copy protection technology in an attempt to understand just how the label could have made a blunder of this magnitude. The paper, published in the Berkeley Technology Law Journal, argues that the rootkit was the result of more than "utter disregard, or even contempt, for user security and privacy." It was a product of market, technology, and legal factors that all encouraged Sony BMG to go forward with its ill-advised plan.

The music business continues to sink, and it's understandable that labels like Sony BMG would grab at any available life raft. Upset about P2P trading of its songs and swapping between friends, the company hoped to eliminate one of the main sources of pristine-quality digital rips: the unprotected CD. But how could it have added the badly buggy software from both First4Internet and SunnComm to millions of discs without doing any due diligence on the possible ramifications?

The authors argue that simple negligence or lack of technical expertise is a hard explanation to believe, especially as Sony (which owns a big chunk of the label) has wide technical expertise in this matter that Sony BMG could easily have drawn on. Security researchers, who identified the problem after the CDs were released, could also have done so ahead of time had they been consulted.

The most likely explanation for deploying the CD-based DRM was that "Sony BMG likely underestimated the public reaction to the security and privacy threats created by its DRM." In other words, the company took a calculated risk that consumers wouldn't care about these issues and found later that it guessed wrong.

Consumer backlash may have been particularly strong in this case because consumers already have an expectation of privacy and control when listening to CDs that they don't necessarily have when using Internet-enabled software, for instance. "Consumers consider the playing of the CD to be a private, passive act and one that carries no risk of attack from the outside world," say the paper's authors. "Once security and privacy threats intruded upon this zone of safety, consumers reacted with unexpectedly intense indignation." It also didn't help that buyers had paid the same amount as for other CDs but received less functionality in return.

The DMCA may have also contributed to Sony BMG's calculation to deploy the software. Because the DMCA bars the circumvention of effective copy protection technologies in almost all cases, even security researchers worry about looking too deeply into how the technologies work. This "chilling effect" may have led the music label to conclude that its system did not have to be extensively vetted before deployment, as it could always file DMCA lawsuits against those who researched the copy protection software.

To correct the problem, the paper argues that the DMCA needs reform; specifically, it needs a permanent statutory exemption "that enables researchers and lay users to proactively identify and remove dangerous protection measures from their systems." It also wouldn't hurt for the FTC to lay down "best practices" for software installation and removal.

Although things turned out badly for Sony BMG, anti-DRM advocates may be pleased at the fallout. By raising the public profile of DRM and making users aware of its many downsides, the rootkit incident may have contributed to a broader move away from DRM among music labels. The rootkit "undermined consumer acceptance of digital rights management technology," according to the paper's authors, and may have helped spur labels like EMI and Universal to experiment with opening up downloads, rather than trying to restrict CDs.