The last few weeks have been bad ones for SonyBMG. The music giant included copy-protection software on many of its recent CDs, and that software turned out to expose purchasers to significant security risks. In one case, for example, the software hid itself on the purchaser's computer in order to stop the purchaser from disabling the software; but now virus writers can use that "hidden" section to sneak in other unwanted code, like dangerous viruses. The result has been a PR disaster, a massive recall of protected CDs, and now also a series of filed lawsuits. Ed Felten has a fantastic series of posts on all this and I would encourage anyone with interest in the details to read those posts with care.
On the legal side, meanwhile, the EFF's Fred von Lohmann has been offering a great deal of commentary on the controversy, and it is no overstatement to say that Fred is downright gleeful to see SonyBMG stumble in this way. Writes Fred:
So here's to the eventual demise of DRM [digital rights management] on digital music. Once the DRM is gone, we can see what a real, robust, competitive digital music marketplace looks like.
I think, by contrast, that Fred's enthusiasm is at best premature and most likely embarrassingly wrong. Despite what Fred says, this is not the end of DRM, and the end of DRM is certainly not something to celebrate in any event.
1. First, suppose that Fred is correct and legal liability plus bad PR will indeed mean the end of DRM. Is that a good thing? Surely it would be if, in response, we think that the music industry will continue to invest in music at the same or a higher clip, and we think that there will be no strategic alternative for restricting access to music. But both of those assumptions are remarkably ambitious. Without some form of protection against unauthorized redistribution, isn't it likely that the music industry will (say) invest less or develop other ways of fighting piracy? Remember what happened when viewers started to skip television commericals. Advertisers responded by resorting to more product placement. I am not sure that was a good trade; viewers might be better off in a world where we commit to not skip commercials and in return advertisers stop paying poor Rory Gilmore to down Coke after Coke. Fred's argument is a slam-dunk only if no response of this sort is possible; and I don't see why that's even a remotely reasonable assumption to make.
2. What responses might we see? Ed Felten predicts that this might be the end of one type of DRM: namely, programs that install themselves on your computer, hide from you, and try to stop you from doing things you want to do. He likens DRM of this sort to spyware, which similarly is software that must hide from users becauses users don't like it. My colleague Randy Picker notes in the comments that consumers might ultimately and rightly grin and bear it. True, I don't like computer programs that stop me from rip-mix-burn'ing my music; but I still might agree to live with them if that is the best way to get fast, cheap, legal music. In any event, if "I'm hiding" is no longer a viable strategy, what then? For instance, might we see more services (like the SBC Yahoo Music Engine) that stream music but only to a specific proprietary player? That is, one response to a world without DRM is to stop selling CDs entirely and instead stream encrypted music to a compliant player that in turn protects the music. Is that a better approach from a social welfare perspective? (Fred, you seem to know that it is, but I don't see how you could possibly.)
3. DRM has other charms as well, and here again I fear that Fred is too quick to condemn it. Indeed, as I have argued elsewhere, self-help technologies like DRM can significantly reduce the costs of administering legal regimes. Self-help can be much less expensive than litigation as a means for protecting one party's interests; compare in this light the costs of building a fence to the costs of litigating over trespass to land. Moreover, self-help can also serve to identify which interests to protect. Trade secret law, for instance, protects only that information which the relevant trade secret holder himself has taken efforts to protect; one reason is that self-help here signals that the relevant trade secret holder genuinely values the information, and thus that this information might warrant more effective legal protection as well. (I suspect that section 1201 of the DMCA is in part explained along these very lines.)
4. Lastly, returning to SonyBMG, I think it would be a mistake if all this simply leads to better labeling. Yes, SonyBMG could put a warning on the outside of each CD that "this product contains DRM and might reduce the security of your computer system," but I don't see much value in that sort of notice. Consumers will have a hard time evaluating the risk, and these generic disclaimers are largely ignored in any event. It might be that legal rules have to condemn certain forms of DRM as too dangerous, much as shopkeepers are today not allowed to run electricity through their shop windows, even though the threat of electrocution would be a formidable deterrent to theft. That technique is too punishing and it has too many undesirable side-effects, for example the risk that some innocent youngster might break the window by accident and then be injured severely. Applied here, DRM of the sort adopted by SonyBMG might similarly be so bad as to be impermissible. But then we need to say more about what forms of DRM would be permissible, just as we similarly today allow shopkeepers to put locks on their doors, call the police in the event of a burglary, and so on.