That’s what the FTC appeared to be doing when they finally settled with Sony BMG over the rootkitted-CD incident. (Or as the proponents of DRM might say, “aggressive copyright protection” technology.)
According to one version of the story from Information Week, Sony did not admit to any wrongdoing (standard operating procedure for these deals) but will replace any infected CDs purchased before 2007 and also agreed to compensate customers up to $150 for damages caused by the malicious software. By one measure of market pricing, this is a hefty penalty for rootkitting a machine, considering that PCs by the thousands can be purchased for remote-control botnets at better price points in the underground economy. (And at least Sony did not “exploit” the rootkitted machines the way a bot-herder will.) On the other hand, one could argue Sony got off the hook too easily, considering that a reputable company should never have engaged in practices that exposed users’ computers to risk. It is not clear what consumers will have to do to claim damages. Some users may have receipts from tech support services; others may have wasted hours of their own time trying to uninstall the rootkit and mitigate the vulnerability it creates. How can that loss of productivity be quantified?