The Dismantling of the DMCA's Anti-Circumvention Provisions

According to a recent decision in the U.S. District Court for the District of Columbia, the use of an illicitly obtained password and username to enter an otherwise secure Web site does not violate the anti-circumvention provisions of the Digital Millennium Copyright Act (“DMCA”). In Egilman v. Keller & Heckman LLP, 2005 U.S. Dist. LEXIS 28245 (D.D.C. Nov. 10, 2005), the court held that the law firm Keller & Heckman and others working in concert with it who entered Dr. Egilman's Web site through the use of a username and password that they were not authorized to use had not violated the DMCA, regardless of how the username and password were obtained. This surprising decision runs counter to other decisions interpreting the DMCA and would appear to create a significant loophole to the DMCA's anti-circumvention provisions.

The DMCA's Anti-Circumvention Provisions

The U.S. Congress passed the DMCA in order to “strengthen copyright protection in the digital age.” Universal City Studios, Inc. v. Corley, 273 F.3d 429, 435 (2d Cir. 2001). The DMCA protects those who shield their works “behind digital walls such as encryption codes or password protections.” Id.

Pursuant to the DMCA, it is illegal to “circumvent a technological measure that effectively controls access to a [copyrighted] work,” 17 U.S.C. '1201(a)(1)(A), or to “traffic in any technology” designed to circumvent such a technological measure, 17 U.S.C. '1201(a)(2). For both of these provisions, the Act defines the phrase to “circumvent a technological measure” to mean “to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” 17 U.S.C. '1201(a)(3)(A).

The Valid Password Loophole

The Egilman decision arose from somewhat peculiar circumstances. Dr. Egilman testified as an expert on behalf of several plaintiffs in the Colorado toxic tort case Ballinger v. Brush Wellman, Inc. He also posted what the court described as “scurrilous and inflammatory statements” regarding the trial's participants on his password-protected Web site in violation of a gag order and was sanctioned for those postings by the court. Egilman, 2005 U.S. Dist. LEXIS 28245, at *2. Egilman, however, claimed that the court learned of these postings because attorneys at Keller & Heckman and Jones Day accessed his password-protected Web site without authorization. Accordingly, Egilman sued Keller & Heckman and Jones Day for a violation of the DMCA.

In analyzing Egilman's DMCA claim, the court stated that only one other federal court, I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004), had addressed the same 1201(a)(1) anti-circumvention issue. In I.M.S., the plaintiff accused the defendant of violating the DMCA by accessing its password-protected Web site through the use of a password the defendant had not been authorized to use. The I.M.S. court held that the defendant's use of a password it had “borrowed” from a third party did not amount to a violation of the DMCA. Id. at 533. The court reasoned that the defendant did not “surmount or puncture or evade any technological measure to [enter the site];” “what [the] defendant avoided and bypassed was permission to engage and move through the technological measure from the measure's author.” Id. at 532. Because the I.M.S. court upheld claims for violations of the Computer Fraud and Abuse Act and state law tort violations, the court's DMCA ruling was not fatal to plaintiff's claims, and the matter was thereafter settled without further proceedings.

The Egilman court could have narrowly interpreted the I.M.S. decision to apply only in situations where an authorized user knowingly lends its password to one other party. Instead, the court broadened the I.M.S. court's DMCA exception. The court reasoned that “[w]hat is missing from this statutory definition [of circumvention] is any reference to 'use' of a technological measure without the authority of the copyright owner, and the court declines to manufacture such language now.” 2005 U.S. Dist. LEXIS 28245, at *20. The court flatly held that “using a username/password combination as intended ' by entering a valid username and password, albeit without authorization ' does not constitute circumvention under the DMCA.” Id.

The Egilman court goes further, and makes the broad statement that it is “irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained.” Egilman, 2005 U.S. Dist. LEXIS 28245, at *21. In Egilman, it was not clear whether the defendants had obtained the username and password directly from an authorized third party, made a lucky guess or used powerful code-breaking software to determine the username/password combination. To the court, it did not matter, as long as the final product was the proper username and password.

The court's reasoning in this decision is questionable. It appears to interpret the “technological measure” at issue as the password, as opposed to the firewall. Such an interpretation is unnecessarily narrow and arguably inconsistent with circuit court precedent. According to the Second Circuit in Corley, the DMCA's protections apply to those that circumvent “digital walls” to access protected content. 273 F.3d at 435.

Because the “technological measure” is the “digital wall,” not simply the code used to get past it, the Egilman court goes astray by reasoning that the person accessing the content is “using” the technological measure. An unauthorized user is not “using” the “digital wall” ' he or she is getting past it. This fits the statutory definition of circumvention, which is to “deactivate … a technological measure, without the authority of the copyright owner.” Thus, even with the proper codes, an unauthorized user has fulfilled the components of circumvention: getting past the digital wall without having authority to do so.

Other Decisions Interpreting Anti-Circumvention Provisions Are in Conflict with Egilman and I.M.S.

Contrary to the implication of the Egilman court, there are several relevant anti-circumvention decisions other than I.M.S. In RealNetworks, Inc. v. Streambox, Inc., 2000 U.S. Dist. LEXIS 1889 (W.D. Wash. Jan. 18, 2000), the plaintiff protected files hosted on its server through use of a “Secret Handshake,” a proprietary authentication sequence that was sent by the authorized users of RealNetworks' program RealPlayer. To gain access to a work protected by the “Secret Hand-shake,” a user had to employ a copy of the RealPlayer program. The defendant marketed a product called Streambox, which “mimicked” that authentication sequence to gain access to RealNet-works' server. In applying the anti-trafficking provision of 1201(a)(2), the court stated that Streambox's use of these codes (the proper codes) to gain access to RealNetworks' server “circumvents the technological measures RealNetworks affords to copyright owners.” Id. at *20.

There have also been several cases involving the DVD encryption format “Content Scramble System” or “CSS.” As described by the Second Circuit, “CSS is an encryption scheme that employs an algorithm configured by a set of 'keys' to encrypt a DVD's contents.” Corley, 273 F.3d at 437. “One cannot gain access to a CSS-protected work on a DVD without application of the three keys that are required by the software.” Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294, 317 (S.D.N.Y. 2000).

Courts have held that unauthorized use of these access keys to gain access to CSS-protected works violates the circumvention provisions of the DMCA. With little discussion, the court in Reimerdes held that unauthorized use of these “keys” to unlock CSS “clearly is a means of circumventing a technological access control measure.” 111 F. Supp. 2d at 317. In 321 Studios v. Metro Goldwyn Mayer Studios, Inc., 307 F.Supp.2d 1085 (N.D. Cal. 2004), the same argument was asserted as was made by defendants in I.M.S. and Egilman, namely, that the software did not violate the DMCA because “it simply uses the authorized key to unlock the encryption.” Id. at 1098. The 321 Studios court flatly rejected that argument, stating that “while 321's software does use the authorized key to access the DVD, it does not have authority to use this key … and it therefore avoids and bypasses CSS.” Id.

It is difficult, if not impossible, to reconcile the reasoning in I.M.S. and Egilman with the decisions in Reimerdes, RealNetworks and 321 Studios. All revolve around the same core set of facts ' an unauthorized user gains access to technologically protected content through the use of the proper access codes. Because neither the I.M.S. nor Egilman court sufficiently explained why it should matter whether the access control is a computerized authentication sequence or a user-entered password, it is not clear that this is a valid difference for application of DMCA protections. This divide seems ripe for future decisions to address.

Practical Concerns and Tips

While Egilman's violation of a court's gag order makes him a rather unsympathetic plaintiff, one wonders whether the outcome would have been different if the defendants had accessed his site prior to the trial in order to see a preview of his upcoming testimony, or, if the person gaining access had been a “hacker” accessing a corporation's trade secrets through the use of access codes found on the Internet.

Practitioners who argue for the broad exception stated by the Egilman court should be careful about extending this precedent. As construed in Egilman, the “valid password” exception would seem to gut the enforcement of protections sought through the use of passwords or encryption. Those bringing suit for alleged breaches of technological protection measures should be aware of this apparent loophole to the DMCA protections. Plaintiffs should not rely only on DMCA protections and, if possible, should bring additional causes of action such as Computer Fraud and Abuse Act claims, copyright infringement claims, or state-law tort violation claims.

The DMCA protections were required, at least in part, to bring the United States into compliance with the World Intellectual Property Organization (“WIPO”) 1996 Copyright Treaty, which mandated that signatory countries provide “adequate legal protection and effective legal remedies against the circumvention of effective technological measures” used by authors to protect their works. If the Egilman and I.M.S. courts' reasoning is followed, it is unclear whether the DMCA protections will truly be adequate to ensure continued compliance with this treaty obligation.

According to a recent decision in the U.S. District Court for the District of Columbia, the use of an illicitly obtained password and username to enter an otherwise secure Web site does not violate the anti-circumvention provisions of the Digital Millennium Copyright Act (“DMCA”). In Egilman v. Keller & Heckman LLP, 2005 U.S. Dist. LEXIS 28245 (D.D.C. Nov. 10, 2005), the court held that the law firm Keller & Heckman and others working in concert with it who entered Dr. Egilman's Web site through the use of a username and password that they were not authorized to use had not violated the DMCA, regardless of how the username and password were obtained. This surprising decision runs counter to other decisions interpreting the DMCA and would appear to create a significant loophole to the DMCA's anti-circumvention provisions.

The DMCA's Anti-Circumvention Provisions

The U.S. Congress passed the DMCA in order to “strengthen copyright protection in the digital age.” Universal City Studios, Inc. v. Corley , 273 F.3d 429, 435 (2d Cir. 2001). The DMCA protects those who shield their works “behind digital walls such as encryption codes or password protections.” Id.

Pursuant to the DMCA, it is illegal to “circumvent a technological measure that effectively controls access to a [copyrighted] work,” 17 U.S.C. '1201(a)(1)(A), or to “traffic in any technology” designed to circumvent such a technological measure, 17 U.S.C. '1201(a)(2). For both of these provisions, the Act defines the phrase to “circumvent a technological measure” to mean “to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” 17 U.S.C. '1201(a)(3)(A).

The Valid Password Loophole

The Egilman decision arose from somewhat peculiar circumstances. Dr. Egilman testified as an expert on behalf of several plaintiffs in the Colorado toxic tort case Ballinger v. Brush Wellman, Inc. He also posted what the court described as “scurrilous and inflammatory statements” regarding the trial's participants on his password-protected Web site in violation of a gag order and was sanctioned for those postings by the court. Egilman, 2005 U.S. Dist. LEXIS 28245, at *2. Egilman, however, claimed that the court learned of these postings because attorneys at Keller & Heckman and Jones Day accessed his password-protected Web site without authorization. Accordingly, Egilman sued Keller & Heckman and Jones Day for a violation of the DMCA.

In analyzing Egilman's DMCA claim, the court stated that only one other federal court, I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc ., 307 F. Supp. 2d 521 (S.D.N.Y. 2004), had addressed the same 1201(a)(1) anti-circumvention issue. In I.M.S., the plaintiff accused the defendant of violating the DMCA by accessing its password-protected Web site through the use of a password the defendant had not been authorized to use. The I.M.S. court held that the defendant's use of a password it had “borrowed” from a third party did not amount to a violation of the DMCA. Id. at 533. The court reasoned that the defendant did not “surmount or puncture or evade any technological measure to [enter the site];” “what [the] defendant avoided and bypassed was permission to engage and move through the technological measure from the measure's author.” Id. at 532. Because the I.M.S. court upheld claims for violations of the Computer Fraud and Abuse Act and state law tort violations, the court's DMCA ruling was not fatal to plaintiff's claims, and the matter was thereafter settled without further proceedings.

The Egilman court could have narrowly interpreted the I.M.S. decision to apply only in situations where an authorized user knowingly lends its password to one other party. Instead, the court broadened the I.M.S. court's DMCA exception. The court reasoned that “[w]hat is missing from this statutory definition [of circumvention] is any reference to 'use' of a technological measure without the authority of the copyright owner, and the court declines to manufacture such language now.” 2005 U.S. Dist. LEXIS 28245, at *20. The court flatly held that “using a username/password combination as intended ' by entering a valid username and password, albeit without authorization ' does not constitute circumvention under the DMCA.” Id.

The Egilman court goes further, and makes the broad statement that it is “irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained.” Egilman, 2005 U.S. Dist. LEXIS 28245, at *21. In Egilman, it was not clear whether the defendants had obtained the username and password directly from an authorized third party, made a lucky guess or used powerful code-breaking software to determine the username/password combination. To the court, it did not matter, as long as the final product was the proper username and password.

The court's reasoning in this decision is questionable. It appears to interpret the “technological measure” at issue as the password, as opposed to the firewall. Such an interpretation is unnecessarily narrow and arguably inconsistent with circuit court precedent. According to the Second Circuit in Corley, the DMCA's protections apply to those that circumvent “digital walls” to access protected content. 273 F.3d at 435.

Because the “technological measure” is the “digital wall,” not simply the code used to get past it, the Egilman court goes astray by reasoning that the person accessing the content is “using” the technological measure. An unauthorized user is not “using” the “digital wall” ' he or she is getting past it. This fits the statutory definition of circumvention, which is to “deactivate … a technological measure, without the authority of the copyright owner.” Thus, even with the proper codes, an unauthorized user has fulfilled the components of circumvention: getting past the digital wall without having authority to do so.

Other Decisions Interpreting Anti-Circumvention Provisions Are in Conflict with Egilman and I.M.S.

Contrary to the implication of the Egilman court, there are several relevant anti-circumvention decisions other than I.M.S. In RealNetworks, Inc. v. Streambox, Inc., 2000 U.S. Dist. LEXIS 1889 (W.D. Wash. Jan. 18, 2000), the plaintiff protected files hosted on its server through use of a “Secret Handshake,” a proprietary authentication sequence that was sent by the authorized users of RealNetworks' program RealPlayer. To gain access to a work protected by the “Secret Hand-shake,” a user had to employ a copy of the RealPlayer program. The defendant marketed a product called Streambox, which “mimicked” that authentication sequence to gain access to RealNet-works' server. In applying the anti-trafficking provision of 1201(a)(2), the court stated that Streambox's use of these codes (the proper codes) to gain access to RealNetworks' server “circumvents the technological measures RealNetworks affords to copyright owners.” Id. at *20.

There have also been several cases involving the DVD encryption format “Content Scramble System” or “CSS.” As described by the Second Circuit, “CSS is an encryption scheme that employs an algorithm configured by a set of 'keys' to encrypt a DVD's contents.” Corley , 273 F.3d at 437. “One cannot gain access to a CSS-protected work on a DVD without application of the three keys that are required by the software.” Universal City Studios, Inc. v. Reimerdes , 111 F. Supp. 2d 294, 317 (S.D.N.Y. 2000).

Courts have held that unauthorized use of these access keys to gain access to CSS-protected works violates the circumvention provisions of the DMCA. With little discussion, the court in Reimerdes held that unauthorized use of these “keys” to unlock CSS “clearly is a means of circumventing a technological access control measure.” 111 F. Supp. 2d at 317. In 321 Studios v. Metro Goldwyn Mayer Studios , Inc., 307 F.Supp.2d 1085 (N.D. Cal. 2004), the same argument was asserted as was made by defendants in I.M.S. and Egilman, namely, that the software did not violate the DMCA because “it simply uses the authorized key to unlock the encryption.” Id. at 1098. The 321 Studios court flatly rejected that argument, stating that “while 321's software does use the authorized key to access the DVD, it does not have authority to use this key … and it therefore avoids and bypasses CSS.” Id.

It is difficult, if not impossible, to reconcile the reasoning in I.M.S. and Egilman with the decisions in Reimerdes, RealNetworks and 321 Studios. All revolve around the same core set of facts ' an unauthorized user gains access to technologically protected content through the use of the proper access codes. Because neither the I.M.S. nor Egilman court sufficiently explained why it should matter whether the access control is a computerized authentication sequence or a user-entered password, it is not clear that this is a valid difference for application of DMCA protections. This divide seems ripe for future decisions to address.

Practical Concerns and Tips

While Egilman's violation of a court's gag order makes him a rather unsympathetic plaintiff, one wonders whether the outcome would have been different if the defendants had accessed his site prior to the trial in order to see a preview of his upcoming testimony, or, if the person gaining access had been a “hacker” accessing a corporation's trade secrets through the use of access codes found on the Internet.

Practitioners who argue for the broad exception stated by the Egilman court should be careful about extending this precedent. As construed in Egilman, the “valid password” exception would seem to gut the enforcement of protections sought through the use of passwords or encryption. Those bringing suit for alleged breaches of technological protection measures should be aware of this apparent loophole to the DMCA protections. Plaintiffs should not rely only on DMCA protections and, if possible, should bring additional causes of action such as Computer Fraud and Abuse Act claims, copyright infringement claims, or state-law tort violation claims.

The DMCA protections were required, at least in part, to bring the United States into compliance with the World Intellectual Property Organization (“WIPO”) 1996 Copyright Treaty, which mandated that signatory countries provide “adequate legal protection and effective legal remedies against the circumvention of effective technological measures” used by authors to protect their works. If the Egilman and I.M.S. courts' reasoning is followed, it is unclear whether the DMCA protections will truly be adequate to ensure continued compliance with this treaty obligation.