Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
One of the motivations for enacting the Digital Millennium Copyright Act (DMCA), 17 U.S.C. '1201 et seq., was the acknowledgement by Congress of “the ease with which pirates could copy and distribute a copyrightable work in digital form was overwhelming the capacity of conventional copyright enforcement to find and enjoin unlawfully copied material.” See, Universal City Studios v. Corley, 273 F.3d 429 (2d Cir. 2001). Among the provisions created to redress this rampant infringement were the prohibitions against: 1) removing copyright management information (CMI); and 2) circumventing technological measures in place to prevent infringement. See, 17 U.S.C. ”1202(c), 1201(a). CMI is defined in the DMCA as information communicated with a copyrighted work which identifies the nature of the copyright. In one notable case involving CMI, a news organization was found to have violated the DMCA by knowingly distributing pictures with CMI that included authorship credit attributed to the wrong photographer. These two DMCA prohibitions are included in a broader category of protections afforded copyright holders called digital rights management (DRM), which is an access control technology used to prevent misuse of copyrighted works.
Each is controversial. Anti-circumvention preventions have arguably brought about unintended consequences, including jeopardizing fair use and chilling free expression and scientific research, and CMI has alleged to have been defined so broadly as to include logos, which could theoretically allow a trademark holder to invoke DMCA protections. As another of the many examples, almost 17 years after the passage of the DMCA, there remains a dispute as to whether CMI is only protected if it involves the use of a “digital” technological measure, such as CMI embedded in the software, or whether it is also protected when used in an “analog” measure, such as the author manually affixing the author's name to the work. See also, Murphy v. Millennium Radio Grp., 650 F.3d 295 (3d Cir. 2011) (printed credit on image that is not part of an “automated copyright protection or management system” is CMI). Another source of disagreement is whether a “simple” copyright notice constitutes CMI within the meaning of the DMCA.
Copyright holders can ' and do ' respond that DRM is designed to comport with the animating purposes of the DMCA, which requires ingenuity and flexibility in creating new mechanisms to prevent infringement, and that the anti-circumvention provisions are replete with exceptions to the restrictions, including for reverse engineering, research activities, security investigations and use by non-profit organizations. So the argument goes, such exceptions ensure that free speech and innovation is not unduly burdened by the anti-circumvention rules that amply protect the copyright holder's interests.
DRM and software are inextricably linked.'As the Electronic Frontier Foundation (EFF) recently observed: 'As software has become ubiquitous, so has DRM.' See, 'Victory for Users: Librarian of Congress Renews and Expands Protections for Fair Uses.”
CMI is almost always embedded in software or its underlying source code. Software is used to both circumvent and prevent circumvention of copyrighted works. Unsurprisingly then, cases abound that confront when, where and how software can be permissibly used to circumvent restrictions, or determine if the measures used by the copyright holder to input CMI are valid.
This article focuses on two of the most recent cases that tackle these issues. The first involves a dispute over circumvention of a website entry point between a software licensor and licensee. The second case is a recent dispute in the Southern District of New York over whether the insertion of the company name into the source code of its licensed software is sufficient CMI to trigger its Section 1202 enforcement rights.
Reverse Engineering Software Entry Point Can Violate DMCA
The first line of the opinion describes TLS Group, S.A. v. NuCloud Global, No. 2:15-cv-00533-TC (D. Utah. April 18, 2016) as a “dispute between two technology companies over the ownership of proprietary software.” The plaintiff (TLS) provides information technology services to organizations, including the UK's Visa and Immigration Service (UKVI). It contracted in Spring 2013 with defendant (NuCloud), a company focused on cloud computing, software and technology, to write software that enabled TLS to provide cloud-computing technology to UKVI, among other clients.
The relationship soured 18 months later, after NuCloud alleged that TLS had interfered with its work, destroyed morale and refused to pay on time. Though the parties briefly reconciled and settled their differences, the rapprochement was short-lived, and TLS sued. NuCloud counterclaimed with 14 causes of action, including an allegation that the plaintiff violated the DMCA anti-circumvention provisions. TLS then moved to dismiss the DMCA claim, and NuCloud responded with a request to the court for leave to amend the counterclaim to supplement the allegations.
More specifically, NuCloud alleged that TLS violated the DMCA's anti-circumvention provisions when it designed a way, through reverse engineering, to circumvent its website/URL entry point that it had used to provide TLS with restricted access to its proprietary software. NuCloud had granted TLS access to its software code only though this URL entry point. Moreover, NuCloud's software could function correctly only by relying on the URL entry point, which also contained certain router configurations and other pre-existing software, each of which functioned as technological measures protecting the software code. TLS did not possess an alternative copy of the code, and its sole access to the plaintiff's software was through the URL entry point. After it detached the software from the URL entry point, TLS allegedly blocked NuCloud's access to it.
The court agreed with NuCloud and held that the plaintiff had “proposed allegations [that] could support a conclusion” that TLS had violated '1201(a)(1). In arriving at this conclusion, the court focused squarely on the distinction between altering, reverse engineering or damaging a copy of the copyrighted work after authorized access, which is not anti-circumvention under the DMCA, and altering, reverse engineering or damaging the technological protection measures, which is. The court surveyed the case law, and agreed that the instant case was analogous to Davidson & Assocs. v. Jung, 422 F.3d 630 (8th Cir. 2005), where the defendant had violated '1201(a)(1) by reverse engineering a “secret handshake” that the plaintiff had set up with its customers to permit the latter to access its servers. The instant case aligned with the Davidson holding because NuCloud's protective measure was also circumvented when TLS “reverse engineered the software to free it from its dependency on [NuCloud's] URL entry point and other technological measures.”
Accordingly, TLS had “effectively avoided, bypassed, removed or deactivated, or impaired” NuCloud's technological barriers, and had potentially violated the DMCA, by, in the words of Congress, committing the “electronic equivalent of breaking into a locked room in order to obtain a copy of a book.”
Source Code Labeled With The Company Name Is CMI
How to adjudicate DMCA claims that arise from a software-related dispute was exemplified by the recent Southern District of New York decision in Bounce Exchange v. Zeus Enterprise, No. 15cv3268 (DLC) (S.D.N.Y Dec. 9, 2015). Bounce Exchange is a company that develops and sells software that permits its clients to track website users' behavior and to target such users with germane advertising messages. It is the exclusive owner of the copyright in the software, and its underlying source code.
Bounce alleged that in March 2013, two executives of Zeus Enterprise d/b/a Yieldify (defendant), a software company based in the UK, posed as a potential Bounce customer and requested a demonstration of Bounce's software. In response, Bounce claimed it unwittingly provided a software demonstration, which included non-public information, to Yieldify's CEO and Chief Technology Officer.
Fast forward to February 2015, when Bounce discovered Yieldify was selling source code “substantially similar” to Bounce's proprietary code. Yieldify's code purportedly reproduced directly “portions of the code, structure, sequence and organization” of Bounce's code. Most important for the court's subsequent holding, Bounce alleged that Yieldify had improperly removed “all references to and identifications of Bounce Exchange” from the software code, and replaced it directly with terms that referred to Yieldify.
Bounce filed its initial complaint for copyright infringement in April 2015, but Judge Denise Cote was deciding in this opinion additional DMCA claims that Bounce sought to add to the latest iteration of its complaint. Specifically, Bounce sought to supplement its complaint with a claim that Yieldify had wrongly altered and distributed its copyrighted material in violation of 17 U.S.C. '1202. Yieldify opposed on the ground of futility.
17 U.S.C. '1202 deals with copyright management information (CMI), which is defined in subsection (c) as information “conveyed in connection with” a copyrighted work. The same section proscribes the intentional removal or alteration of CMI. See also, Zalewski v. Cicero Builder Dev., 754 F.3d 95 (2d Cir. 2014) (noting that '1202 prevents removal or manipulation of the familiar ' copyright notice). Bounce cited references in its code to “bounce” and “bouncex” as CMI.
Judge Cote agreed. As in NuCloud, she analogized to a copyright law situation involving a non-digital work by equating Bounce's insertion of its name into its code, and thus into the body of the work, to the fact that a book's author typically appears on both the cover and on pages inside the book. If the latter is protected, so is the former, particularly because “many courts have recognized that forms of CMI may be contained in the body of a work.” Second, Cote held that Bounce's code included CMI in part because of the “nature” of software code. That is, code is distinctive from its supported software insofar as is seldom seen by anyone but the developers. “Weaving CMI into the text of the source code” could therefore be among the ways to best enhance the security of the code. Accordingly, “bounce” and “bouncex” are examples of CMI.
The court then summarily dispatched Yieldify's three defenses, which were rooted in statutory interpretation of the terms of the DMCA, the applicability of a canon of statutory instruction, and the lack of specificity of the terms “bounce” and “bouncex.” Accordingly, Yieldify's futility defense was rejected, and Judge Cote granted Bounce's motion to amend its complaint to include DMCA claims.
NuCloud'is not the only recent case involving CMI to be decided in the Southern District of New York. See, Playboy Enters. Int'l v. Mediatakeout.com, No. 15 Civ. 7053 (PAE) (S.D.N.Y. March 8, 2016). In March, Judge Paul Engelmayer denied the motion to dismiss of a media website that had put its watermark on copyrighted images owned by Playboy, as well as replaced Playboy's watermark. Playboy brought a '1202 claim based on the placement of the watermark. Judge Engelmayer agreed that this claim would survive the motion to dismiss because Playboy had shown in its complaint that the media website applied its watermark to the photos, and the affirmative defenses the website brought could not be successful absent the development of a factual record.
Richard Raysman is a Partner at Holland & Knight. Peter Brown is the principal at Peter Brown & Associates and a member of this newsletter's Board of Editors. They are co-authors of Computer Law: Drafting and Negotiating Forms and Agreements (Law Journal Press).
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.
Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.