Court refuses to enjoin use of fake accounts to access DRM-protected information

Plaintiff manufacturer of medical equipment sued a company that services such equipment for hospitals and clinics. Plaintiff claimed, among other things, that defendant violated the Computer Fraud and Abuse Act and the anticircumvention provisions of the Digital Millennium Copyright Act by using fake accounts to access proprietary documents, information and software that plaintiff had protected with digital rights management (DRM) technology.

The court denied plaintiff’s motion for preliminary injunction – which sought to bar defendant from accessing the computer systems or circumventing the DRM. It held that plaintiff had not met an essential element required for injunctive relief, namely, that plaintiff would suffer irreparable harm if the injunction was not granted.

There were two main reasons for the court’s decision. First, the court found that the assertions of irreparable harm were mere conclusions not supported by concrete facts. Second, the court found that the obligations on the defendant imposed by the contracts it had with its hospital and clinic customers would constrain defendant from engaging in the harmful activity that plaintiff sought to stop. For example, plaintiff claimed that defendant would access patient data without authorization. But the court noted that defendant was bound by confidentiality agreements and the obligation to abide by applicable data protection law. And plaintiff was worried that continued unauthorized access would increase the chances that defendant would modify the equipment. But again, the court looked to the contracts between defendant and its customers, which obligated defendant to properly maintain the equipment (thus removing any incentive to do what plaintiff was seeking to prevent).

Philips North America LLC v. Advanced Imaging Services, Inc., 2021 WL 6052285 (E.D. Cal., December 21, 2021)

DMCA anticircumvention case over copied YouTube videos moves forward

Defendant fired plaintiff over two videos advocating for COVID-19 workplace protections that plaintiff posted on YouTube. Around the time of the termination, the employer allegedly used a smartphone to record the videos in question while they were being played on a computer screen. Defendant then allegedly further copied, distributed and performed these videos in connection with legal proceedings involving plaintiff, without plaintiff’s consent.

DMCA anticircumvention

Plaintiff sued his former employer for copyright infringement. And because YouTube technology provides technological protection measures to prevent unauthorized copying of videos, plaintiff sued under Section 1201 of the Copyright Act – one of the anticircumvention provisions of the Digital Millennium Copyright Act (“DMCA”).

No fair use (yet)

Defendant argued its conduct was fair use of the videos. It asserted it submitted the videos in response to plaintiff’s OSHA complaint and in support of a no-trespass order. But the court refused to make a fair use determination at the motion to dismiss stage, since no facts supporting fair use could be found in the complaint.

DMCA circumvention

The court also allowed plaintiff’s DMCA circumvention claim to move forward.

Section 1201(a)(1)(A) of the DMCA states “[n]o person shall circumvent a technological measure that effectively controls access to a work protected under [the Copyright Act].” “Circumvent,” as used in §1201, “means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner[.]” §1201(a)(3)(A). “[A] technological measure ‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” §1201(a)(3)(B).

Defendant argued the court should throw out the DMCA circumvention claim because plaintiff did not identify a specific technological measure that defendant allegedly circumvented. The court rejected that argument, however, saying that that much specificity was not required to survive a motion to dismiss.

Defendant also argued the DMCA claim should fail because the statute prohibits “circumvention,” which is different from copying, and the complained-of conduct was simply copying. The court viewed the law differently, however, citing Chamberlain Group, Inc. v. Skylink Technologies., Inc., 381 F.3d 1178 (Fed. Cir. 2004), where the court held that while infringement and circumvention are distinct, an act of infringement can also involve an act of an authorized circumvention.

The facts of this case may cause one to consider cases such as R. Christopher Goodwin & Assoc., Inc. v. Search, Inc., 2019 WL 5576834 (E.D. Louisiana October 29, 2019) and wonder whether circumvention has really occurred. It does not appear defendant in this case did anything to disable measures that would have prevented it from viewing the videos. Presumably the streamed videos were available to anyone who could visit YouTube. And the act of creating the copies did not even touch on any of the protection measures YouTube put in place. There was no cracking or descrambling – just the capturing of video as it passed through the air (at that moment being analog) from the computer screen to the camera of the smart phone. Perhaps there is an analog hole defense here?

Edland v. Basin Electric Power Cooperative, 2021 WL 3080225 (D.S.D. July 21, 2021)

Employee’s unauthorized conduct was not a DMCA prohibited circumvention

Plaintiff sued its former employee and alleged, among other things, that defendant violated the anticircumvention provisions of the Digital Millennium Copyright Act  (17 USC 1201). While defendant was still an employee, she used her username and password to access and download copyrighted material stored on plaintiff’s server after she had already accepted an employment offer from a competitor.

Defendant moved to dismiss the anticircumvention claim. The court granted the motion to dismiss.

The court’s holding centered on what the DMCA means by “circumvent a technological measure”. The statute requires that for there to be circumvention, one must “descramble a scrambled work . . . decrypt an encrypted work, or otherwise . . . avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”

In this case, the court followed the line of reasoning in prior cases, including Egilman v. Keller & Heckman LLP  to hold that defendant did not circumvent any measures because she validly accessed the system using her username and password.

The court found that even if the use that defendant made of that access was not something that plaintiff would have authorized her to do, i.e. copy the materials at issue, defendant’s alleged abuse of her logon privileges did not rise to the level of descrambling, decrypting, or otherwise avoiding, bypassing, removing, deactivating, or impairing anything.

R. Christopher Goodwin & Assoc., Inc. v. Search, Inc., 2019 WL 5576834 (E.D. Louisiana October 29, 2019)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

DMCA injunction against company accused of importing Iranian cracking tools and Chinese password generator to unlock software

Defendant entered into a software license agreement with plaintiff that allowed defendant to use plaintiff’s software in China. Plaintiff filed suit, accusing defendant of violating the anticircumvention provisions of the Digital Millennium Copyright Act (DMCA), which enabled defendant to use the software in California. It sought a preliminary injunction and the court granted the motion. 

The DMCA at 17 U.S.C. § 1201(a)(1) prohibits “circumvention of technological measures that effectively control access to a copyrighted work.” The court found that plaintiff was likely to succeed on this claim: defendant’s computers contained evidence of crack files used to gain unauthorized access to plaintiff’s software, and these cracking tools were used to circumvent anti-piracy measures by unlocking the software. Also, defendant manually changed the MAC addresses of 11 computers in the United States, which also allowed defendant to circumvent plaintiff’s anti-piracy measures.

The court also found that plaintiff could prove violation of § 1201(a)(2), which prohibits importing and manufacturing “technology that circumvents a technological measure that ‘effectively controls access’ to a copyrighted work.” The forensic evidence collected from defendant’s computers showed that defendant imported a crack file from an Iranian software piracy website and obtained license key generator software from a Chinese website known to host pirated software.

Synopsys v. Innogrit, 2019 WL 2617091 (N.D. Cal. June 26, 2019)

Installing earlier software version that lacked license check feature triggered DMCA anticircumvention liability

EGS and DDS were in a dispute over the use of DDS’s software. [You can read about the copyright infringement claims here.] DDS claimed EGS had failed to pay license fees for its software. So DDS installed an update that would confirm the current license, and if the license was not up to date, would lock the program. In response, EGS elected to use a previously-licensed and older version of the software that did not contain the license check feature. Because of this, DDS claimed that EGS violated the anticircumvention provisions of the Digital Millennium Copyright Act

EGS moved to dismiss the DMCA anticircumvention claim. The court denied the motion. 

The DMCA provides, in relevant part, that “[n]o person shall circumvent a technological measure that effectively controls access to a work protected under this title.” It goes on to state that “to ‘circumvent a technological measure’ means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” It also explains that “a technological measure ‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” 

EGS had argued in part that it did not violate the anticircumvention provisions because its conduct was like the defendant in the case of I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Info. Systems, Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004). In that case, the defendant used a legitimate username and password to gain access to the protected work. 

The court acknowledged that like the situation in I.M.S., EGS did not do anything to change or manipulate the DDS software. However, as the court noted, the fact remained that EGS allegedly removed the software and reinstalled a prior version. For that reason, I.M.S. and the similar case of Navistar, Inc. v. New Baltimore Garage, Inc., 2012 WL 4338816 (N.D. Ill. Sept. 20, 2012), were not to the contrary.

First, those cases acknowledged that removing a technological measure suffices to state a claim under the DMCA. Second, EGS had leaned heavily on the fact that DDS analogized its license check to a password protection system, and that the district courts in I.M.S. and Navistar reasoned that “using a password to access a copyrighted work, even without authorization, does not constitute circumvention under the DMCA …” But implicit in those courts’ reasoning was a recognition that the licensee already knew the password and thus had the key to the castle.

In this case, to the contrary, EGS had no way to go through the license check and access the current software except by removing it entirely. Accordingly, the court found that a more apt analogy was that EGS circumvented “the deployed technological measure in the measure’s gatekeeping capacity” by uprooting the locked gate.

Eclipse Gaming Systems, LLC v. Antonucci, 2019 WL 3988687 (N.D. Ill. Jan. 31, 2019)

See also:

The vexing linkage between access and protection in DMCA anticircumvention analysis

A couple of days ago David Donoghue wrote about the recent case of Nordstrom Consulting, Inc. v. M&S Technologies, Inc., No. 06-3234, 2008 WL 623660 (N.D. Ill. March 4, 2008). Dave’s post gives a very thorough treatment of all aspects of the case, which involve primarily allegations of infringement of the copyright in software.

The case also involved a claim of circumvention under the Digital Millennium Copyright Act, at 17 U.S.C. 1201(a). The court granted the defendants’ summary judgment motion on this claim.

The dispute arose from a rather typical set of facts. The parties had collaborated on the development of some software. Along the way the principal author of the software became dissatisfied and parted ways. Litigation ensued over the parties’ ownership and use of the source code.

Before plaintiff Nordstrom officially severed ties, he went on vacation. While he was gone, one of the defendant’s employees (Butler) sent Nordstrom an email saying that Butler needed access to the source code which was stored on a computer there in the office, in order to help out a customer. Nordstrom didn’t respond for several days, and in the meantime, Butler disabled the BIOS password for the computer.

Nordstrom sued under Section 1201 over this disabling of the password. The court relied heavily on the Federal Circuit’s decision in Chamberlain Group, Inc. v. Skylink Technologies, Inc., 381 F.3d 1178 (Fed. Cir. 2004) to conclude that there was no violation of Section 1201’s anticircumvention provisions.

The Chamberlain case draws a necessary connection between circumvention and infringement. And the presence of this connection is the vexing part of the analysis. A quick reading of Section 1201 does not reveal the link.

But the Chamberlain court held that Section 1201’s prohibition on circumvention does not give rise to a new property interest, only a new cause of action, one that goes after circumvention of methods controlling access to protected works. One can’t pursue a defendant just for circumvention in a vacuum, so to speak. The circumvention has to bear some “reasonable relationship to the protections that the Copyright Act otherwise affords copyright owners.” Chamberlain, 381 F.3d at 1202. In other words, without infringement or the facilitation of infringement arising from the cirumvention, a cause of action under 1201 does not arise. The linkage is one between access and protection.

The holding of the Nordstrom case as to the DMCA claim picks up on this link between access and protection. Summary judgment on the circumvention claim was proper because the plaintiff could not show that Butler’s disabling of the BIOS password protection on the computer storing the source code enabled any infringement. The evidence before the court was that Butler accessed the code to fix a problem on behalf of an authorized licensee of the software. Because of the license, there could be no infringement. Without any connection to infringement, under the teaching of Chamberlain, a cause of action for circumvention could not be sustained.

Scroll to top