Unauthorized use of username and password not a “circumvention” under DMCA

The recent case of Egilman v. Keller & Heckman LLP addressed a close question arising under a provision of the Digital Millennium Copyright Act (“DMCA”) found at 17 U.S.C. § 1201. The issue was whether accessing a computer system through the unauthorized use of a valid username and password constitutes an unlawful circumvention of a technological measure. The court held that such conduct is not “circumvention,” and thus not a violation of the DMCA.

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site. He filed suit in federal court asserting, among other things, that the use of the unauthorized username and password was an illegal circumvention of a technological measure, in violation of 17 U.S.C. § 1201.

One defendant moved to dismiss for failure to state a claim, and the others moved for judgment on the pleadings. The court granted the motions.

An essential fact that drove the court’s holding was that the username and password which the defendants allegedly used were the actual username and password which the plaintiff had chosen to protect his website from unauthorized access. For this reason, the defendants were alleged to have merely “used” the technological measure put in place by the plaintiff, and not to have “circumvented” the measure. The court specifically adopted the language and analysis of the case of I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F.Supp.2d 521 (S.D.N.Y. 2004), a case with similar facts and issues.

Quoting from I.M.S., the court stated:

Whatever the impropriety of defendant’s conduct, the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity.

The court went so far as to say:

It was irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained. (Emphasis added.)

With this last statement, namely, that the means by which the username and password are obtained is irrelevant, did the court adjudicate a loophole in Section 1201? What if a defendant uses technological means to guess a username and crack a password? In that case, the defendant would ultimately be using the plaintiff’s intended username and password, and thus, according to the court, would merely be “using” and not “circumventing” a technological measure. In such a case, could one really say that for purposes of a Section 1201 analysis, how a username and password are obtained is irrelevant?

Egilman v. Keller & Heckman, LLP, — F.Supp.2d —, 2005 WL 3077260 (D.D.C., November 10, 2005).

[Text of opinion]

Technorati:


Circumvention

1 Comment

  1. David Salamon
    December 20, 2005

    It looks to me like the use of the cracked password would not count as circumvention.

    However, that shouldn’t come as a suprise.

    I think that the actuall act of cracking that password would still count as a violation of the DMCA if it involved any sort of non-intended use of the system (say copying a couple of files and running some cracking software) rather than abusing an intended use (say trying every possible password for an account sequencially).

    That shouldn’t come as a suprise either, becasue the DMCA is about making many of the harder to protect against attacks illegal, rather than trying to legislate commonplace security violations.

Comments are closed.

Scroll to top