Category Archives: DMCA

Does a plaintiff claiming unlawful removal of copyright management information have to own a registered copyright?

Plaintiff sued defendants for violation of the provisions of the Digital Millennium Copyright Act (“DMCA”) that prohibit one from intentionally removing or altering any copyright management information (“CMI”) with the knowledge, or having reasonable grounds to know, that it will induce, enable, facilitate, or conceal a copyright infringement (17 U.S.C. § 1202(b)).

Defendants moved to dismiss, asserting that the court should reject plaintiff’s DMCA cause of action for failure to state a claim for which relief may be granted because copyright registration, which plaintiff admits it lacks, was a prerequisite for bringing suit under this provision of the DMCA.

The court denied the motion. It held that copyright registration was not a prerequisite to this sort of action.

Defendants had argued that the provisions of 17 U.S.C. § 411(a) required registration. That section provides that “no civil action for infringement of the copyright in any United States work shall be instituted until preregistration or registration of the copyright claim has been made in accordance with this title.” Defendants argued that this requirement applied to DMCA actions and tried to justify their position by asserting that (1) a plain reading of Section 1202(b) of the DMCA establishes that a claim brought thereunder constitutes a civil action for infringement, (2) the provisions of Title 17 of the United States Code, including 17 U.S.C. § 411(a), apply to the DMCA despite its silence as to those provisions, and (3) precedent shows that the registration requirement applies to the DMCA. The court rejected these arguments.

First, a plain reading of the DMCA did not establish that it is subject to the registration requirement found in 17 U.S.C. § 411(a). Such requirement pertains to “civil action[s] for infringement of the copyright.” However, a DMCA action under Section 1202(b) is not an action for infringement, but rather for the improper removal or alteration of CMI. Second, the court held that Section 411(a) need not apply to the DMCA merely because other provisions of Title 17 do. Finally, the case law defendants cited, including the recent Supreme Court case of Fourth Estate v. Wall-Street.com, did not indicate that registration is required for DMCA actions.

Diamondback Industries, Inv. v. Repeat Precision, LLC, 2019 WL 5842756 (N.D.Tex., November 7, 2019)

See also:

Suit under DMCA for concealing copyright management information failed because plaintiff did not properly allege defendants’ intent

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

Employee’s unauthorized conduct was not a DMCA prohibited circumvention

Plaintiff sued its former employee and alleged, among other things, that defendant violated the anticircumvention provisions of the Digital Millennium Copyright Act  (17 USC 1201). While defendant was still an employee, she used her username and password to access and download copyrighted material stored on plaintiff’s server after she had already accepted an employment offer from a competitor.

Defendant moved to dismiss the anticircumvention claim. The court granted the motion to dismiss.

The court’s holding centered on what the DMCA means by “circumvent a technological measure”. The statute requires that for there to be circumvention, one must “descramble a scrambled work . . . decrypt an encrypted work, or otherwise . . . avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”

In this case, the court followed the line of reasoning in prior cases, including Egilman v. Keller & Heckman LLP  to hold that defendant did not circumvent any measures because she validly accessed the system using her username and password.

The court found that even if the use that defendant made of that access was not something that plaintiff would have authorized her to do, i.e. copy the materials at issue, defendant’s alleged abuse of her logon privileges did not rise to the level of descrambling, decrypting, or otherwise avoiding, bypassing, removing, deactivating, or impairing anything.

R. Christopher Goodwin & Assoc., Inc. v. Search, Inc., 2019 WL 5576834 (E.D. Louisiana October 29, 2019)

About the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

DMCA injunction against company accused of importing Iranian cracking tools and Chinese password generator to unlock software

Defendant entered into a software license agreement with plaintiff that allowed defendant to use plaintiff’s software in China. Plaintiff filed suit, accusing defendant of violating the anticircumvention provisions of the Digital Millennium Copyright Act (DMCA), which enabled defendant to use the software in California. It sought a preliminary injunction and the court granted the motion. 

The DMCA at 17 U.S.C. § 1201(a)(1) prohibits “circumvention of technological measures that effectively control access to a copyrighted work.” The court found that plaintiff was likely to succeed on this claim: defendant’s computers contained evidence of crack files used to gain unauthorized access to plaintiff’s software, and these cracking tools were used to circumvent anti-piracy measures by unlocking the software. Also, defendant manually changed the MAC addresses of 11 computers in the United States, which also allowed defendant to circumvent plaintiff’s anti-piracy measures.

The court also found that plaintiff could prove violation of § 1201(a)(2), which prohibits importing and manufacturing “technology that circumvents a technological measure that ‘effectively controls access’ to a copyrighted work.” The forensic evidence collected from defendant’s computers showed that defendant imported a crack file from an Iranian software piracy website and obtained license key generator software from a Chinese website known to host pirated software.

Synopsys v. Innogrit, 2019 WL 2617091 (N.D. Cal. June 26, 2019)

Installing earlier software version that lacked license check feature triggered DMCA anticircumvention liability

EGS and DDS were in a dispute over the use of DDS’s software. [You can read about the copyright infringement claims here.] DDS claimed EGS had failed to pay license fees for its software. So DDS installed an update that would confirm the current license, and if the license was not up to date, would lock the program. In response, EGS elected to use a previously-licensed and older version of the software that did not contain the license check feature. Because of this, DDS claimed that EGS violated the anticircumvention provisions of the Digital Millennium Copyright Act

EGS moved to dismiss the DMCA anticircumvention claim. The court denied the motion. 

The DMCA provides, in relevant part, that “[n]o person shall circumvent a technological measure that effectively controls access to a work protected under this title.” It goes on to state that “to ‘circumvent a technological measure’ means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.” It also explains that “a technological measure ‘effectively controls access to a work’ if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” 

EGS had argued in part that it did not violate the anticircumvention provisions because its conduct was like the defendant in the case of I.M.S. Inquiry Management Systems, Ltd. v. Berkshire Info. Systems, Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004). In that case, the defendant used a legitimate username and password to gain access to the protected work. 

The court acknowledged that like the situation in I.M.S., EGS did not do anything to change or manipulate the DDS software. However, as the court noted, the fact remained that EGS allegedly removed the software and reinstalled a prior version. For that reason, I.M.S. and the similar case of Navistar, Inc. v. New Baltimore Garage, Inc., 2012 WL 4338816 (N.D. Ill. Sept. 20, 2012), were not to the contrary.

First, those cases acknowledged that removing a technological measure suffices to state a claim under the DMCA. Second, EGS had leaned heavily on the fact that DDS analogized its license check to a password protection system, and that the district courts in I.M.S. and Navistar reasoned that “using a password to access a copyrighted work, even without authorization, does not constitute circumvention under the DMCA …” But implicit in those courts’ reasoning was a recognition that the licensee already knew the password and thus had the key to the castle.

In this case, to the contrary, EGS had no way to go through the license check and access the current software except by removing it entirely. Accordingly, the court found that a more apt analogy was that EGS circumvented “the deployed technological measure in the measure’s gatekeeping capacity” by uprooting the locked gate.

Eclipse Gaming Systems, LLC v. Antonucci, 2019 WL 3988687 (N.D. Ill. Jan. 31, 2019)

See also:

Company cannot avoid DMCA liability for false CMI by claiming it used its own name

Plaintiff sued defendant claiming defendant violated the DMCA by providing and distributing false copyright management information (“CMI”), in violation of 17 U.S.C. § 1202(a)(1)–(2). Defendant had placed its brand name and logo on and adjacent to plaintiff’s photo within defendant’s advertising material. 

The part the DMCA relevant to this case provides that “[n]o person shall knowingly and with the intent to induce, enable, facilitate, or conceal infringement — (1) provide copyright management information that is false, or (2) distribute or import for distribution copyright management information that is false.”

Section 1202(c) defines CMI as “any of the following information conveyed in connection with copies or phonorecords of a work or performances or displays of a work, including in digital form, except that such term does not include any personally identifying information about a user of a work or of a copy, phonorecord, performance, or display of a work: …” (emphasis added). It goes on to list eight types of CMI, as relevant in this case: (2) the name of, and other identifying information about, the author of the work; (3) the name of, and other identifying information about, the copyright owner of the work, including the information set forth in a notice of copyright; and (7) identifying numbers or symbols referring to such information or links to such information.

Defendant moved to dismiss, arguing that the plain language of § 1202(c) excepts from the definition of CMI “any personally identifying information about a user of a work or of a copy, phonorecord, performance, or display of a work.” It reasoned that because plaintiff’s complaint defined defendant as a “user” of the photograph (i.e., by alleging that defendant used the photograph for commercial promotion) and because personally identifiable information includes names, the name of a user of a work is not, and cannot, be CMI.

The court rejected this argument and denied the motion to dismiss. It looked to the decision of another federal court, Tiermy v. Moschino S.P.A., No. 15-CV-5900, 2016 WL 4942033 (C.D. Cal. Jan. 13, 2016) in which a defendant had made a similar argument. As that court noted, defendant’s argument fell short on a logical basis. Taking defendant’s theory to the extreme, virtually any person who took another’s work and placed their name or brand on it could be considered a “user of a work” rather than an infringer, and escape liability. The court found that was not the intent of the statute, which is to protect the integrity of CMI by prohibiting the provision of false CMI. The court held that it cannot be, and defendant provided no authority in support, that an alleged infringer can escape liability under § 1202(a) simply because the false CMI put forth is the alleged infringer’s own name.

Roth v. The Walsh Co., 2019 WL 318404 (E.D. Wis. Jan. 24, 2019)

Suit under DMCA for concealing copyright management information failed because plaintiff did not properly allege defendants’ intent

Plaintiff sued defendants under the provision of the Digital Millennium Copyright Act (DMCA) (17 U.S.C. § 1202(a)) that, among other things, prohibits a person from knowingly and with the intent to induce, enable, facilitate, or conceal infringement, provide copyright management information that is false.

Defendants moved to dismiss for failure to state a claim. The district court granted the motion, and plaintiff sought review with the Second Circuit. On appeal, the court affirmed the dismissal.

It noted that in order to plead a violation of Section 1202(a), a plaintiff must plausibly allege that a defendant knowingly provided false copyright information and that the defendant did so with the intent to induce, enable, facilitate, or conceal an infringement. This is a double scienter requirement.

In this case, the court found that plaintiff’s DMCA claim merely alleged that one of the defendants was identified on a disputed work (a book) as its author, and that she was listed in the notice of copyright as its owner, which plaintiff alleges is false.

The court held that these facts did not amount to a plausible allegation that defendants knew that such copyright information was false, or that it even was false. Moreover, plaintiff had failed to adequately plead that defendants intended to conceal valid copyright management information.

Krechmer v. Tantaros, 2018 WL 4044048 (2nd Cir. August 24, 2018)

Website operator not liable for copyright infringement despite lack of DMCA safe harbor protection

Online platforms that allow user-generated content should take advantage of the safe harbor provisions of the Digital Millennium Copyright Act (DMCA), which protect the platform in the event of a third party claim of copyright infringement over the user-generated content. But the recent case of BWP Media USA, Inc. v. T&S Software Associates, Inc., 2016 WL 1248908 (N.D. Tex., March 25, 2016) shows that a platform may still avoid liability for infringement even if it has not availed itself of the benefits of the DMCA.

Plaintiff copyright holders sued defendant online forum board operator for direct and vicarious copyright infringement, over photos uploaded by users of the online forum board. Defendant moved for summary judgment. The court granted the motion. The defendant successfully defeated these claims of copyright infringement even though it had not met the DMCA safe harbor requirement of designating an agent with the Copyright Office to receive takedown notices.

Direct Infringement

The court found there was no triable issue on plaintiffs’ claim that defendant was liable for direct infringement, because the parties did not dispute that defendant played no direct role in uploading the photos. Citing the seminal case of Religious Tech. Ctr. v. Netcom OnLine Comm’cn Servs., 907 F, Supp. 1361 (N.D.Cal. 1995), the court observed that “making an internet company liable for direct copyright infringement simply because it gave users access to copyrighted material posted by others would create unreasonable liability.”

Vicarious Liability

A defendant may be vicariously liable for copyright infringement where it “profits directly from the infringement and has a right and ability to supervise the direct infringer, even if the defendant initially lacks knowledge of the infringement.” Metro-Goldwyn-Mayer Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 930 (2005). In this case, the court found that although plaintiffs contended that (1) the copyrighted photographs were displayed alongside paid advertising, (2) defendant received revenue from the paid advertising on its forum, and (3) the revenue received was based, in part, on the website traffic, plaintiff failed to point to any evidence in the record showing that defendant directly profited from the infringing conduct.

Observation: DMCA Safe Harbor Not Needed Here

Online service providers that make their platforms available for the storage of user-generated content (even if such ability is trivial, e.g., allowing users to upload profile pictures) are encouraged to take the appropriate steps to place the service provider within the protections of DMCA safe harbor. These steps include providing appropriate information in the platform’s terms of service, employing internal processes to handle takedown requests and repeat infringers, having a plan in place for dealing with counternotifications, and designating an agent with the Copyright Office to receive takedown notices. Being in the safe harbor means that the service provider has an affirmative defense if it is sued by a third party copyright holder for infringement causaed by the platform’s users.

Many have mistakenly believed that if a service provider fails to get safe harbor protection, it is automatically liable for infringement occasioned by user generated content uploaded to the service. That is not true, and the BWP Media case serves as an example. A copyright-owning plaintiff must still establish the elements of infringement against the service provider — whether for direct infringement or under a theory of secondary liability (like vicarious infringement) — even if the defendant does not find itself within the DMCA safe harbor.

BWP Media USA, Inc. v. T&S Software Associates, Inc., 2016 WL 1248908 (N.D. Tex., March 25, 2016)


Evan_BrownAbout the Author: Evan Brown is a Chicago technology and intellectual property attorney. Call Evan at (630) 362-7237, send email to ebrown [at] internetcases.com, or follow him on Twitter @internetcases. Read Evan’s other blog, UDRP Tracker, for information about domain name disputes.

Is a DMCA subpoena to identify unknown infringers valid if the infringement has ended?

The Digital Millennium Copyright Act (“DMCA”) is well-known for its notice and takedown provisions. But the DMCA provides a number of other interesting mechanisms, including a procedure for potential copyright plaintiffs to send subpoenas to online service providers to learn the identity of users who posted infringing content to that service. A recent case involving some subpoenas that a copyright owner sent to eBay examines the relationship between the notice and takedown procedures on one hand, and the subpoena mechanism on the other. The question before the court was whether a DMCA subpoena is valid if, by the time it is served on the online service provider, that online service provider has already removed or has disabled access to that content.

Section 512(h) (17 U.S.C. 512(h)) spells out the DMCA subpoena process, and how it relates to the notice and takedown provisions. An online service provider must act expeditiously to identify the user who uploaded infringing content “[u]pon receipt of the issued subpoena, either accompanying or subsequent to the receipt of a [takedown request].” That plain language seems straightforward — an online service provider has to provide the identifying information in response to any subpoena it receives either with or subsequent to a takedown notice.

But it was not so straightforward in a 2011 case, where some confusing facts made for some confusing law. In Maximized Living, Inc., v. Google, Inc., 2011 WL 6749017 (N.D. Cal. December 22, 2011), the copyright holder sent a subpoena to the online service provider after the copyright holder had sent a DMCA takedown notice. That would appear to comport with the statute — the subpoena came subsequent to the takedown notice. But the problem in that case was that the takedown notice was not valid. By the time it was sent, the alleged infringer had already removed the infringing content. From that, the Maximized Living case pronounced that “the subpoena power of §512(h) is limited to currently infringing activity and does not reach former infringing activity that has ceased and thus can no longer be removed or disabled.”

In the recent case of In re DMCA Subpoena to eBay, Inc., eBay, as the recipient of subpoenas to identify some of its users, picked up on the Maximized Living holding to argue that it did not have to answer the subpoenas because it had already taken down the offending content pursuant to previous takedown notices. Since the subpoenas did not relate to “currently infringing activity,” eBay argued à la Maximized Living, that the subpoenas had not been issued under §512(h)’s power and were therefore invalid.

The court rejected eBay’s argument. The key distinction in this case was that, unlike in Maximized Living, the takedown notices in this case, when they issued, related to content that was on the eBay servers at the time the takedown notices were issued. Granted, some of those takedown notices went all the way back to early 2012 (query whether the subpoena should be valid if it would only uncover the identity of an infringer for whom the 3-year copyright statute of limitations had passed; but that wasn’t before the court).

So to simply state the rule in this case — for a DMCA subpoena to be valid, it has to relate to a valid DMCA takedown notice. That DMCA takedown notice is not valid unless it was served at a time when infringing content resided on the service. An online service provider cannot avoid the obligation of responding to a subpoena by taking down the content, thereby causing there to be no “currently infringing activity”. Such a rule would, as the court observed, cause the online service provider’s safe harbor protection to also shield the alleged infringer from being identified. That would indeed be an odd application of the DMCA’s protection. The court in this case avoided that outcome.

In re DMCA Subpoena to eBay, Inc., 2015 WL 3555270 (S.D. Cal. June 5, 2015).

Evan Brown is a Chicago attorney helping clients in matters dealing with copyright, technology, the internet and new media. Call him at (630) 362-7237, send email to ebrown [at] internetcases dot com, or follow him on Twitter @internetcases

Photo courtesy of Flickr user Thomas Galvez under this Creative Commons license.

GitHub jeopardizes its DMCA safe harbor status by launching its new policy

GitHub has baked in some feelgood to its new DMCA takedown policy. The new setup features clearer language, a refusal to automatically disable all forks of an allegedly infringing repository, and a 24-hour window in which the target of a takedown notice may make changes. The mechanisms of this third point ought to cause one to consider whether GitHub is risking the protections of the DMCA safe harbor.

If a DMCA takedown notice alleges that only certain files (as opposed to the whole repository) infringe, under the new policy, GitHub “will contact the user who created the repository and give them approximately 24 hours to delete or modify the content specified in the notice.” If the user makes changes to the repository, the burden shifts back to the sender of the DMCA notice. This shifing-the-burden-back seems problematic under the DMCA.

GitHub’s policy says:

If the user makes changes, the copyright owner must review them and renew or revise their takedown notice if the changes are insufficient. GitHub will not take any further action unless the copyright owner contacts us to either renew the original takedown notice or submit a revised one. If the copyright owner is satisfied with the changes, they may either submit a formal retraction or else do nothing. GitHub will interpret silence longer than two weeks as an implied retraction of the takedown notice.

The DMCA protects a party in GitHub’s position so long as the party “responds expeditiously to remove, or disable access to, the material that is claimed to be infringing upon notification of claimed infringement”. Read that provision carefully — the response must be to take down, not merely take steps to work with the alleged infringer to make it right. GitHub’s new mechanism of interpreting silence as a retraction is not an expeditious removal of or disabling access to allegedly infringing material. Nothing in the DMCA requires the sender of the takedown notice to have to ask twice.

You’ve got to hand it to GitHub for trying to make the world a better place through this new policy. The intended net effect is to reduce the number of instances in which entire repositories are taken down simply because of a few allegedly infringing files. But GitHub is putting something of great value, namely, its DMCA safe harbor protection, at risk.

Many copyright plaintiffs look for every possible angle to pin liability. You can almost be certain that a copyright owner will challenge GitHub’s safe harbor status on the ground that GitHub did not respond expeditiously. It seems odd GitHub would be willing to toss a perfectly good affirmative defense. One would think the better approach would be to go ahead and take the repository down after 24 hours, rather than leaving it up and risk a finding on “non-expeditiousness”.

Related:

Microsoft letter to GitHub over DRM-free music software is not the first copyright-ironic action against an intermediary

Evan Brown is an attorney in Chicago advising clients on matters dealing with copyright, technology, the internet and new media.

DMCA’s protection of copyright management information applied to non-electronic works

The Digital Millennium Copyright Act (DMCA) provides safe harbors from copyright infringement liability for online service providers (17 U.S.C. 512) and makes it unlawful to circumvent technological measures that effectively control access to copyrighted works (17 U.S.C. 1201). A lesser-known (and lesser-litigated) provision of the DMCA (17 U.S.C. 1202) makes it illegal to intentionally remove or alter any copyright management information or to distribute copies of works knowing that copyright information has been removed or altered without authority of the copyright owner or the law. “Copyright management information” includes information conveyed in connection with copies of the work, such as the title and the name of the author.

A recent case from federal court in Florida considered whether this regulation of copyright management information in the DMCA applies only to electronic works intended for distribution over the internet, or whether it applies to more traditional works such as hard copy technical drawings. The court interpreted the DMCA broadly to apply to all kinds of works, whether on the internet or not.

Plaintiff alleged that defendant violated the DMCA by distributing copies of plaintiff’s drawings “knowing that [plaintiff’s] name had been removed therefrom and/or that another entity’s name had been added thereto.” Defendant argued that plaintiff failed to state a claim for a violation of the DMCA because the DMCA only applies to “technological” infringement. Defendant cited to Textile Secrets Intl’l, Inc. v. Ya–Ya Brand, Inc., 524 F.Supp.2d 1184 (C.D.Cal.2007), which found that § 1202(b) “was [not] intended to apply to circumstances that have no relation to the Internet, electronic commerce, automated copyright protections, or management systems, public registers, or other technological measures or processes as contemplated in the DMCA as a whole.” To read it otherwise, the court in that case reasoned, would contradict the “legislative intent behind the DMCA to facilitate electronic and Internet commerce.”

In this case, however, the court noted that other courts, focusing on the plain language of the DMCA, have held differently, and approved the DMCA’s application to non-technological contexts. See Murphy v. Millennium Radio Group LLC, 650 F.3d 295 (3d Cir.2011); Agence France Presse v. Morel, 769 F.Supp.2d 295 (S.D.N.Y.2011). Although in this case, as in Murphy, the legislative history of the DMCA was consistent with defendant’s interpretation, it did not actually contradict it. Instead, Section 1202(b) simply established a cause of action for the removal of, among other things, the name of the author of a work when it has been conveyed in connection with copies of the work.

So the court, as it found it was required to do, considered the statute’s plain meaning before it considered its legislative history. Under that analysis, it held that plaintiff’s allegations were sufficient to a state a claim for violation of the DMCA.

Roof & Rack Products, Inc. v. GYB Investors, LLC, 2014 WL 3183278 (S.D. Fla. July 8, 2014)

Evan Brown is an attorney in Chicago advising clients on matters dealing with copyright, technology, the internet and new media.