I’m in this week’s episode of Veoh Networks’ Viral, talking about the Safe Harbor provisions of the Digital Millennium Copyright Act (“DMCA”).
CNET is reporting on a cease and desist letter some company has sent to Microsoft, Apple, Adobe and others. (I’m not going to mention the company by name because I don’t want to play into what Jessica Litman and I agree is an attempt to garner some unwarranted publicity — see the CNET article.) Simply stated, the company, which has apparently developed some kind of technology designed to prevent ripping of digital audio streams, claims that Microsoft et al. are actively avoiding the implementation of the company’s technology in their products. It clams that this avoidance is a circumvention prohibited under the DMCA.
I don’t opine much on this site, but this company’s theory is based on, at best, a hypertechnical and unsupportable reading of the DMCA. As you know, “circumvention” under the DMCA means to “descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”
Did you see the word “avoid” there? That’s what the company is apparently hanging its hat on. And the argument sounds clever, until you actually think about the DMCA and what it says.
One has to read the DMCA prohibitions on avoiding, bypassing, removing, deactivating, or impairing technological measures along with the terms immediately preceding, namely, descrambling and decrypting. These prohibited activities share a common theme of some sort of active disabling of the technology, not simply choosing not to use an available technology.
There’s a maxim that Aristotle probably made up called sui generis that lawyers and courts are supposed to use when interpreting statutes. Essentially, when you see a group of terms together in a statute, one is to attribute a common meaning to those terms. Interpreting the meaning of “to avoid” in the way that this company suggests would not be consistent with this principle.
I sincerely hope to not see any reported decisions on these facts.
Court awards over $6 million in DMCA statutory damages
Defendant Filipiak ran an online business that sold, among other things, “mod chips” that allowed Sony PlayStation and PlayStation 2 consoles to play copied games. Sony filed suit against Filipiak under the Digital Millennium Copyright Act (“DMCA”), which makes it illegal to sell any device that is primarily designed or produced to circumvent a technological measure that effectively controls access to copyrighted works. 17 U.S.C. §1201(a)(2).
Filipiak stipulated to liability for selling circumvention devices. The court awarded Sony over $6 million in statutory damages under 17 U.S.C. §1203(c)(3)(A), which provides that
At any time before final judgment is entered, a complaining party may elect to recover an award of statutory damages for each violation of [17 U.S.C. § 1201] in the sum of not less than $200 or more than $2,500 per act of circumvention, device, product, component, offer, or performance of service, as the court considers just.
The court drew a number of noteworthy conclusions in arriving at the damages figure. First, it held that §1203(c)(3)(A) authorizes a separate award of statutory damages for each device sold. (Filipiak had sold thousands of devices.) Next, the court looked to §504 of the Copyright Act (17 U.S.C. §504) to help it construe the meaning of the word “just” as it appears in §1203. No previous case had construed the meaning of the term in §1203, so the attorney’s fees provision of §504 provided guidance.
The amount of damages was calculated by awarding $800 per mod chip sold before June 12, 2004, and the full amount of $2,500 per mod chip sold after June 12, 2004. On that date, Filipiak had signed a stipulated injunction in which he agreed to discontinue sales of the chips and related software. The court concluded that the sales made after Filipiak signed the agreement constituted a willful violation of the DMCA, thus justifying a higher amount of statutory damages.
Sony Computer Entertainment America, Inc. v. Filipiak, (Slip. Op.) 2005 WL 3556676 (N.D. Cal., December 27, 2005).
The recent case of Egilman v. Keller & Heckman LLP addressed a close question arising under a provision of the Digital Millennium Copyright Act (“DMCA”) found at 17 U.S.C. § 1201. The issue was whether accessing a computer system through the unauthorized use of a valid username and password constitutes an unlawful circumvention of a technological measure. The court held that such conduct is not “circumvention,” and thus not a violation of the DMCA.
Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site. He filed suit in federal court asserting, among other things, that the use of the unauthorized username and password was an illegal circumvention of a technological measure, in violation of 17 U.S.C. § 1201.
One defendant moved to dismiss for failure to state a claim, and the others moved for judgment on the pleadings. The court granted the motions.
An essential fact that drove the court’s holding was that the username and password which the defendants allegedly used were the actual username and password which the plaintiff had chosen to protect his website from unauthorized access. For this reason, the defendants were alleged to have merely “used” the technological measure put in place by the plaintiff, and not to have “circumvented” the measure. The court specifically adopted the language and analysis of the case of I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F.Supp.2d 521 (S.D.N.Y. 2004), a case with similar facts and issues.
Quoting from I.M.S., the court stated:
Whatever the impropriety of defendant’s conduct, the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity.
The court went so far as to say:
It was irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained. (Emphasis added.)
With this last statement, namely, that the means by which the username and password are obtained is irrelevant, did the court adjudicate a loophole in Section 1201? What if a defendant uses technological means to guess a username and crack a password? In that case, the defendant would ultimately be using the plaintiff’s intended username and password, and thus, according to the court, would merely be “using” and not “circumventing” a technological measure. In such a case, could one really say that for purposes of a Section 1201 analysis, how a username and password are obtained is irrelevant?
Egilman v. Keller & Heckman, LLP, — F.Supp.2d —, 2005 WL 3077260 (D.D.C., November 10, 2005).