Category Archives: DMCA

More evidence needed for YouTube’s DMCA defense

Viacom’s lawsuit against YouTube has gotten quite a bit of attention, but it wasn’t the first case of its kind filed. Almost a year ago, helicopter pilot and journalist Robert Tur sued YouTube for infringement of some well-known video he shot during the Rodney King Riots.

Both parties filed motions for summary judgment, and last week the court denied both motions. The rulings shed some light on how the safe harbor provisions of the Digital Millennium Copyright Act (“DMCA”) may play out in future lawsuits over user-generated content.

YouTube argued in its motion that it qualified for safe harbor protection “based on what it purport[ed] to be its definitive ability to satisfy all of the requirements of the statutory scheme.” The court neatly parsed seven requirements from 17 U.S.C. §512 that a service provider must meet to sail into the safe harbor:

(1) adoption and reasonable implementation of a termination policy for subscribers and account holders who are repeat infringers;

(2) accommodation and non-interference with “standard technical measures” that copyright owners use to protect their works;

(3) infringement is “by reason of the storage at the direction of a user of material that resides on a system or network controlled or operated by or for the service provider”;

(4) lack of actual knowledge of the infringing material or no awareness of facts or circumstances from which infringing activity is apparent on the system or network, and expeditious action to remove or disable access to material upon obtaining such knowledge or awareness;

(5) no “financial benefit directly attributable to the infringing activity,” if it had “the right and ability to control such activity”;

(6) expeditious response to remove or disable access to infringing material upon notification from the copyright owner; and

(7) proper designation of an agent to receive such notification.

The difficulty arose for YouTube under the fifth point, namely, in connection with its argument that it gained no “financial benefit directly attributable to the infringing activity,” and did not have “the right and ability to control such activity.”

Citing to the recent 9th Circuit case of Perfect 10 v. CCBill, the court observed that this point is actually two requirements in one: a provider’s receipt of a financial benefit is only implicated where it also has the right and ability to control the infringing activity. So if YouTube did not have the right and ability to control the alleged infringing activity, there was no reason to engage in the “financial benefit” analysis.

The court held that there was insufficient evidence to allow it to determine whether YouTube had the right and ability to control the infringing activity. The court’s comments on this point are intriguing, and foreshadow what might be some interesting issues in discovery. “There is clearly a significant amount of maintenance and management that YouTube exerts over its website, but the nature and extent of that management is unclear.” The court went on to note the lack of evidence as to “the process undertaken by YouTube from the time a user submits a video clip to the point of display on the YouTube website.”

Tur v. YouTube, Inc., No. 06-4436, (C.D.Cal. June 20, 2007)

Plain meaning, plain silliness under the DMCA anticircumvention provisions

CNET is reporting on a cease and desist letter some company has sent to Microsoft, Apple, Adobe and others. (I’m not going to mention the company by name because I don’t want to play into what Jessica Litman and I agree is an attempt to garner some unwarranted publicity — see the CNET article.) Simply stated, the company, which has apparently developed some kind of technology designed to prevent ripping of digital audio streams, claims that Microsoft et al. are actively avoiding the implementation of the company’s technology in their products. It claims that this avoidance is a circumvention prohibited under the DMCA.

I don’t opine much on this site, but this company’s theory is based on, at best, a hypertechnical and unsupportable reading of the DMCA. As you know, “circumvention” under the DMCA means to “descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”

Did you see the word “avoid” there? That’s what the company is apparently hanging its hat on. And the argument sounds clever, until you actually think about the DMCA and what it says.

One has to read the DMCA prohibitions on avoiding, bypassing, removing, deactivating, or impairing technological measures along with the terms immediately preceding, namely, descrambling and decrypting. These prohibited activities share a common theme of some sort of active disabling of the technology, not simply choosing not to use an available technology.

There’s a maxim that Aristotle probably made up called sui generis that lawyers and courts are supposed to use when interpreting statutes. Essentially, when you see a group of terms together in a statute, one is to attribute a common meaning to those terms. Interpreting the meaning of “to avoid” in the way that this company suggests would not be consistent with this principle.

I sincerely hope to not see any reported decisions on these facts.

Hefty award to Sony in action against seller of PlayStation 2 “mod chips”

Court awards over $6 million in DMCA statutory damages

Defendant Filipiak ran an online business that sold, among other things, “mod chips” that allowed Sony PlayStation and PlayStation 2 consoles to play copied games. Sony filed suit against Filipiak under the Digital Millennium Copyright Act (“DMCA”), which makes it illegal to sell any device that is primarily designed or produced to circumvent a technological measure that effectively controls access to copyrighted works. 17 U.S.C. §1201(a)(2).

Filipiak stipulated to liability for selling circumvention devices. The court awarded Sony over $6 million in statutory damages under 17 U.S.C. §1203(c)(3)(A), which provides that

At any time before final judgment is entered, a complaining party may elect to recover an award of statutory damages for each violation of [17 U.S.C. § 1201] in the sum of not less than $200 or more than $2,500 per act of circumvention, device, product, component, offer, or performance of service, as the court considers just.

The court drew a number of noteworthy conclusions in arriving at the damages figure. First, it held that §1203(c)(3)(A) authorizes a separate award of statutory damages for each device sold. (Filipiak had sold thousands of devices.) Next, the court looked to §504 of the Copyright Act (17 U.S.C. §504) to help it construe the meaning of the word “just” as it appears in §1203. No previous case had construed the meaning of the term in §1203, so the attorney’s fees provision of §504 provided guidance.

The amount of damages was calculated by awarding $800 per mod chip sold before June 12, 2004, and the full amount of $2,500 per mod chip sold after June 12, 2004. On that date, Filipiak had signed a stipulated injunction in which he agreed to discontinue sales of the chips and related software. The court concluded that the sales made after Filipiak signed the agreement constituted a willful violation of the DMCA, thus justifying a higher amount of statutory damages.

Sony Computer Entertainment America, Inc. v. Filipiak, (Slip. Op.) 2005 WL 3556676 (N.D. Cal., December 27, 2005).


Unauthorized use of username and password not a “circumvention” under DMCA

The recent case of Egilman v. Keller & Heckman LLP addressed a close question arising under a provision of the Digital Millennium Copyright Act (“DMCA”) found at 17 U.S.C. § 1201. The issue was whether accessing a computer system through the unauthorized use of a valid username and password constitutes an unlawful circumvention of a technological measure. The court held that such conduct is not “circumvention,” and thus not a violation of the DMCA.

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site. He filed suit in federal court asserting, among other things, that the use of the unauthorized username and password was an illegal circumvention of a technological measure, in violation of 17 U.S.C. § 1201.

One defendant moved to dismiss for failure to state a claim, and the others moved for judgment on the pleadings. The court granted the motions.

An essential fact that drove the court’s holding was that the username and password which the defendants allegedly used were the actual username and password which the plaintiff had chosen to protect his website from unauthorized access. For this reason, the defendants were alleged to have merely “used” the technological measure put in place by the plaintiff, and not to have “circumvented” the measure. The court specifically adopted the language and analysis of the case of I.M.S. Inquiry Mgmt. Sys., Ltd. v. Berkshire Info. Sys., Inc., 307 F.Supp.2d 521 (S.D.N.Y. 2004), a case with similar facts and issues.

Quoting from I.M.S., the court stated:

Whatever the impropriety of defendant’s conduct, the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity.

The court went so far as to say:

It was irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained. (Emphasis added.)

With this last statement, namely, that the means by which the username and password are obtained is irrelevant, did the court adjudicate a loophole in Section 1201? What if a defendant uses technological means to guess a username and crack a password? In that case, the defendant would ultimately be using the plaintiff’s intended username and password, and thus, according to the court, would merely be “using” and not “circumventing” a technological measure. In such a case, could one really say that for purposes of a Section 1201 analysis, how a username and password are obtained is irrelevant?

Egilman v. Keller & Heckman, LLP, — F.Supp.2d —, 2005 WL 3077260 (D.D.C., November 10, 2005).
