Originally published July 6, 2004

A recent case from the United States District Court for the Southern District of New York has ruled for the first time on a significant issue pertaining to the scope of the Digital Millennium Copyright Act (DMCA) - whether unauthorized use of a valid password to access a secure Web site violates the DMCA. In I.M.S. Inquiry Management Systems Ltd. v. Berkshire Information Systems, Inc., the court decided that the DMCA does not prohibit such unauthorized access.

The DMCA’s Anti-Circumvention Provision

The DMCA was passed in 1998 "to strengthen copyright protection in the digital age." Once a copy-protection technology is "hacked," copyright pirates can quickly and easily copy and distribute copyrighted content in digital form. One of the ways the DMCA seeks to accomplish its goal of strengthening copyright protection is by forbidding the circumvention of technological measures that protect copyrighted content. Thus, the DMCA generally prohibits circumventing "access control technology" to access copyrighted materials, whether by decryption, descrambling, deactivation, or other impairment. It also prohibits trafficking in technology primarily designed to circumvent such access control technology.

The I.M.S. Case - Is Unauthorized Use of a Password Circumvention?

I.M.S. runs an Internet based advertising tracking service called "e-Basket." I.M.S. clients log on to a secure Web site with a unique password issued by I.M.S., where they can track magazine advertising. I.M.S. contends that it has a copyright in the selection and arrangement of its content.

Defendant Berkshire runs a competing service called "Marketshareinfo.com." I.M.S. alleged that prior to launching its operation, Berkshire gained access to an I.M.S. password, accessed the site without I.M.S. authorization, and copied approximately 85 percent of the I.M.S. report formats. Berkshire then launched Marketshareinfo.com, allegedly using the material it obtained from the secure I.M.S. site.

I.M.S. sued to stop Berkshire, alleging theories including violation of the DMCA. Berkshire moved to dismiss the DMCA claim, arguing that the alleged unauthorized use of a legitimate password did not constitute circumvention of an access control technology within the meaning of the DMCA.

The trial court agreed with Berkshire. The court found that use of password protection is an "access control technology" under the DMCA. It found that unauthorized use of a legitimate password, however, does not amount to "circumvention" of that technology. The court reasoned that, even if the allegations of I.M.S. were true, Berkshire had not avoided and bypassed the password protection technology itself. Instead, Berkshire had avoided and bypassed the requirement of having the permission of I.M.S. that would have protected against the former, but it did not forbid the latter.

Is There Protection Against Unauthorized Use of Passwords?

Assuming other courts follow the reasoning of the I.M.S. decision, copyright holders will not be able to rely on the DMCA to curtail access to their copyrighted material through the unauthorized use of legitimate passwords. That does not mean, however, that copyright holders are without recourse to challenge such conduct.

I.M.S. also brought a claim against Berkshire for violation of the Computer Fraud and Abuse Act (CFAA). The CFAA provides civil and criminal penalties for intentional unauthorized access to a protected computer that causes damage resulting in loss over $5,000. Berkshire also sought to have this claim against it dismissed, but the court found that, if true, the conduct described by I.M.S. satisfied the threshold requirements of the CFAA. Furthermore, although the court found potential problems with the copyright registration of I.M.S., the Copyright Act itself can provide remedies for the infringement of copyrighted content, even where the DMCA anti-circumvention provisions do not apply.

In short, the DMCA and access control technology should be considered as part of a copyright holder’s overall strategy for protecting its content, but as the I.M.S. decision makes clear, it will not cover every objectionable act. Obtaining the broadest measure of protection for copyrightable material requires an integrated strategy that draws on all available legal and technological safeguards.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.