Three days ago, I posted about a recent decision concerning databases and the DMCA (DMCA Decision on Databases). While others were claiming this as a victory against the abomination that is the DMCA, I remained uncertain, not yet having a chance to read the decision. Now, with many thanks to a reader, I have had a chance to read the decision: Inquiry Management Systems v. Berkshire Information Systems.
The case is about one information company (Berkshire) accessing and copying substantive amounts of a database of another information company (Inquiry Management Systems). The claims involved include the Computer Fraud and Abuse Act, copyright infringement, tortious interference and, my favorite, the DMCA. The decision is one of summary judgment, with the copyright and DMCA claims dropped from the case. This may seem like a DMCA victory, but I'm still not sure since the logic is a mess.
The Register has a piece on some other troublesome elements of the decision I didn't cover (Is password-lending a cybercrime?).
Not a DMCA "Database" Decision
The DMCA is a near absolute bar against circumventing "access" controls in order to get to copyrighted information. Under the Feist decision, many collections of facts (e.g., databases) aren't protected by copyright - an element of the great idea/expression dichotomy (copyright protects expressions, not ideas). The great worry about the DMCA with regard to databases is that the unscrupulous will use the DMCA to obtain paracopyright protection for databases that aren't protected by copyright.
The way one would do this is simple: take something copyrightable and place it behind a DMCA-sanctioned access control, for example, a paragraph of original prose protected by a simple encryption scheme. Then, take your non-copyrightable database and place it behind the same DMCA-sanctioned access control. When someone tries to circumvent the access control to get to the database, you can claim they were circumventing an access control that protects a copyrighted work, which is true. This puts the one trying to access the database in violation of the DMCA, subject to all the strong penalties associated with it. Congratulations! You have now found a loophole around the Feist decision.
This is what a DMCA database decision means to me. When a court decides whether the DMCA can be used to protect a telephone book worth of non-copyrightable data with a paragraph of prose, then I'll be interested.
That is not the case here. The judge doesn't go into detail but basically allows that the information in the database is copyrighted (though not registered for purposes of this infringement suit), and thus the threshold question of whether or not the access control truly controls access to copyrighted material, as opposed to a collection of facts, is not addressed directly.
However, that does not mean that this decision is without interest to DMCA aficionados.
When Is a Password Legitimate? A Confusing Definition of Circumvention
What is circumvention? It all depends on how you look at it...
Having already decided that the database was copyrighted, the judge in this decision quickly acknowledges that the password-protected access to the database qualifies as an access control device under the DMCA, which I would agree with. The only question left is whether or not unauthorized use of a password constitutes circumvention. The judge answers in the negative.
Apparently, this is because Berkshire didn't avoid or bypass IMS's password protection and got through the password protection the way it was intended, by using a valid password:
[O]ther actions proscribed by the DMCA, connote broader application of the anti-circumvention prohibition, such as the terms "avoid" and "bypass". These actions are far more open-ended and mundane, and do not necessarily involve some kind of tech-based execution. Notwithstanding this, defendant argues that it has not even committed any act of avoidance or bypass, as it is accused of confronting IMS's password-controlled access in the way precisely intended: "All [I.M.S.] accuses Berkshire of doing is using IMS's own customer's valid password and user [identification] to view IMS's e-Basket system exactly as the customer itself might have done." Rep. Mem. at 10.
We agree that plaintiff's allegations do not evince circumvention as that term is used in the DMCA. Circumvention requires either descrambling, decrypting, avoiding, bypassing, removing, deactivating or impairing a technological measure qua technological measure. In the instant matter, defendant is not said to have avoided or bypassed the deployed technological measure in the measure's gatekeeping capacity. The Amended Complaint never accuses defendant of accessing the e-Basket system without first entering a plaintiff-generated password.
Hmmmm .... this may seem rather straightforward, but not so fast. Let's take that last sentence first: "The Amended Complaint never accuses defendant of accessing the e-Basket system without first entering a plaintiff-generated password." Ok, what does this mean? Personally, I'm not sure. First, this is what we know of the origin of the password:
To gain access to e-Basket, I.M.S. alleges that Berkshire obtained a user identification and password issued to a third party, thereby knowingly inducing that third party to breach an agreement it had with I.M.S.
So, if you convince someone to give you a password in breach of an agreement (or more like, license) you are free and clear of a DMCA access violation. Ok, this sounds reasonable to me, but what is the principle behind it? Unfortunately, the case isn't clear. The holding of the decision is that "unauthorized use of an otherwise legitimate, owner-issued password" is not circumvention. But what does "otherwise legitimate" or "owner-issued" mean? They're not in the text of the DMCA.
What is "otherwise legitimate," exactly? If IMS verbally rescinded the password's authorization, but could not physically stop it from working, would that mean the password was no longer legitimate? That would seem to be a strange thing to base DMCA liability upon. What would it take to count as rescinding what once was legitimate?
What other means of obtaining a password are legitimate? Is this a blanket exemption to the DMCA for social engineering? What if Berkshire got the password by looking over the shoulder of the third party when they entered it on their computer? What if they obtained it under false pretenses (This is IMS customer service, giggle, can you verify your password for me -or- IMS customer services, this is "third party," can you remind me what my password is)?
Is this a blanket exemption to the DMCA for obtaining a password through a third party? What if Berkshire had found the password on a website or newsgroup? What if a disgruntled former employee of the third party sent the password to Berkshire? What if Berkshire had found the password on a warez site? Would that impose DMCA liability? If so, why? What would be the distinction?
The generation issue is sort of interesting. Would it be a violation of the DMCA if Berkshire had merely guessed the password? For example, many people use the same passwords for a variety of sites and uses. What if a third party used both Berkshire and IMS services and Berkshire tried the password the third party used on Berkshire's site on IMS's? Such a scheme is likely to work, eventually. But would it be a violation of the DMCA? After all, Berkshire is still "confronting IMS's password-controlled access in the way precisely intended." Of course, I suspect that a judge will begin to see this sort of action as more of a bypass, but where is the line and how does one derive the line from the DMCA?
Going even further, what if Berkshire merely hazarded a guess at a commonly used password? What if Berkshire used a password generator to create a password that, coincidentally, IMS had already issued? What if they had used a password generator that created a valid password, but one that IMS had never issued? In this case the means to access was a password, but what if it were a serial number? Would that make a difference and, if so, how do you articulate that difference within the language of the DMCA? Is this a technological issue? Social engineering is okay, but digital engineering is bad? The case doesn't answer these questions at all.
Finally, running with this chain of examples, what should be the outcome if Berkshire found the password on a website or newsgroup, but the password had been (unbeknownst to Berkshire) generated by a password generator? What if Berkshire had thought the password of the unnamed third party was legitimately issued, but it wasn't? Is Berkshire liable under the DMCA? I don't think you can know from the DMCA or this decision.
Circumvention Depends on How You Look At It
Don't even start DeCSS aficionados arguing about the meaning of authorization and the DMCA. You see, under the DMCA, according to Reimerdes, buying a DVD doesn't give you authorization to access the DVD. Authorization to access the movie on the DVD comes from buying an authorized DVD player in conjunction with the DVD (we think; it really isn't clear when or where authorization accrues). This is confusing enough (what have you actually purchased when you buy a DVD?). This decision does little to clarify matters:
More precisely and accurately, what defendant avoided and bypassed was permission to engage and move through the technological measure from the measure's author. Unlike the CFAA, a cause of action under the DMCA does not accrue upon unauthorized and injurious access alone; rather, the DMCA "targets the circumvention of digital walls guarding copyrighted material." Universal Studios, 273 F.3d 429, 443 (emphasis in original).
Yeah, that is the neat thing about the DMCA. It not only targets unauthorized and injurious access, it targets non-injurious access as well.
Although whether an activity qualified as circumvention was not the question posed to the court, Universal Studios is instructive as a matter of reference. There, the offending circumvention was a DVD decryption program, DeCSS, which enabled the viewing of movies without using a DVD player. See Universal Studios, 273 F.3d at 452. The security device that prevented access to DVD movies without a DVD player, CSS, was described "in its basic function ... [as] a lock on a homeowner's door, a combination of a safe, or a security device attached to a store's products." Id., at 452-53. Likewise, "in its basic function, [DeCSS, the decryption program] is like a skeleton key that can open a locked door, a combination that can open a safe, or a device that can neutralize the security device attached to a store's products. DeCSS enables anyone to gain access to a DVD movie without using a DVD player." Universal Studios, 273 F.3d at 453.
I've never liked this analogy, cuz usually, what keeps me from accessing a movie on DVD is not having the physical DVD. I've downloaded DeCSS, but that didn't get me any DVDs of movies. And, you know, as often as I try to use DeCSS without a DVD player, it just never works. Heck, I've even sung the DeCSS Song for my DVDs and nothing happened. What the judge must have meant is that DeCSS enabled the viewing of movies on DVD (however you acquire the DVD) without using CSS authorized software. This sort of changes the analogy though. The physical DVD player isn't the key, the actual crypto key is the key.
The thing about CSS authorized software is that it has a key, an authorized password if you will. Once you have a legitimate key, then you can write DVD playing software that will decrypt a DVD movie. Now, you do have the encryption thing going on, but I don't see how using an unauthorized key that is otherwise legitimate is different from using an unauthorized password that is otherwise legitimate. The DMCA doesn't seem to see a difference:
It is of course the case, as defendant propounds, that the DMCA addresses activity such as decryption, descrambling, deactivation and impairment, and that these are all forms of circumvention under the subsection commonly involving technologically-sophisticated maneuvers. One might associate these activities with the breaking and entering (or hacking) into computer systems. [I guess making unauthorized use of a DVD you have legitimately purchased is the equivalent of breaking and entering]
On the other hand, other actions proscribed by the DMCA, connote broader application of the anti-circumvention prohibition, such as the terms "avoid" and "bypass". These actions are far more open-ended and mundane, and do not necessarily involve some kind of tech-based execution.
So the distinction between using an unauthorized crypto key that is otherwise legitimate and an unauthorized password that is otherwise legitimate is clear, because? Surprisingly, the last paragraph of the DMCA portion of the decision is able to even further muddy the logic of the distinction:
Defendant is alleged to have accessed plaintiff's protected website without plaintiff's authorization. Defendant did not surmount or puncture or evade any technological measure to do so; instead, it used a password intentionally issued by plaintiff to another entity. As an analogy to Universal Studios, the password defendant used to enter plaintiff's webservice was the DVD player, not the DeCSS decryption code, or some alternate avenue of access not sponsored by the copyright owner (like a skeleton key, or neutralizing device). Plaintiff, however, did not authorize defendant to utilize the DVD player. Plaintiff authorized someone else to use the DVD player, and defendant borrowed it without plaintiff's permission. Whatever the impropriety of defendant's conduct, the DMCA and the anti-circumvention provision at issue do not target this sort of activity.
Ooookaay. If I use DeCSS to view a DVD using the XING key, which was otherwise legitimate, why is that "surmounting" or "puncturing" a technological measure (terms not in the DMCA by the way)? In a sense, haven't I simply borrowed the player from XING? Unauthorized, sure, but why does liability attach for borrowing XING's key, but not for borrowing the unnamed third party's password? Now, I might do things with XING's player that the MPAA doesn't like, but that is the same as using the unnamed third party's password for things IMS didn't like. The MPAA authorized XING to use the key. DeCSS borrowed the key without the MPAA's permission. Isn't it the same thing?
You know, many of these problems with interpreting the DMCA could be solved if judges adopted my theory of the distinction between 1201(a) and 1201(b). Under my theory, IMS's password protection falls under 1201(a) and CSS falls under 1201(b). 1201(a) makes using and trafficking in an anti-access control device illicit, 1201(b) makes only trafficking in an anti-copying device illicit, using it is fine. Since what the court is considering here is possible use of a device, it wouldn't be necessary to strain for a distinction between CSS keys and a password, since under my theory, use of CSS keys is not a problem for the DMCA. Unfortunately, Reimerdes really blew that one, and every other judge is following that lemming to confusing and arbitrary distinctions.