No DMCA Violation for Ineffective Security Keys

by John DiGiacomo

Partner

Copyright

Among many other prohibitions, the Digital Millennium Copyright Act (“DMCA”) prohibits efforts to gain access to computers by circumventing security control measures. In particular, the statute states that: “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” See 17 U.S.C. § 1201(a)(1)(A). “Circumventing” is very broadly defined to include:

  • Descrambling or decrypting files or systems that have been protected in either manner
  • Removing or deactivating security codes or measures
  • Using a device, software or coding to avoid or bypass security codes or other technological measures
  • And more

The DMCA was intended to combat hacking and other cybercrimes. But the statute has a much broader reach and has been interpreted by courts to cover any sort of unauthorized effort to access computers, even by disgruntled employees.

A recent decision from the federal Fifth Circuit Court of Appeals provides an interesting example of how the DMCA is applied and its limitations. See Digital Drilling Data Systems, LLC v. Petrolink Services, Inc., 965 F.3d 365 (5th Cir. July 2, 2020).

In that case, the plaintiff, Digital Drilling Data Systems (“DDDS”), created certain software and a database schema used in oil and natural gas drilling operations. DDDS limited access to its proprietary software and database by providing customers with a designated laptop computer on which the software and database were loaded. Further, DDDS provided a “USB key” that needed to be inserted into the laptop before the software would run.

A competitor of DDDS, Petrolink Services (“Petrolink”), obtained a laptop that contained the DDDS software and database. Petrolink also obtained a USB key. However, Petrolink quickly learned that the USB key was not actually needed to access the DDDS software/database. The database was an open source Firebird database and Petrolink learned that it could gain access to the database by using Firebird’s default administrator username and password. This default username/passcode is well known. Thereafter, Petrolink accessed the database without using the USB key. Through this method, Petrolink was able to copy various parts of the database schema and a significant portion of the data.

Eventually, DDDS learned of Petrolink’s unauthorized access and theft of its proprietary software and schema. DDDS then brought suit against Petrolink for copyright infringement, unjust enrichment and other claims, including a claim under the DMCA. DDDS argued that the USB key was a security control measure and that Petrolink had violated the DMCA by circumventing that control measure to gain unauthorized access to its computer.

Unfortunately for DDDS, the trial court did not agree. Under the DMCA, a control measure or device is defined as something that, “… in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” The trial court held that a “control measure” must be “effective.” Because there were two methods of gaining access to the software and data schema, the USB key and the commonly-known default Firebird username/password, the USB key could not be deemed an effective control measure as defined under the DMCA. Further, Petrolink did not circumvent the other security measure, username and passcode, since Petrolink went through the security measure by employing the Firebird default credentials. The court held that no violation of the DMCA had occurred. On appeal, the Fifth Circuit affirmed and agreed with the trial court. It should be noted that DDDS was victorious on other legal claims.

Legal and practical lesson: This case is yet another real-world example of the need to change default security settings. This is a bare minimum necessity for any effective cybersecurity.

For more information about the DMCA and cybersecurity, contact the copyright lawyers and data security lawyers at Revision Legal at 231-714-0100.

The DMCA’s Anti-Circumvention Provision: Scope and Limitations

Section 1201 of the Digital Millennium Copyright Act, 17 U.S.C. § 1201, prohibits circumventing a “technological measure that effectively controls access to a work protected under this title.” The statute creates three separate prohibitions: (1) the act of circumvention itself; (2) trafficking in devices or services primarily designed to circumvent access controls; and (3) trafficking in devices or services primarily designed to circumvent copy-protection measures. The Digital Drilling case addressed the first prohibition—the act of circumvention. The “effectiveness” requirement is the critical limiting principle that the Fifth Circuit applied in Digital Drilling Data Systems, LLC v. Petrolink Services, Inc., 965 F.3d 365 (5th Cir. 2020): where a database is accessible through a well-known default password without engaging the claimed security measure at all, that measure cannot “effectively” control access.

Implications for Software and Database Security Design

The Digital Drilling decision carries a significant practical lesson: a security measure must actually be the exclusive or dominant gateway to access in order to qualify for DMCA anti-circumvention protection. A USB key that can be bypassed by entering a publicly known default password is legally equivalent to a lock installed next to an open window. Businesses should audit their access control systems before filing DMCA Section 1201 claims. If the forensic analysis of an intrusion reveals that the intruder never engaged the primary claimed security measure—instead using a secondary, more permissive access pathway—the DMCA anti-circumvention claim will fail. In Digital Drilling, DDDS lost its DMCA claim precisely because its own security architecture undermined the legal theory, despite suffering real economic harm from Petrolink’s theft.

Alternative Claims: Copyright Infringement and the CFAA

The failure of a DMCA Section 1201 claim does not leave a plaintiff without remedies for unauthorized access and data theft. Copyright infringement under 17 U.S.C. § 501 remains available if the defendant copied protectable expression from the plaintiff’s software or database. The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, provides another avenue, prohibiting knowingly accessing a computer “without authorization.” The Supreme Court’s decision in Van Buren v. United States, 593 U.S. 374 (2021), narrowed the CFAA’s scope, but a party like Petrolink—which gained access using a default password the copyright owner intended to be changed—presents a stronger CFAA case because it accessed the system using credentials it was never authorized to use. State law claims for unjust enrichment, misappropriation, and conversion of trade secrets may also be available.

Best Practices for Protecting Digital Assets

This case illustrates why layered security architecture matters both operationally and legally. To preserve DMCA Section 1201 protection, every access pathway to a protected work must itself be controlled by an effective technological measure. Default credentials should be changed before deployment. Access logs should be maintained so that unauthorized access is detectable. These measures not only improve actual security but also preserve legal remedies if a breach occurs.

Consult a Technology and IP Attorney

If your business has suffered unauthorized access to proprietary software, databases, or digital content, multiple legal theories may be available. The technology attorneys at Revision Legal can help you assess the strength of your claims and develop an enforcement strategy. Contact us at 231-714-0100.
