No DMCA Violation Where Key Was Not an Effective Security Control and Where User Gained Access Via Authorization Process featured image

No DMCA Violation Where Key Was Not an Effective Security Control and Where User Gained Access Via Authorization Process

by John DiGiacomo

Partner

Copyright

Among many other prohibitions, the Digital Millennium Copyright Act (“DMCA”) prohibits efforts to gain access to computers by circumventing security control measures. In particular, the statute states that: “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” See 17 U.S.C. § 1201(a)(1)(A). “Circumventing” is very broadly defined to include:

  • Descrambling or decrypting files or systems that have been protected in either manner
  • Removing or deactivating security codes or measures
  • Using a device, software or coding to avoid or bypass security codes or other technological measure
  • And more

The DMCA was intended to combat hacking and other cybercrimes. But the statute has a much broader reach and has been interpreted by courts to cover any sort of unauthorized effort to access computers, even by disgruntled employees

A recent decision from the federal Fifth Circuit Court of Appeals provides an interesting example of how the DMCA is applied and its limitations. See Digital Drilling Data Systems, LLC v. Petrolink Services, Inc., 965 F. 3d 365 (5th Cir. July 2, 2020).

In that case, the plaintiff, Digital Drilling Data Systems (“DDDS”), created certain software and a database schema used in oil and natural gas drilling operations. DDDS limited access to its proprietary software and database by providing customers with a designated laptop computer on which the software and database were loaded. Further, DDDS provided a “USB key” that needed to be inserted into the laptop before the software would run.

A competitor of DDDS, Petrolink Services (“Petrolink”), obtained a laptop that contained the DDDS software and database. Petrolink also obtained a USB key. However, Petrolink quickly learned that the USB key was not actually needed to access the DDDS software/database. The database was an open source Firebird database and Petrolink learned that it could gain access to the database by using Firebird’s default administrator username and password. This default username/passcode is well known. Thereafter, Petrolink accessed the database without using the USB key. Through this method, Petrolink was able to copy various parts of the database schema and a significant portion of the data.

Eventually, DDDS learned of Petrolink’s unauthorized access and theft of its proprietary software and schema. Eventually, DDDS brought suit against Petrolink for copyright infringement, unjust enrichment and other claims including a claim under the DMCA. DDDS argued that the USB key was a security control measure and that Petrolink had violated the DMCA by circumventing that control measure to gain unauthorized access to it computer.

Unfortunately for DDDS, the trial court did not agree. Under the DMCA, a control measure or device is defined as something that, “… in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” The trial court held that a “control measure” must be “effective.” Because there were two methods of gaining access to the software and data schema, the USB key and the commonly-known default Firebird username/password, the USB key could not be deemed an effective control measure as defined under the DMCA. Further, Petrolink did not circumvent the other security measure, username and passcode, since Petrolink went through the security measure by employing the Firebird default credentials. The court held that no violation of the DMCA had occurred. On appeal, the Fifth Circuit affirmed and agreed with the trial court. It should be noted that DDDS was victorious on other legal claims.

Legal and practical lesson: This case is yet another real-world example of the need to change default security settings. This is a bare minimum necessity for any effective cybersecurity.

For more information about the DMCA and cybersecurity, contact the copyright lawyers and data security lawyers at Revision Legal at 231-714-0100.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side