Among many other prohibitions, the Digital Millennium Copyright Act (“DMCA”) prohibits efforts to gain access to computers by circumventing security control measures. In particular, the statute states that: “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.” See 17 U.S.C. § 1201(a)(1)(A). “Circumventing” is very broadly defined to include:
- Descrambling or decrypting files or systems that have been protected in either manner
- Removing or deactivating security codes or measures
- Using a device, software or coding to avoid or bypass security codes or other technological measures
- And more
The DMCA was intended to combat hacking and other cybercrimes. But the statute has a much broader reach and has been interpreted by courts to cover any sort of unauthorized effort to access computers, even by disgruntled employees.
A recent decision from the federal Fifth Circuit Court of Appeals provides an interesting example of how the DMCA is applied and its limitations. See Digital Drilling Data Systems, LLC v. Petrolink Services, Inc., 965 F.3d 365 (5th Cir. July 2, 2020).
In that case, the plaintiff, Digital Drilling Data Systems (“DDDS”), created certain software and a database schema used in oil and natural gas drilling operations. DDDS limited access to its proprietary software and database by providing customers with a designated laptop computer on which the software and database were loaded. Further, DDDS provided a “USB key” that needed to be inserted into the laptop before the software would run.
A competitor of DDDS, Petrolink Services (“Petrolink”), obtained a laptop that contained the DDDS software and database. Petrolink also obtained a USB key. However, Petrolink quickly learned that the USB key was not actually needed to access the DDDS software/database. The database was an open-source Firebird database, and Petrolink learned that it could gain access to the database by using Firebird’s default administrator username and password. This default username/passcode is well known. Thereafter, Petrolink accessed the database without using the USB key. Through this method, Petrolink was able to copy various parts of the database schema and a significant portion of the data.
Eventually, DDDS learned of Petrolink’s unauthorized access and theft of its proprietary software and schema. DDDS then brought suit against Petrolink for copyright infringement, unjust enrichment and other claims including a claim under the DMCA. DDDS argued that the USB key was a security control measure and that Petrolink had violated the DMCA by circumventing that control measure to gain unauthorized access to its computer.
Unfortunately for DDDS, the trial court did not agree. Under the DMCA, a control measure or device is defined as something that, “… in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work.” The trial court held that a “control measure” must be “effective.” Because there were two methods of gaining access to the software and data schema, the USB key and the commonly known default Firebird username/password, the USB key could not be deemed an effective control measure as defined under the DMCA. Further, Petrolink did not circumvent the other security measure, username and passcode, since Petrolink went through the security measure by employing the Firebird default credentials. The court held that no violation of the DMCA had occurred. On appeal, the Fifth Circuit affirmed and agreed with the trial court. It should be noted that DDDS was victorious on other legal claims.
Legal and practical lesson: This case is yet another real-world example of the need to change default security settings. This is a bare minimum necessity for any effective cybersecurity.