Stanford CIS

Misuse of password found not to violate Digital Millennium Copyright Act

By Stanford Center for Internet and Society on

IMS Inquiry Management Systems Ltd. sued competitor Berkshire Information Systems Inc. in the United States District Court for the Southern District of New York for damages and injunctive relief arising from Berkshire’s alleged unauthorized access to and use of IMS’s e-Basket advertisement tracking system. Such access, achieved by obtaining a user’s ID and password, caused that third party to breach its contract with IMS resulted in the copying of eighty five percent of IMS’s report formats. Thus, this case brings about several claims, out of which we will single out those under the Computer Fraud and Abuse Act, the Copyright Act, and the Digital Millennium Copyright.Computer Fraud and Abuse Act claim

This claim is based on the unauthorized access to IMS’s e-Basket system, which compromised the integrity of said system and caused IMS to incur expenses above the statutory bar of $5,000.

Claim of copyright infringement

The debate here centers on the jurisdictional issue of the copyright registration pertaining to the infringed work, absent which the court would lack jurisdiction to  entertain this claim. The copyright on said work allegedly was infringed on March 2002, and the effective date of its registration was March 7, 2003.  Hence, Berkshire argued that the work which registration certificate is exhibited by IMS is not that which copyright was infringed upon. IMS, however, argues that both are the same work, as the work for which registration was secured was prepared over a period of time, like a mural initiated on a certain date and concluded on a later date, which was published in the interim.

Relying on previous case law, the court held that the certificate presented by IMS did not identify the preexisting work infringed by Berkshire, which was therefore left unprotected by the registration secured in 2003, and therefore dismissed the claim to  copyright infringement.

Digital Millennium Copyright Act

This claim centers on the theory that by accessing IMS’s system by means of a password belonging to a third party, Berkshire violated the anti-circumvention provision of §1201 (a)(1)(A) of the DMCA. The court broke said provision down as follows:

First, it asked if a password is a technological measure that effectively controls access; it found that a password was precisely such a measure, and that it had specifically been addressed by the DMCA. Second, the question came to whether said measure had been circumvented by Berkshire. In resolving this issue, the court turned to precedent under Universal Studios v Corley, the case dealing with the use of DeCSS to decrypt the protection borne by DVDs. Following this precedent, the court found that the unauthorized use of a password issued by IMS to a third party was more akin to the use of a third party’s DVD player than to the use of DeCSS on one’s own player. It therefore held that, notwithstanding how improper Berkshire’s conduct, it did not come under the DMCA.

In conclusion, Berkshire prevailed on its motions against IMS’s claims under the Copyright Act and DMCA; however the latter’s claim under the CFAA prevailed and will be heard by the court.

Published in: Blog , Vol. 1, No. 13 , Packets