Software Makers, Take Note: Court Defines “Circumvention” Downward

By Kerry Timbers. A member of our Litigation Practice Group

September 2010 IP Update

Hacking a security device in order to use software is not a violation of a law barring the circumvention of technology that “controls access” to copyrighted works, such as software. The Fifth Circuit makes this fine distinction in MGE UPS Systems Inc. v. GE Consumer and Industrial Inc.

Copyright law, in the form of the Digital Millennium Copyright Act, or DMCA, provides: “No person shall circumvent a technological measure that effectively controls access to a work protected under this title.”

This generally makes it illegal to circumvent technological measures that control access to a work, such as software used to prevent copying of DVDs, digital rights management (DRM) technology for music files, or software or hardware “keys” used to lock software programs with a password. Prohibited circumvention is illegal, whether or not there is any actual copyright infringement involved.

Thus, it has typically been held that “cracking” codes in order to access and copy music or movies is a violation of the DMCA. For example, last summer in a highly publicized case involving RealNetworks, a court halted the sale of software that would allow users to copy DVDs to their laptop computers or other devices for viewing.

In MGE, however, the court distinguishes between the cracking of technological measures designed to prevent access to and use of  a copyrighted work, as opposed to measures designed to prevent copying of the work — and held that cracking security measures that merely prevent access and use are allowed.

The Fifth Circuit considered a computer dongle, or external security key, that had to be attached to a computer in order to allow the software on the computer to run.  The software was used to service uninterruptible power supplies, and GE had obtained a “hacked” version of the software that could run without the dongle and its password. GE admitted that it had used the hacked software in its business, and indeed was found guilty of copyright infringement, although it was never proved that GE itself had hacked the software.

The court held that circumventing the dongle was not a violation of the DMCA because the dongle controlled only “viewing or using” the software, not copying it. The court stated that “the DMCA does not apply to mere use of a copyrighted work,” but suggested that had the dongle prevented copying of the software, or encrypted the software, its circumvention might have been illegal.

This observation echoed that of another court’s decision involving a universal remote garage door opener, where a security code was cracked to allow the universal remote to control the door opener. In that case, the court allowed the cracking of the door-opening software, because the software “lock” merely prevented use–not copying–of the software.

Both courts promoted the idea that the DMCA should not prohibit hacking software locks where the actual use of the program is either permitted (as where the user has paid for the software and is a legitimate user) or might make a “fair use” of the copyrighted work. As the MGE court said, “An owner’s technological measure must protect the copyrighted material against an infringement of a right that the Copyright Act protects, not from mere use or viewing,” which the court considered “within the purview of ‘fair use’ permitted under the Copyright Act.”

Coincidentally, the Register of Copyrights this summer recommended that there be an exception to the DMCA allowing the cracking of dongles where the dongles have malfunctioned, are damaged, or are obsolete — but implicitly suggesting that all other cracking of dongles would violate the DMCA. This position is at odds with theMGE decision, which would allow cracking of a dongle that controls access to the software under any circumstances, regardless of whether the dongle functions properly or is obsolete.

It remains to be seen whether other courts will endorse the Fifth Circuit’s logic. In addition to contradicting the view of the Register of Copyrights, the MGE decision can be fairly criticized as fundamentally misunderstanding how software works. For example, the court noted that the dongles do not perform encryption to prevent copyright violations. Exactly the same thing can be said about DVD encryption schemes: They do not prevent raw copying, but they discourage copying because the copies are useless in both cases without the “key.”

Software designers using dongles, usb keys, passwords, or other “locks” to restrict access to their software would be wise to have those measures not merely control use of the software, but also control decryption or some other method of preventing copying. Alternatively, they could write their software license to specifically prohibit cracking such measures and using any hacked copy of the software.

Given the possible loopholes in DMCA protection, yet another strategy is to register one’s copyright before any copyright infringement takes place. This would allow recovery of statutory damages and attorneys’ fees, which are not available if infringement begins before registration.