Egilman v. Keller & Heckman

Citation: Egilman v. Keller & Heckman, LLP, 401 F.Supp.2d 105, 77 U.S.P.Q.2d (BNA) 1070 (D.D.C. 2005).

Factual Background
Plaintiff alleged that the defendants, without authorization, used plaintiff’s username and password to gain access to areas on plaintiff’s website that plaintiff had protected by the username/password combination. Plaintiff alleged that defendants violated the DMCA by “circumventing the technical measures [plaintiff] installed on his website to restrict access to his copyright protected work.” Defendants moved to dismiss the count for failure to state a claim.

Trial Court Decision
The court began its DMCA analysis by quoting the relevant statutory provisions. The court first explained that under Section 1201(a)(1)(A) of the DMCA, “no person shall circumvent a technological measure that effectively controls access to a work protected [by Title 17, U.S. Code].” In turn, to “circumvent a technological measure” under Section 1201(a)(3)(A) means “to descramble a scrambled work, to decrypt a decrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner.”

Based upon these provisions, the court held that accessing a computer system through the unauthorized use of a valid password does not constitute circumvention of a technological measure in violation of the DMCA. The court held that “[w]hat is missing from this statutory definition [of circumvention] is any reference to ‘use’ of a technological measure without the authority of the copyright owner, and the court declines to manufacture such language now. As such, the court concludes that using a username/password combination as intended – by entering a valid username and password, albeit without authorization – does not constitute circumvention under the DMCA.”

The court found it immaterial that there was no allegation that defendant had received the username and password from someone who was authorized to have the username and password in the first place. In the court’s opinion, “[i]t was irrelevant who provided the username/password combination to the defendant, or, given that the combination itself was legitimate, how it was obtained.” Rather, “because [plaintiff’s] allegations demonstrate that an otherwise legitimate, owner-issued password was used to access [plaintiff’s] website. . . the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity.”

The court held that because the username/password combination used to access plaintiff’s website was created and installed by plaintiff, this “technological measure” that controlled access to plaintiff’s website was not “circumvented” by defendants within the meaning of the DMCA. Accordingly, the court dismissed plaintiff’s DMCA claim.