Court holds that the unauthorized distribution of passwords and usernames avoids and bypasses a technological measure in violation of DMCA sections 1201(a)(2) and 1201(b)(1).
Plaintiff Actuate Corporation entered into a software licensing agreement with defendant MRO Software, Inc. (MRO), whereby Actuate granted MRO rights to utilize certain Actuate software and to sell licenses to MRO products incorporating that software in exchange for license and maintenance fees. Among other things, the License Agreement allowed MRO to market, distribute and sublicense Actuate software for use with Partner Products, which was defined in the agreement as including MRO’s Maximo line of products. In or about August 2006, defendant IBM announced that it was acquiring MRO. After the acquisition, IBM incorporated MRO’s Maximo software into its own Tivoli line of products. In doing so, however, IBM did not pay Actuate any additional license fees. Further, IBM allegedly posted Actuate software and related materials online, including development tools, documentation and license keys, without Actuate’s authorization.
In 2009, Actuate brought suit against MRO and IBM in the Northern District of California claiming, inter alia, that defendants’ conduct constituted (1) a breach of contract and (2) circumvention of access controls and distribution of circumvention tools in violation of the DMCA (17 U.S.C. § 1201 et seq.). With respect to the DMCA claim, Actuate argued that the license key posted online by IBM enabled Actuate’s software to be installed on an unlimited basis. Defendants moved to dismiss the contract and DMCA claims.
In support of their motion, defendants pointed to a line of court decisions that found the unauthorized use of a password issued by the copyright holder did not constitute “circumvention” of a technological control under the DMCA, led by I.M.S. Inquiry Management Systems v. Berkshire Information Systems, Inc., 307 F. Supp. 2d 521 (S.D.N.Y. 2004) (hereinafter “the I.M.S. line of cases”). The I.M.S. court had found that the unauthorized use of a password was not analogous to a DVD decryption program that acted as a “skeleton key” or combination lock which was previously found to circumvent a technological measure.
Actuate, however, responded that the I.M.S. line of cases addressed DMCA provisions prohibiting direct circumvention (i.e., Section 1201(a)(1)) and thus were not applicable to the DMCA provisions prohibiting trafficking in technology designed to circumvent access or copy controls (i.e., Sections 1201(a)(2) and 1201(b)(1)).
Here, the court declined to adopt Actuate’s position that the definition of circumvention depended on which DMCA position was allegedly violated as there was no case law supporting the proposition and because the same definition of circumvention applied to 1201(a)(1) and 1201(a)(2).
However, the court ultimately declined to follow the I.M.S. line of cases and found that the unauthorized distribution of passwords and usernames avoids and bypasses a technological measure in violation of sections 1201(a)(2) and 1201(b)(1). The court rejected the I.M.S. court’s reasoning that a password was different from a skeleton key and/or combination lock, stating that it was essentially the same as a password. Thus, the court held that unauthorized use of a password may constitute circumvention under the DMCA.
The court declined to dismiss Actuate’s breach of contract claim as it was disputed whether IBM incorporated Actuate’s software in a manner authorized by the License Agreement.