Website Developer’s Unauthorized Login to Website Not Actionable Under DMCA

photo credit: The­Re­alMichael­Moore
In a recent deci­sion, Ground Zero Museum Work­shop v. Wil­son, a Dis­trict of Mary­land court held that a for­mer web­site devel­oper who allegedly gained unau­tho­rized access to the plaintiff’s web­site after a dis­pute and altered the web­site did not vio­late the DMCA’s anti-circumvention pro­vi­sion.  In a famil­iar fact pat­tern of the jilted lover, er, I mean web­site devel­oper, the devel­oper used his pass­word to access the back end of the plaintiff’s web­site after the two par­ties had a falling out and the devel­oper resigned.  Then, depend­ing upon whose ver­sion of real­ity you choose to believe, the devel­oper either (1) pulled out the web­site func­tion­al­ity he had cre­ated and left the web­site in the same con­di­tion it was in before he started work or (2) altered the web­site so that users would think it was no longer func­tion­ing and inserted code that would redi­rect users to var­i­ous news arti­cles about the plain­tiff and its owners.

The plain­tiff sued the devel­oper, alleg­ing var­i­ous causes of action includ­ing vio­la­tion of the DMCA’s Sec­tion 1201(a)(1)(A) anti-circumvention pro­vi­sion, fraud­u­lent DMCA infringe­ment notice under Sec­tion 512(f) and tres­pass to chat­tels.  The dis­trict court granted par­tial sum­mary judg­ment, dis­miss­ing the DMCA claims, but allow­ing the tres­pass to chat­tels claim to pro­ceed to trial.

With respect to the DMCA anti-circumvention claim, the dis­trict court held that even if the developer’s access to the web­site had been unau­tho­rized (a fact that the court found less than clear), unau­tho­rized use of a valid user­name and pass­word com­bi­na­tion can­not con­sti­tute a vio­la­tion of Sec­tion 1201.  The court, fol­low­ing a line of cases includ­ing one from the South­ern Dis­trict of New York, rea­soned that mere use of of pass­word tech­nol­ogy is dif­fer­ent than cir­cum­ven­tion of that tech­nol­ogy.  A find­ing of cir­cum­ven­tion, the court explained, requires that a defen­dant bypass, remove, deac­ti­vate, decrypt, avoid or impair the access con­trol measure.

The court also dis­missed the fraud­u­lent DMCA infringe­ment notice claim.  Although the notice was clearly inap­pro­pri­ate (the defen­dant sent a notice based upon the plaintiff’s alleged mis­use of trade­marks, not copy­righted mate­r­ial), the web host­ing ISP never acted on the notice because it had stopped host­ing the web­site by the time the notice was received.

The defen­dant web­site devel­oper argued that the tres­pass to chat­tels claim was pre­empted by the Copy­right Act.  The dis­trict court dis­agreed, not­ing that the claim required (and the plain­tiff had sub­mit­ted evi­dence) show­ing that it had been deprived of access to or pos­ses­sion of the web­site, which pro­vided the req­ui­site “extra ele­ment” to avoid preemption.

The deci­sion dis­cusses var­i­ous other claims of inter­est, includ­ing a Com­puter Fraud and Abuse Act claim.  Here is a copy if you are interested: