Website Developer’s Unauthorized Login to Website Not Actionable Under DMCA

In a recent decision, Ground Zero Museum Workshop v. Wilson, a District of Maryland court held that a former website developer who allegedly gained unauthorized access to the plaintiff’s website after a dispute and altered the website did not violate the DMCA’s anti-circumvention provision.  In a familiar fact pattern of the jilted lover, er, I mean website developer, the developer used his password to access the back end of the plaintiff’s website after the two parties had a falling out and the developer resigned.  Then, depending upon whose version of reality you choose to believe, the developer either (1) pulled out the website functionality he had created and left the website in the same condition it was in before he started work or (2) altered the website so that users would think it was no longer functioning and inserted code that would redirect users to various news articles about the plaintiff and its owners.

The plaintiff sued the developer, alleging various causes of action including violation of the DMCA’s Section 1201(a)(1)(A) anti-circumvention provision, fraudulent DMCA infringement notice under Section 512(f) and trespass to chattels.  The district court granted partial summary judgment, dismissing the DMCA claims, but allowing the trespass to chattels claim to proceed to trial.

With respect to the DMCA anti-circumvention claim, the district court held that even if the developer’s access to the website had been unauthorized (a fact that the court found less than clear), unauthorized use of a valid username and password combination cannot constitute a violation of Section 1201. The court, following a line of cases including one from the Southern District of New York, reasoned that mere use of password technology is different from circumvention of that technology. A finding of circumvention, the court explained, requires that a defendant bypass, remove, deactivate, decrypt, avoid or impair the access control measure.

The court also dismissed the fraudulent DMCA infringement notice claim.  Although the notice was clearly inappropriate (the defendant sent a notice based upon the plaintiff’s alleged misuse of trademarks, not copyrighted material), the web hosting ISP never acted on the notice because it had stopped hosting the website by the time the notice was received.

The defendant website developer argued that the trespass to chattels claim was preempted by the Copyright Act. The district court disagreed, noting that the claim required a showing (and the plaintiff had submitted evidence) that it had been deprived of access to or possession of the website, which provided the requisite “extra element” to avoid preemption.

The decision discusses various other claims of interest, including a Computer Fraud and Abuse Act claim.  Here is a copy if you are interested: