downloading, together with the license keys that allowed for unlimited use of such software by
downloaders, whether they were authorized to use the software or not, constituted circumvention
of technological measures on the software that restricted access to it and trafficking in
circumvention devices. IBM filed a motion to dismiss the claim, relying on the I.M.S., Egilman,
and R.C. Olmstead cases for the proposition that improper use of a legitimate password issued by
the copyright holder does not constitute circumvention.^1167
The court denied the motion. It found the I.M.S., Egilman, and R.C. Olmstead cases in
conflict with the 321 Studios and the Microsoft v. EEE Business cases from the Northern District
of California with respect to the issue of whether the unauthorized use of an otherwise legitimate
password can constitute circumvention. The court rejected IBM’s argument that the two lines of
cases were not inconsistent on the ground that, in the 321 Studios and Microsoft v. EEE Business
cases, there was no allegation that the parties whose passwords were being used had issued those
passwords to a third party. The court found no basis in 321 Studios for such a distinction, and
noted that Egilman expressly rejected the distinction. Accordingly, the court concluded that the
two lines of cases simply reached contradictory results, and declined to follow the reasoning of
the I.M.S. line of cases. It instead followed the 321 Studios and the Microsoft v. EEE Business
cases, and held that unauthorized distribution of passwords and user-names avoids and bypasses
a technological measure in violation of Sections 1201(a)(2) and 1201(b)(1).^1168
The reasoning of the I.M.S. court – that a password somehow does not fall within
[the analogy to the combination of a locked door used in the DeCSS cases], is not
well-founded. Rather, a combination to a lock appears to be essentially the same
as a password. Nor does the Court find support in the statute itself for drawing a
distinction between passwords and other types of code that might be used for
decryption. Therefore, the Court rejects Defendants’ position. Unauthorized use
of a password may constitute circumvention under the DMCA.^1169
(xxi) Navistar v. New Baltimore Garage
In this case, the plaintiff restricted access to its dealer communication network
and copyrighted material stored therein through use of passwords. The license agreement
for use of the network prohibited sharing with or otherwise distributing passwords to
third parties and using a third party’s password to gain access to the network. The
defendant, a licensee of the plaintiff’s network, violated these prohibitions and shared its
passwords with a third party who used them to log in and gain unauthorized access to
information on the plaintiff’s network. The plaintiff claimed that the defendant’s
provision to the third party with access to the plaintiff’s network through the
unauthorized use of its passwords constituted circumvention of a technological measure
or trafficking in technology designed to circumvent access or copy controls. The court,
noting a split in authority on the issue, ruled that unauthorized use of a valid password
(^1167) Id. at 9-10.
(^1168) Id. at 24-25.
(^1169) Id. at *26.