Anti-circumvention and the Digital Millennium Copyright Act

Information Outlook, June, 1999

The DMCA added sections 1201-1205 to the Copyright Act, titled "Copyright Protection and Management Systems." This particular portion of the Act added prohibitions on circumventing copyright management systems, the most technical and difficult part of the DMCA to understand. This is the only section of the DMCA that has a delayed implementation date - it is not effective until October 28, 2000. It prohibits the manufacture, import, sale, or trafficking in any technology, product, service, device, or component that is primarily designed or produced for the purposes of circumventing a technological measure that effectively controls access to a work. The term "circumvention" is defined as "to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure without the authority of the copyright owner."

There are some important exemptions to this amendment: (1) law enforcement, (2) reverse engineering, (3) encryption research, (4) protection of personally identifying information, and (5) security testing. There is also a minor exemption for libraries, but it likely will have little impact. Law enforcement agencies are not prohibited from disabling copyright management systems in the course of investigating, protecting information security of a government computer, or intelligence gathering. The reverse engineering exemption applies to a person who has lawfully acquired the right to use a copy of a computer program that may require circumvention of a technological measure in order to identify and analyze elements of the program that are necessary to achieve interoperability with other computer programs under certain conditions. Interoperability is defined as "the availability of computer programs to exchange information and of such programs mutually to use the information which has been exchanged."

Encryption research is limited to serious research to advance the state of the knowledge in encryption technology and in the development of encryption products. In order to qualify for this exemption, an act of encryption research must meet several requirements. First, the person must have lawfully obtained the encrypted copy of the copyrighted work or the performance or display of that work. Second, the act must be necessary to conduct such encryption research. Third, the person must have made a good faith effort to obtain authorization before the circumvention; and fourth, the act must not constitute infringement under the Copyright Act or other laws.

If the technological measure, or the work it protects, contains the capability of collecting or disseminating personally identifying information reflecting the online activities of a person, then it is not a violation to circumvent the technological measure. Security testing likewise is exempted from this prohibition against defeating technological protection measures if the information derived from such security testing is used solely to promote the security of the owner or operator of the computer system or network. However, such information derived from the security testing must not be used in a manner that facilitates infringement under the copyright law.

The exemption for nonprofit libraries, archives, and educational institutions grants to those institutions the right to gain access to a commercially exploited copyrighted work that is encrypted or otherwise protected solely for the purpose of making a good faith determination of whether to purchase the work. The library may not retain the work longer than is necessary to make such a determination nor may it obtain a commercial advantage or financial gain by circumventing the technological measure. This exemption appears to offer very little since any vendor who wanted to sell access to a protected work would make it available to the library for the purpose of evaluating whether to acquire access.

The amendment also protects the integrity of copyright management information such as digital watermarking. Knowingly providing false copyright information is prohibited as is the intentional removal or alteration of such information.

The remedies for the anti-circumvention prevention provision are not the usual copyright remedies. An aggrieved party may obtain an injunction and monetary damages. Both actual damages and any additional profits of the violator as well as statutory damages are available, but the statutory damages are unique. For each violation, a successful plaintiff may recover from $200 to $2,500 per act of circumvention. For knowingly providing false copyright management information or removing or altering copyright information, the statutory damages range from $2,500 to $25,000 per act. There are also criminal penalties for willful acts for purposes of commercial advantage or private financial gain that include fines of not more than $500,000 and/or imprisonment for more than five years for the first offense. For subsequent offenses, the fine may not be more than $1 million with imprisonment of not more than ten years. The criminal penalties do not apply to nonprofit libraries, archives, and educational institutions, but presumably libraries in the for-profit sector are subject to the criminal penalties.