Developers of high-end software face a serious piracy risk because software is generally easy to copy. One common technique to control piracy is to require the customer to install a pre-programmed device (a ‘dongle’) onto the computer running the software. (This device often inserts into a USB slot.)

Each time the software is fired up, it checks to see that the proper dongle is attached to the computer. If it is not, the software shuts down. In this way, people who come into possession of an unauthorized copy of the software are prevented from using it.

This mechanism seems like just the sort of technological measure that the authors of the Digital Millennium Copyright Act (DMCA) meant to reinforce. That law makes it illegal to “circumvent a technological measure that effectively controls access to a work protected under this title.”

Software developers often fail to register their works with the Copyright Office. This habit has arisen because developers are concerned about the requirement to deposit source code with the Copyright Office; because software is constantly being modified, so there is a continuous need to update the filing (what a hassle!); and because of a belief that technological measures are sufficient to prevent copying. If technology stops the pirate, why bother with copyright registration?

Developers going down this path have also had backup legal protection in the DMCA, which affords many of the same remedies as copyright infringement without the need to register with the Copyright Office.

In our September IP Update, we reported on the Fifth Circuit’s opinion in MGE UPS Systems Inc. v. GE Consumer and Industrial Inc., involving software that had been hacked so that it would not check to see if an authenticating dongle was attached to the computer on which the software was running. The sole issue on appeal was whether this conduct violated the DMCA. To our surprise, the Fifth Circuit ruled that it did not.

There was no question that the dongle was a technological measure. Nor was there any doubt that the software was a work protected under the Copyright Act. The only question, for the purpose of determining whether there had been a DMCA violation, was whether the dongle in question controlled “access” to the software.

In its original decision, the court embarked on a philosophical frolic to conclude that the dongle controlled access only for the purpose of running the software, which, it said, is not the kind of access that the authors of the DMCA intended to prohibit. In the court’s view, the DMCA bars only access for the purpose of making unauthorized copies of software, so running the hacked software was not a violation.

Never mind that the copy of the software being used was clearly unauthorized, since it had been hacked so as to avoid checking for the presence of the dongle. Never mind that the DMCA does not speak in terms of copying, but in terms of access, and that operating the software would seem to fall within any common sense understanding of “access”.

Finally, the opinion’s reliance upon the theory that there is no relationship between the dongle and unauthorized copying ignored the generally accepted notion [1] that a computer must copy the software into its memory in order to operate it, and that such copying without permission of the copyright holder is indeed a violation of the Copyright Act. If the dongle had not been circumvented, most of the code would never have been copied to memory from the storage device on which it resided. So nearly every facet of the court’s logic was flawed.

Well, someone on the Fifth Circuit must have had second thoughts about their startling opinion. On September 29, it was quietly replaced with a revised opinion that deleted the troubling analysis of what constitutes “access” to software. Instead, the court reaches the same conclusion – no DMCA violation – by noting that the record did not show that the company running this hacked software was the company that had hacked it.

This opinion makes no more sense than the one that it replaced. How can it be said that running software that has been hacked not to check for a dongle does not fit the description of what the DMCA forbids? After all, the list of DMCA requirements is slim. There must be:

1. Circumvention (check)
2. Of a technological measure (check)
3. That effectively controls access (check)
4. To a work protected by copyright (check).

Nowhere in the DMCA is there a requirement that the circumvention be engineered by the defendant, only that the defendant in fact circumvent the technology designed to control access to the copyrighted work.

If the analysis of this newly-minted Fifth Circuit opinion were to gain traction elsewhere, then the use of any device that circumvents attempts to prevent piracy would fall outside of the DMCA as long as the user of that device bought it from someone else. Surely the authors of the DMCA thought that they were outlawing the burglar, not just the fellow who sold him his tools.

Where does this leave software developers? Out of concern that the peculiar logic of the Fifth Circuit might prove contagious, the time has come for developers to take a second look at registration of software with the copyright office. Copyright infringement offers most of the remedies available under the DMCA and an enhanced chance that the defendant will ultimately be responsible for the developer’s legal fees in enforcing his rights. The deposit requirements of the Copyright Office are not onerous, and the advantage to be gained by registration is significant.