Scattered Passwords

A federal court recently ruled that using user names and passwords that do not belong to you is not an illegal act according the Digital Millennium Copyright Act (“DMCA”).

InternetCases.com reports:

Plaintiff Egilman maintained a website that was only available to visitors who entered a correct username and password. He had employed such measures so that only certain people (e.g., his students) would have access. Egilman alleged that, without authorization, the defendants obtained the correct username and password combination, and subsequently gained “improper and illegal” access to the site.

The federal court has made the following statement:

the DMCA and the anti-circumvention provision at issue do not target the unauthorized use of a password intentionally issued by plaintiff to another entity

and:

It was irrelevant who provided the username/password combination to the defendant.

So the bottom line is: If someone is using the correct user name and password on a technical device, they are not breaking the law, even if they got the password illegally.

Resources:
Federal Curt decision (pdf)
InternetCases.com

Share
  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    In this case, it seems DMCA was used as a sort of fishing expedition. The plaintiff could not prove (or did not to attempt to establish) that the defendent knowingly “accessed a protected computer system without authorization” under Title 18, which makes the same a crime.

    Instead, the plaintiff attempted to class using a password that was not issued to you constituted “circumvention of a technological measure that effectively controls access to a protected work” under DMCA.

    The entire line of logic is bullshit, and I wonder what lawyer told this plaintiff to pursue a DMCA claim on this issue. Frankly, a much better case could have been made under United States Code Title 18, Section 1030 Subsection A, Paragraph 4, which imposes penalties upon any individual who:

    “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period”

    DMCA’s vague anti-circumvention provision is not the appropriate legal instrument in this case, and the judge was correct to throw out the action. Had the action been brought in accordance with Title 18 (as competent legal counsel would have done) there would be a much different outcome.

    In this case, the problem is not that the law allows such conduct, but that the plaintiff’s complaint was fundamentally flawed.

  • Pingback: SecuriTeam Blogs » Defining “Authorized”