Opinion
Civil Action No. 06-2490 (GEB)
11-04-2011
NOT FOR PUBLICATION
MEMORANDUM OPINION
BROWN, Chief Judge
This case comes before the Court upon Defendants' Telecom Labs Inc., TeamTLI Corp., Continuant, Inc., Douglas Graham, Scott Graham, and Bruce Shelby (collectively "TLI/C" or "Defendants") Motion for Partial Summary Judgment Dismissing Avaya's Fifth Cause of Action (DMCA Claims) (Dkt. No. 294), and Plaintiff Avaya, Inc.'s Motion to Strike Volume II of Defendants' Statement of Undisputed Material Facts in Support of their Motion to Dismiss Avaya's DMCA Claims and the July 24, 2011 Certification of Scott Graham (Dkt. No. 282). The Court has considered the parties' submissions and decided the matter without oral argument pursuant to Federal Rule of Civil Procedure 78. For the reasons set forth below, the Court grants in part and denies in part Defendants' Motion. The Court also denies as moot Plaintiff's Motion to Strike.
I. Background
This case involves the Defendants' access to proprietary maintenance software that Plaintiff Avaya, Inc. ("Avaya") and its predecessors developed and embedded in complex telephony systems that they designed, manufactured, and sold. (Def.'s Statement of Undisputed Material Facts Vol. I ("SUMF") ¶¶ 1, 7.) Avaya continues to sell software systems through a network of "BusinessPartners" ("BPs") who are authorized to resell and service Avaya products. (Id. at ¶ 9.) When selling a telephone system, Avaya licenses rights to use the copyrighted system and maintenance software to end-users and BPs. (See 4th Am. Compl. ¶¶ 49-53.) Telecom Labs, Inc. ("TLI") was a BP from 1996 to 2003, but Continuant, Inc. ("Continuant") has never been a BP. (Id. at ¶¶ 162-67.) Both TLI and Continuant have provided maintenance for Avaya telephony systems. (Id. at ¶ 193.)
1. Avaya's PBX System
Avaya's private branch exchange ("PBX") system is the subject of this DMCA summary judgment motion. (Id. at ¶ 6.) PBX systems are voice switching systems used by mid-to large-sized companies, and they connect the public voice network with telephones and other communication stations at company locations. (Id. at ¶ 8.) A PBX system is composed generally of hardware, firmware, and software. (Id. at ¶ 13.) There are three main software functions: call processing, administration, and maintenance. (Id. at ¶ 27.) The maintenance software itself has several functions including those that run in the background continuously, those that periodically check and test the system at certain intervals, and those that can be run with on-demand commands. (Id. at ¶ 34.)
In order to use PBX software functions, a user must first acquire a login combination, comprising a username and password. (Id. at ¶¶ 41, 42.) Avaya personnel receive an "INT," "INADS," or "CRAFT" service login. (Id. at ¶ 42.) Avaya BPs are provided with a "DADMIN" login. (Id. at ¶ 43.) And Avaya provides owners or end-users of PBX systems with "customer-level logins." (Id. at ¶ 45.) Each level or class of logins provides access to a different range of software functions.
There are three classes of Avaya personnel service logins. (Id. at ¶ 46.) The INIT login can access the broadest set of functions, the INADS level can perform only certain maintenance functions, and the CRAFT level can access a subset of the maintenance functions that INADS is capable of accessing. (Id. at ¶¶ 47-49.) Service logins are active from the start of PBX installation and initially have a "default" password hard-coded for the system, which the user later changes to one of his own choosing. (Id. at ¶ 50; Pl.'s Responsive Statement of Undisputed Material Facts ("RSUMF") at ¶ 50; Doc. No. 351-1).
An Avaya BP gains access to a PBX system using a DADMIN login. (Id. at ¶ 76.) But the DADMIN login must first be "turned on" or "enabled" for each PBX system. (Id. at ¶¶ 78-79.) In order to turn on a DADMIN login, a BP must submit a request to Avaya with the permission of the PBX end-user. (Id. at ¶ 80.) Avaya then activates the DADMIN login for the specific system requested and issues a username and a "default" password, which the BP may later change to one of its own choosing. (Id. at ¶¶ 80, 89.) In later PBX versions, a second CRAFT-level login was developed. (Id. at 92.) To create that second level, a CRAFT-level login user adds a username and designates it as a service-level login. (Id. at ¶ 93.) DADMIN login users are given the ability to create such a second CRAFT-level login. (Id. at ¶ 94.)
Customer-level logins have evolved over time. Early PBX systems had a defined number of distinct logins termed "cust," "rcust," "browse," and "nms." (Id. at ¶¶ 60-62.) The earliest systems had several of these logins, representing both the username and password. (Id. at ¶ 60.) Later, each login had one associated, customer-designated password. (Id. at ¶65.) Eventually, Avaya employed administrable logins, which have two levels: the super-user and the non super-user, each associated with different system permissions. (Id. at ¶¶ 69, 70.) Customer-level login users have "Maintenance Software Permissions" ("MSPs") that allow the user to access functions that facilitate performance of most maintenance functions, but MSPs generally must be "turned on" or "activated" by Avaya. (Id. at ¶¶ 73, 74.)
The conventional username-password security feature in the PBX system was altered in the late 1990s when Avaya incorporated an Access Security Gateway ("ASG") Key into the login scheme. (Id. at ¶ 11). Under this security measure, the traditional username (e.g., DADMIN) remains, but the password requires a different type of authentication mechanism. (Id. at ¶ 189; Pl.'s RSUMF at ¶ 50.) Upon attempting to login, the user is given a "challenge." (Id.) To satisfy the challenge, the user must enter the correct "response," consisting of a string of numbers; however, the response changes for each login attempt. (Id.) To get the correct response each time, the user enters the ASG challenge into a device that contains ASG software. (Id.) The software uses an algorithm and numeric key to translate the challenge into the correct response, which is then entered into the prompt to gain access to the system. (Id.) After the ASG Key security measure was implemented, Avaya no longer needed to hard code a "default" password for new users. (Id.) However, PBX software can still be accessed from a terminal at the PBX system's location using a traditional CRAFT login. (Id.)
2. Defendants' PBX Access and Maintenance Activities
TLI began operations in 1996 and, around that time, signed an agreement to become an Avaya BP. (Def.'s SUMF at ¶ 162.) In 2001, TLI established a network operations center and began to sell post-warranty maintenance contracts for Avaya PBXs. (Id. at ¶ 164.) TLI's last BP agreement with Avaya was terminated in late 2003. But TLI and Continuant, who was assigned pre-existing contracts, continued to provide maintenance for Avaya PBX systems even after Avaya terminated its agreement with TLI in 2003. Defendants readily admit accessing the 1,299 PBX systems of their end-user customers to provide maintenance services. (See, e.g., id. at ¶ 193.)
Defendants assert that they obtained active PBX system logins from sources including: (1) Avaya, while TLI was a BP; (2) Avaya BPs; (3) its end-user customers; (4) commonly-known and public default passwords; (5) customer-stored information in PBX systems; (5) a third party who interpreted PBX system files, called "translations;" and (6) through an employee in possession of an ASG Key. (Id. at ¶ 169; Pl.'s RSUMF ¶ 170; Pl.'s Supplemental Statement of Undisputed Material Facts ("SSUMF") ¶¶ 32-36, 40, 43, 56; Doc. No 351-5). Plaintiff does not dispute that Defendants used these methods; instead Plaintiff argues that Defendants mischaracterize the authority and legality by which the methods were carried out.
First, Defendants maintain that DADMIN or CRAFT logins were obtained from Avaya when TLI was a BP. (Id. at ¶ 170.) While Avaya does not dispute this fact as literally stated, it does assert that continued use after TLI's BP status was terminated was unauthorized and illegal. (Pl.'s RSUMF at ¶ 170.) Additionally, Avaya argues that Continuant was never a BP, and as such, Continuant was never authorized to use DADMIN logins. The parties do not dispute that TLI/C continued to use the DADMIN logins to provide maintenance after TLI was terminated as a BP. (Pl.'s RSUMF at ¶ 173.)
Second, Defendants state that they also obtained DADMIN logins from three current, authorized BPs—Xeta Technologies, CTAP, and Consolidated Ventura, Inc. (Def.'s SUMF at ¶ 174.) The current BP would submit a request to Avaya to reset a DADMIN password, and Defendants accessed the PBX systems using the reset password given to Defendants by the current BP. (Id. at ¶¶175-76.) Avaya objects to Defendants' characterization of this process. Avaya asserts that Defendants knew that they could not successfully submit DADMIN request forms themselves because Defendants were not BPs; rather, Defendants secretly conspired with current BPs to submit login requests "to fool Avaya" in to enabling the DADMIN login. (Pl.'s RSUMF at ¶ 17.)
Third, Defendants state, and Plaintiff does not contest, that Defendants accessed customer PBX systems by the use of DADMIN, CRAFT, and CRAFT-level logins provided by customers. (Def.'s SUMF at ¶¶ 177-78.) But Plaintiff asserts that these logins were not "valid" in the sense that Defendants were authorized to use them simply by virtue of the customers having offered them. (Pl.'s RSUMF at ¶ 177.) As such, Avaya contends that Defendants' use was unauthorized. (Id.)
Fourth, Avaya security staff acknowledged that users sometimes failed to change the hard-coded default passwords to one of their own choosing. (Def.'s SUMF at ¶ 104.) Defendants assert, and Avaya does not contest that CRAFT login default passwords were occasionally disclosed in Internet chatrooms, on telephone bulletin boards, and in publicly available documents. (Id. at ¶¶ 99-102.) And the parties agree that those passwords could be found through a Google search. (Id. at ¶ 103.)
Fifth, Defendants state that they retained D2 Communications and its principal David Creswick, a former AT&T employee, to help Defendants extract passwords from PBX system "translations." (Id. at ¶183.) Translations are portable data files on PBX systems that contain information about the version in use by the end-user. (Id. at ¶¶ 105, 108.) One has the ability to extract data from the translation, and Defendants retrieved passwords using that method. (Id. at ¶ 113.) Defendants provided Mr. Creswick with a copy of a PBX system's translation from which he identified a working login and gave that login to Defendants. (Id. at ¶ 183.) Avaya claims that Mr. Creswick, and later Defendants themselves, used the extraction procedure to retrieve passwords from encrypted outputs. (Pl.'s RSUMF at ¶ 183.) In addition, Avaya states that Mr. Creswick was also hired to secretly enable MSPs and/or DADMIN logins from translations. (Pl.'s SSUMF at ¶ 43.) TLI/C claims this was done rarely and only by or with the consent of the PBX end-user. (Def.'s Response to Pl.'s SSUMF at ¶ 43; Doc. No. 408-1.)
Sixth, Defendants assert that they gained access to PBX systems using an ASG Key. (Def.'s SUMF at ¶ 184.) Harold Hall, who is an employee of TLI/C and independent contractor of Avaya, used an Avaya-issued ASG Key to gain access to high level logins in order to change DADMIN or CRAFT login passwords. (Id.) Mr. Hall used an ASG Key "fob," which is a type of security token with a built-in authentication mechanism that successfully responds to an ASG challenge for certain PBX systems. (Id. at ¶ 189.) Avaya insists that Mr. Hall improperly and without authorization used the ASG Key in this capacity. (Pl.'s RSUMF ¶ 190.)
Finally, Defendants recommended that PBX system end-users install a type of lock and key device called a "Guardian." (Def.'s SUMF at ¶¶ 216-17.) The Guardian is described by Defendants as an external security device that requires a pin code in order to gain remote access to the PBX system. (Id.) It protects a customer's direct access line (the "INADS" line) from intrusion by preventing anyone without the pin code from remotely accessing the system. (Id. at ¶ 219.) Avaya contends that the purpose of the Guardian, as recommended and sold by Defendants, is to prevent Avaya from remotely accessing PBX systems to disable unauthorized DADMIN logins and MSPs. (Pl.'s RSUMF at ¶ 217.)
II. Discussion
A. Standard of Review
A party seeking summary judgment must "show that there is no genuine issue as to any material fact and that the movant is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(c); see also Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986); Hersh v. Allen Prods. Co., 789 F.2d 230, 232 (3d Cir. 1986). The threshold inquiry is whether there are "any genuine factual issues that properly can be resolved only by a finder of fact because they may reasonably be resolved in favor of either party." Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 250 (1986) (noting that no issue for trial exists unless there is sufficient evidence favoring the nonmoving party for a jury to return a verdict in its favor); Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 586 (1986) ("[the] purpose of summary judgment is to 'pierce the pleadings and to assess the proof in order to see whether there is a genuine need for trial.'"). In deciding whether triable issues of fact exist, a court must view the underlying facts and draw all reasonable inferences in favor of the nonmoving party. Matsushita Elec. Indus. Co., 475 U.S. at 587; Pa. Coal Ass'n v. Babbitt, 63 F.3d 231, 236 (3d Cir. 1995); Hancock Indus. v. Schaeffer, 811 F.2d 225, 231 (3d Cir. 1987). However, the nonmoving party "may not rest upon the mere allegations or denials of his pleading, but his response, by affidavits or as otherwise provided in this rule, must set forth specific facts showing that there is a genuine issue for trial. If he does not so respond, summary judgment, if appropriate, shall be entered against him." Matsushita, 475 U.S. at 586.
B. Digital Millennium Copyright Act
Avaya asserts claims under each of the DMCA's three anti-circumvention provisions— §§ 1201(a)(1), 1201(a)(2), and 1201(b)(1)—contending that Defendants' maintenance activities circumvent effective technological measures controlling access to works and rights protected under the Copyright Act. The Court will address each of these claims in turn. First, however, the Court will address the parties' arguments relating to an initial threshold inquiry to § 1201 analysis.
1. The Court Declines to Engage in a Threshold Inquiry
The threshold inquiry would involve the Court analyzing whether there is a "nexus" between Defendants' conduct and copyright infringement. But imposing a threshold inquiry for all DMCA anti-circumvention claims would require the Court to read into the statute language that Congress did not clearly intend. Defendants acknowledge that the "nexus requirement" is not explicitly mandated by the plain language of § 1201, but they nonetheless argue in favor of it. (Def.'s Br. at 22; Doc. No. 295.) The Third Circuit has not addressed this issue, and at least two circuits disagree as to whether a nexus is required.
Defendants argue, based on a reading of Murphy v. Millennium Radio Grp. 650 F.3d 295 (3d Cir. 2011), that the Third Circuit would readily apply the Federal Circuit's § 1201 nexus requirement. But Murphy provided only a cursory overview of § 1201 as the case was focused primarily on DMCA § 1202. Id. at 301. As such, this Court cannot consider Murphy as a logical extension of Chamberlain. In fact, the Third Circuit specifically refused to read into § 1202 a requirement advocated by one of the parties where no such requirement was expressed in the plain language of the statute. Id. at 302. If anything, the Third Circuit approach to statutory construction is on par with the Ninth Circuit's approach in MDY.
Defendants rely on Federal Circuit case law requiring "a reasonable relationship between the circumvention . . . and a use relating to protected rights." Chamberlain Group, Inc. v. Skylink Techs., Inc., 381 F.3d 1178, 1204 (Fed. Cir. 2004). The Chamberlain court reasoned that the DMCA "[does] not establish a new property right." Id. at 1192. Instead, the court stated that the § 1201 provisions "simply provide property owners with new ways to secure their property." Id. at 1194. The court found that the statute "links" "access to protection," and so imposing a nexus requirement achieves the balance that Congress sought to establish between "content creators and information users." Id. at 1194, 1196.
However, this Court agrees with the Ninth Circuit, which has refused to impose the threshold requirement. See MDY Indus., LLC v. Blizzard Entm't, Inc., 629 F.3d 928, 950 (9th Cir. 2010). The MDY court reasoned that it was "unable to follow [the Federal Circuit] approach because it is contrary to the plain language of the statute" and is "based on policy concerns that are best directed to Congress . . . ." Id. The MDY court and this Court recognize the concerns raised by the Defendants in this case that absent a reasonable relationship test, a copyright holder could "leverage its sales into aftermarket monopolies." See Chamberlain, 381 F.3d at 1201. But concerns that a copyright holder will use his DMCA rights to create a monopoly are, of course, externally limited by antitrust law. Indeed, antitrust law is an issue in this case, quieting concerns that anti-competitive behavior would go unchecked.
Additionally, the Ninth Circuit noted that the plain language of the statue was supported by the DMCA's legislative history. See id. at 946-48 (citing to several House and Senate reports distinguishing the anti-circumvention rights created in the DMCA from "traditional copyright rights."). For example, in an effort to move the DMCA out of Title 17 of the U.S. Code, a House Report stated that "these regulatory provisions have little, if anything, to do with copyright law. The anti-circumvention provisions . . . would be separate from, and cumulative to, the existing claims available to the copyright owners." H.R. Rep. No. 105-551, pt. 2, at 23-24 (1998).
The Court declines to impose a threshold inquiry for the reasons set forth in MDY—the plain language of § 1201 imposes no nexus requirement and it would be inappropriate to manufacture one. This Court's conclusion follows the settled practice of statutory construction requiring a court to apply statutory language if it is plain and unambiguous. See Johnson v. United States, 529 U.S. 649, 723 (2000). "We have stated time and again that courts must presume that a legislature says in a statute what it means and means in a statute what is says there." Arlington Cent. Sch. Bd. v. Murphy, 584 U.S. 291, 296 (2006) (citing Conn. Nat'l Bank v. Germain, 503 U.S. 249, 253-54 (1992)). To consider legislative history or the court's own sense of policy as dispositive of an issue is inappropriate. See Garcia v. U.S., 469 U.S. 70, 76 (1984). "Generally, where the text of a statute is unambiguous, the statute should be enforced as written and only the most extraordinary showing of contrary intentions in the legislative history will justify a departure from that language." Murphy, 650 F.3d at 302 (quoting In re Philadelphia Newspapers, LLC, 599 F.3d 298, 314 (3d Cir. 2010)).
Nothing in § 1201 requires that there be a reasonable relationship between circumvention and copyright infringement, and there is no extraordinary showing of Congress's intent otherwise. Rather, both the statutory language and the legislative history evidence Congress's intent that the new anti-circumvention right is distinct from claims stemming from infringement of a copyright. See MDY, 629 F.3d at 950. Consequently, the Court declines Defendants' invitation to require a threshold inquiry for the DMCA's anti-circumvention provisions.
2. Avaya's Claim Under § 1201(a)(1)
Avaya first asserts a claim under § 1201(a)(1), which provides, "[n]o person shall circumvent a technological measure that effectively controls access to a work protected under this title." To successfully establish a violation of § 1201(a)(1), a plaintiff must demonstrate (1) that the defendants' actions constitute circumvention, and (2) that the circumvention was of an effective technological measure.
a. Circumvention of a Technological Measure
Under the DMCA's "access" provisions—§§ 1201(a)(1) and 1201(a)(2)—to "circumvent a technological measure" means to "descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, deactivate, or impair a technological measure, without the authority of the copyright owner." 17 U.S.C. § 1201(a)(3)(A).
(1) TLI/C's Use of Logins and ASG Keys
The parties disagree as to whether the unauthorized use of a login combination constitutes circumvention under the statute, an issue of law. There is no material dispute over the fact that TLI/C used login combinations to gain access to PBX software, at times by use of an ASG Key; and while the parties appear to dispute whether TLI/C was authorized to use the login combinations and ASG Key, this by itself is not dispositive, as further explained below. Neither the Third Circuit nor this Court have addressed this precise issue, but several district court cases are instructive.
In I.M.S., the plaintiff brought an action claiming that the defendant violated § 1201(a)(1) when it accessed plaintiff's computer system using a valid login and password. I.M.S. Inquiry Mgmt. Sys. v. Berkshire Info. Sys., Inc., 307 F. Supp. 2d 521, 531 (S.D.N.Y. 2004). Specifically, I.M.S. alleged that Berkshire obtained login and password information issued to authorized users of the I.M.S. computer system, thereby "knowingly inducing that third party to breach an agreement with I.M.S." Id. at 523. In determining whether that conduct constituted circumvention, the court noted that the DMCA's inclusion of "avoid" and "bypass" in the definition of circumvention does "connote broader application." Id. at 532. But the court distinguished the definition from the defendant's conduct. Id. "More precisely and accurately, what defendant avoided and bypassed was permission to engage and move through the technological measure from the measure's author." Id. (emphasis in original). Ultimately, the defendant did not "avoid" or "bypass" the technology; he intentionally used it, despite "the impropriety." Id. at 533.
Other district courts have agreed with I.M.S. In Egilman, the court held that, regardless of how a login/password combination is obtained, such "unauthorized use of a technological measure without the authority of the copyright owner" does not fall within the definition of circumvention and therefore does not constitute a violation of § 1201(a)(1). Egilman v. Keller & Heckman, LLP, 401 F. Supp. 2d 105, 113-14 (D.D.C. 2005). The Northern District of Ohio found I.M.S. to be "persuasively reasoned," holding that the defendant in that case did not circumvent an effective technology when defendant "used a username and password that it was issued by" the plaintiff. R.C. Olmstead, Inc. v. CU Interface, LLC, 657 F. Supp. 2d. 878, 888-89 (N.D. Ohio 2009).
While not directly presented with a login/password access system, several cases yield results that appear incompatible with the I.M.S. line of cases. For example, in 321 Studios v. MGM Studios, Inc., the court determined that 321 Studio's software sales circumvented an effective technological measure in violation of §§ 1201(a)(2) and 1201(b)(1). See 307 F. Supp. 2d 1085, 1098 (N.D. Cal 2004). The software used keys licensed for use in DVD players to access the DVDs to be read and copied. Id. at 1089-90. The court stated that "while 321's software does use the authorized key to access the DVD, it does not have authority to use this key, as licensed DVD players do, and it therefore avoids and bypasses" the encryption measure. Id. at 1097. Similarly, the court in EEE Business found circumvention under § 1201(a)(2) where the defendant sold programming enabling a user to enter a 25-character alphanumeric code, which was required to be kept confidential under the terms of a licensing agreement. Microsoft Corp. v. EEE Business Inc., 555 F. Supp. 2d 1051, 1059 (N.D. Cal 2008). "By distributing [the 25-character alphanumeric code] without authorization, [the defendant] effectively circumvented Microsoft's technological measure to control access to a copyright work in violation of the DMCA." Id.
The Court disagrees with the reasoning in 321 Studios and EEE Business because those cases conflate the issues of authorization and circumvention. The act of circumvention, as defined in § 1201(a)(3)(A), does not turn on authorization alone. Gaining access to a protected work without authorization, by itself, is insufficient to constitute a DMCA violation. The Court also must determine whether a defendant descrambled a scrambled work, decrypted an encrypted work, avoided, bypassed, removed, deactivated, or impaired the login scheme.
In this case, the login method of access used by Defendants is indistinguishable from I.M.S. and Egilman. Regardless of how TLI/C obtained usernames or passwords—be it from its customers, current BPs, PBX translations, or the Internet—it used those logins to access maintenance functions. The same is true for the use of the ASG Key. Apart from how TLI/C got a hold of the ASG Key, it nonetheless used it to login to PBX systems. Had TLI/C avoided the necessity of physically entering a username, password, or ASG response altogether to access PBX systems functions, this would be a different case. See Healthcare Advocates Inc. v. Harding, Earley, Follmer & Frailey, 497 F. Supp. 2d 627, 644 (E.D. Pa. 2007) (reasoning that the terms bypass and avoid, "imply that a person circumvents a technological measure only when he affirmatively performs an action that disables or voids the measure that was installed to prevent them from accessing the copyrighted material."). However, like in I.M.S. and Egilman, what TLI/C did was to avoid asking permission to access PBX systems.
Avaya states that TLI/C, with the help of Mr. Creswick, decrypted some PBX translations to obtain passwords, but there is no claim that this action by itself was circumvention of a technological measure.
Despite whatever impropriety Avaya attaches to unauthorized access, it alone cannot give rise to a DMCA violation. Hence, it is not dispositive for purposes of the DMCA summary judgment motion that Avaya contests the legality of TLI/C's acquisition of login information or an ASG Key. Additionally, while there may be questions of fact regarding when methods of access were used by TLI/C and with which customers, this is not a material issue of fact because those questions would not affect the Court's legal conclusion. Consequently, there is no genuine issue of material fact surrounding TLI/C's access of its customers' PBX systems with logins and ASG Key responses. Defendants' use of the login scheme and ASG Key, as a matter of law, do not constitute circumvention under § 1201(a)(1) of the DMCA.
(2) TLI/C's Restoring of Enabled MSPs
The parties next disagree whether restoring enabled MSPs on PBX systems constitutes circumvention. It is not disputed that TLI/C re-enabled MSPs on customers' PBX systems by restoring back up translations. TLI/C states that the process by which it enables MSPs is essential for backing up data and restoring a PBX system. Because it uses the backup and restore process "as it was technologically designed," TLI/C concludes that it "cannot be viewed as a circumvention." (Pl.'s Br. at 41; Doc. No. 295.) But Avaya contends that this is circumvention, arguing that activating an MSP that had previously been deactivated amounts to avoiding, bypassing, or otherwise impairing a technological measure. (Def.'s Br. at 46; Doc. No. 351.)
Under §1201(a)(3)(A), one circumvents a technological measure by, inter alia, "deactivat[ing]" the measure, and in this case, TLI/C does just that. By restoring the activated MSPs itself, TLI/C essentially deactivates the measure that Avaya put in place to prevent access to PBX software functions. Put simply, TLI/C turns on an access switch that Avaya has turned off, thereby "deactivating" the measure. While TLI/C does not explicitly state that it does so without Avaya's authorization, that is a reasonable inference to draw in favor of Avaya, as well as a fair reading of TLI/C's briefs to the Court. Specifically, TLI/C notes that PBX systems either are delivered with MSPs activated or they can be remotely activated upon request. (Def.'s SUMF ¶¶ 74, 80.) So it may be reasonable inferred that if TLI/C is itself activating MSPs, the PBX systems had not already been activated by Avaya, nor were MSPs supposed to be activated. Consequently, restoring a PBX system so as to re-activate software permissions without authority constitutes circumvention.
The process by which TLI/C itself enables MSPs is both factually and legally distinct from TLI/C's practice of asking authorized BPs to request activated logins from Avaya. Whatever the impropriety and/or legal consequences outside of the DMCA, the later method of access falls under the I.M.S. line of cases as explained above.
--------
b. Effective Technological Measures
Circumvention of a measure put in place by a copyright holder is necessary, but not sufficient to give rise to a §1201(a)(1) violation. The measures put in place must be "technological measures that effectively control access to a work." 17 U.S.C. §1201(a)(1). A measure effectively controls access to a work "if the measure, in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work." Id. § 1201(a)(3)(B). The Third Circuit has not yet had the opportunity to address this requirement.
Defendants claim that Avaya's technological measures for its PBX systems are not "effective" as required by the DMCA. (Pl.'s Br. At 46; Doc. No. 295.) Defendants rely on the Sixth Circuit's opinion in Lexmark Int'l, Inc v. Static Control Components, Inc., 387 F.3d 522 (6th Cir. 2004). That case dealt with a printer and associated programming manufactured by the plaintiff that would function only with printer cartridges that were sold by the plaintiff. Id. at 529-30. The defendant sold a microchip that allowed the printer's programming to function with cartridges manufactured elsewhere by satisfying the programming's authentication requirement. Id. at 530-31. The court held that the authentication sequence was not an effective technological measure because it was the purchase of the printer, not the authentication sequence that protected access to the programming code. Id. at 546.
Anyone who buys a Lexmark printer may read the literal code of the [program] directly from the printer memory, with or without the benefit of the authentication sequence, and the data from the program may be translated into readable source code after which copies may be freely distributed . . . . The authentication sequence, it is true, may well block one form of "access"—the "ability to . . . make use of" the [program] by preventing the printer from functioning. But it does not block another relevant form of "access"—the "ability to obtain" a copy of the work or to 'make use of the literal elements of the program (its code).Id. at 546-47 (internal citations omitted). Thus, a technological measure, in order to be effective, must prevent all forms of access to a work. (Def.'s Br. at 47; Doc. No. 295.) As in Lexmark, Defendants contend that it is the purchase of a PBX system that allows a user to access the PBX software and concurrently view and copy the software code. (Id. at 51-52.) Avaya contends that a login must be recognized before a user can access any of the software on the PBX system. (Pl.'s Opp. Br. at 4; Doc. No. 351.)
The Court agrees with Defendants' position and the reasoning of the Sixth Circuit. In the ordinary course of operation, Avaya's login combinations, activation/deactivation mechanisms, and its ASG Key authentication system do not prevent all forms of access to the protected work. To be precise, those measures prevent access to PBX system functions (e.g., performing maintenance), but no login is needed to access the copyrighted aspect of the software—the source and object code. As the Lexmark and MDY courts aptly explained, "[j]ust as one would not say that a lock on the back door of a house 'controls access' to a house whose front door does not contain a lock . . . , it does not make sense to say that this provision of the DMCA applies to otherwise-readily-accessible copyrighted works." MDY, 629 F.3d at 952-953 (quoting Lexmark, 387 F.3d at 547).
Avaya points to an additional feature of its software in an attempt to distinguish this case from Lexmark and to try to demonstrate its measures protect all forms of access to protected works. Specifically, Avaya states that the PBX software generates a graphical user interface screen display ("GSD"), an example of which appears below, that includes layouts and designs and that allow the user to navigate the software's features and execute commands. (Pl.'s SUMF ¶ 63.) Avaya's measures control access to the PBX interface, which it argues is an independently copyrightable work.
Avaya sets forth three arguments in support of its conclusion that its screen shots are copyrightable. First, Avaya compares its screen displays to the audiovisual displays that were part of the World of Warcraft video game at issue in MDY. But the screen displays submitted by Avaya are not akin to the non-literal elements (video-game images and sounds) at issue in MDY, which found a DMCA violation where circumvention resulted in a user's ability to "call up and listen to the roar a particular monster makes within the game." MDY, 629 F.3d at 952. As is apparent from the appearance of PBX screenshots, the "GSD" is actually no more than a character-based interface, far different than the visually complex and unique World of Warcraft animation.
Second, Avaya argues that it is the policy of the U.S. Copyright Office that copyright registration of a computer program extends to non-literal elements of the program. See 36 Pat. Trademark & Copyright J. (BNA) 155 (1988). While one copyright registration may cover two copyright works under Copyright Office guidelines, the Copyright Office made clear in a later announcement that "to be regarded as an original work of authorship, a work must contain at least a minimum amount of original . . . material" and consequently that "menu screens and similar functional interfaces consisting of words or brief phrases in a particular format are not registrable." 38 Pat. Trademark & Copyright J. 1 (1989).
Finally, Avaya cites the Third Circuit's decision in Whelan Associates, Inc. v. Jaslow Dental Lab, Inc., 797 F.2d 1222 (3d Cir. 1986), for the proposition that screen pages generated by copyrighted software are literary or audiovisual works entitled to copyright protection. Whelan held that "copyright protection of computer programs may extend beyond the programs' literal code to their structure, sequence, and organization." Id. at 1248 (emphasis added). With respect to screen outputs specifically, the court merely stated that they can be "indirect, inferential evidence of the nature of the material covered by another copyright." Id. at 1244. Consequently, Whelan teaches that copyright protection for a screen display does not automatically flow from copyright of the software code, but that, like all works, screen displays must meet the basic Copyright Act requirements.
Therefore, in order for Avaya's character-based interfaces to be copyrightable, they must be an "original work[] of authorship fixed in any tangible medium of expression." 17 U.S.C. § 102(a). Yet the PBX screen displays lack originality because they are confined to defined lines of text and columns out of a need for efficiency and as a result of technical and functional limitations. Hence, it would be incorrect to say that a PBX screen display "owes its origin" to the author. See Burrow-Giles Lithographic Co. v. Sarony, 111 U.S. 53, 58 (1884). PBX screen displays are the product of technical constraints and functional considerations, not original, aesthetic-minded choices. The short phrases, typographical ornamentation, and minimal coloration lack originality, and thus are not protectable by copyright. See 37 C.F.R. § 202.1(a); Manufacturer's Tech., Inc. v. Cams, Inc., 706 F. Supp. 984, 990-98 (D. Conn. 1989); New Haven Copper Co. v. Eveready Machinery Co., No. 85-661, 1986 U.S. Dist. LEXIS 30103, at *11 (D. Conn. Jan. 23, 1986); see also Apple Computer v. Microsoft Corp., 35 F.3d 1435, 1444 (9th Cir. 1994) (distinguishing a copyrightable graphical user interface, which requires artistry and creativity, from a character-based interface). Accordingly, the screen displays are not works protected under the Copyright Act, and thus, it is irrelevant whether Avaya's technological measures prevent access to them.
In sum, the Court finds that, as a matter of law, Avaya's technological measures are not effective. None of the technological measures prevent an end-user from accessing the object or source code of the PBX system software. Logins limit access only to system functions; the ASG Key is a more advanced variation of the login scheme providing access to the same functions; and Avaya's activation or deactivation of MSPs simply allow the user to access advanced functions that facilitate performance of maintenance. Purchasing the PBX system and software allows access to the code. The technological measures do limit access to functions of the software, but the associated PBX software screen shots are not copyrightable. Therefore, because Avaya's technological measures do not prevent all forms of access to the copyrighted work at issue in this case, there can be no violation of §1201(a)(1).
3. Avaya's Claims Under § 1201(a)(2)
Section 1201(a)(2) is an "anti-trafficking" provision, focusing on whether the defendant trafficked in a device that circumvents an effective technological measure. See Universal City Studios, Inc. v. Corley, 273 F.3d 429, 440 (2d Cir. 2001). Here, Avaya's § 1201(a)(2) claim focuses on the Guardian device. The section provides:
No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—§ 1201(a)(2)(A)-(C).
(A) is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a work protected under this title;
(B) has only limited commercially significant purpose or use other than to circumvent a technological measure that effectively controls access to a work protected under this title; or
(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing a technological measure that effectively controls access to a work protected under this title.
As one court pointed out, "[f]or obvious reasons, § 1201(a)(2) trafficking liability cannot exist in the absence of § 1201(a)(1) violations." Chamberlain, 381 F.3d at 1196, n. 13. That is because § 1201(a)(2) uses the same definitions for "technological measure" and "circumvention" as used in § 1201(a)(1). And each subsection of §1201(a)(2) requires that there exist circumvention of an effective technological measure.
Consequently, Avaya's claim under §1201(a)(2) necessarily relies on its argument that its ability to activate or deactivate software permissions constitutes an effective technological measure. But the Court has already analyzed this argument and rejected it during its analysis of Avaya's § 1201(a)(1) claim. In the ordinary course of operation, the activation mechanism blocks access to software functions, but it does not prevent access to the object or source code— the protected work. See Lexmark, 387 F.3d at 547. Purchasing the PBX system and software is what actually allows access to the protected work. Therefore, as a matter of law, Avaya's activation scheme is not an effective technological measure as that term is defined in § 1201(a)(3)(B), and used in 1201(a)(2)(A)-(C). As a result, Avaya's § 1201(a)(2) claim must fail as a matter of law.
At this point, the Court notes that Defendants' specific methods of accessing each of the 1,299 PBX systems of its end-users were not necessary to the disposition of the claims arising under §§ 1201(a)(1) and 1201(a)(2). Neither Volume II of Defendants' Statement of Undisputed Materials Facts nor the Scott Graham Certification to which Volume II cites were required in order to analyze or decide these claims because the parties did not dispute the facts that were material in the Court's application of the law. While Plaintiff maintains that Defendants' methods of access were unauthorized or illegal, Plaintiff necessarily argues that Defendants gained access in the methods described in the background section of this Court's opinion. As a result, Plaintiff's Motion to Strike is denied moot.
4. Avaya's Claim Under § 1201(b)(1)
Avaya's last DMCA claim is under § 1201(b)(1), which is the only anti-circumvention provision that is rights-protective. Like Avaya's second DMCA claim, the § 1201(b)(1) claim arises from the use of the Guardian device. Section 1201(b)(1) provides:
No person shall manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that—17 U.S.C. § 1201(b)(1). "Section 1201(b)(1)'s prohibition is thus aimed at circumventions of measures that protect the copyright itself: it entitles copyright owners to protect their existing exclusive rights under the Copyright Act." MDY 629 F.3d at 944.
(A) is primarily designed or produced for the purpose of circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof;
(B) has only limited commercially significant purpose or use other than to circumvent protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof; or
(C) is marketed by that person or another acting in concert with that person with that person's knowledge for use in circumventing protection afforded by a technological measure that effectively protects a right of a copyright owner under this title in a work or a portion thereof.
Section 1201(b) employs different definitions than those used in §1201(a). Under § 1201(b)(1), "to 'circumvent protection afforded by a technological measure' means avoiding, bypassing, removing, deactivating, or otherwise impairing a technological measure." 17 U.S.C. § 1201 (b)(2)(A). "A technological measure 'effectively protects a right of a copyright owner under this title' if the measure, in the ordinary course of its operation, prevents, restricts, or otherwise limits the exercise of a right of a copyright owner under this title." Id. § 1201 (b)(2)(B).
a. Technological Measure that Effectively Protects a Right of a Copyright Owner
To prevail on its § 1201(b)(1) claim, Avaya must demonstrate that its ability to activate and deactivate software permissions "effectively protects a right" of Avaya under the Copyright Act. See MDY, 629 F.3d at 954. The rights afforded to copyright owners include reproduction, distribution, public performance, public display, and creation of derivative works. See 17 U.S.C. § 106. Access measures protecting rights can either "attempt to block initial access" or "revoke access if a secondary check determines that access was unauthorized." MDY, 629 F.3d at 943.
Here, Avaya argues that its measures protect against reproduction of its copyrights. Specifically, MSPs for PBX systems prevent access to on-demand maintenance commands, one of which is the "reset level 4" command. That command causes a PBX system to reboot, in turn allowing for the software to be copied into the system's random access memory ("RAM"). See MAI Sys. Corp. v. Peak Computer, 991 F.2d 511, 519 (9th Cir. 1993) ("[T]he loading of software into the RAM creates a copy under the Copyright Act."). Thus, according to Avaya, its security measures in this instance act as copy-control measures.
TLI/C, however, argues that the act of creating a copy of the software code during maintenance is not copyright infringement, and therefore, it cannot be said that Avaya's security mechanisms protect a right under the Copyright Act. To support this conclusion, TLI/C cites to § 117(c), which provides:
It is not an infringement for the owner or lessee of a machine to make or authorize the making of a copy of a computer program if such copy is made solely by virtue of the activation of a machine that lawfully contains an authorized copy of the computer program, for purposes only of maintenance or repair of that machine if —17 U.S.C. §117(c). The statute defines "maintenance" as the "servicing of the machine in order to make it work in accordance with its original specifications and any changes to those specifications authorized for that machine." Id. § 117(d)(1). Congress was concerned that a service provider could be held liable for copyright infringement by inadvertently creating a copy of software installed on the machine simply by turning on the machine. See H.R. Rep. 105-551 pt. 1.
(1) such new copy is used in no other manner and is destroyed immediately after the maintenance or repair is completed; and
(2) with respect to any computer program or part thereof that is not necessary for the machine to be activated, such program or part thereof is not accessed or used other than to make such new copy by virtue of the activation of the machine.
The factual record surrounding TLI/C's use of the reset level 4 command is limited. Avaya explains that the "command causes the PBX system to 'reboot,' i.e., it causes the object code of the PBX software to be copied into the PBX's electronic memory." (Pl.'s SUMF ¶65.) TLI/C states it has used the reset level 4 command for maintenance, but summarily states in its reply brief that the copy of the software is destroyed and that it does not use any other software programs on the PBX system after rebooting. But at the summary judgment stage, "a party must present more than just 'bare assertions, conclusory allegations or suspicions' to show the existence of a genuine issue." Podobnik v. United States Postal Serv., 409 F.3d 584, 594 (3d Cir. 2005) (quoting Celotex Corp., 477 U.S. at 325). The Court is left with little factual basis for determining whether TLI/C's use of the reset level 4 command satisfies the requirements of the §117(c) safe harbor.
Additionally, the nature of the maintenance TLI/C performs is not clear. In explaining its services, TLI/C states that it reviews system security, performs an analysis of the PBX, and inputs maintenance commands. (Pl.'s Br. at 6, 12; Doc. No. 295; Pl.'s Reply Br. at 10; Doc. No. 408). But Avaya contends that TLI/C's use of the reset level 4 command was not for maintenance, citing what appears to be a TLI/C work order directing the use of the reset level 4 command to preserve a copy of the system with MSPs activated several days before Avaya scheduled deactivation. (Pl.'s Br. at 33; Doc. No. 351.) TLI/C claims that there is no evidence this work order was ever carried out. (Def.'s Reply Br. at 24 n. 8; Doc. No. 408.)
At this time, it is impossible to conclude whether TLI/C's use of the reset level 4 command falls within § 117(c). There first must be a factual determination as to the nature and use of the reset level 4 command, which can be resolved properly only by a finder of fact. Such a determination is critical to the question of whether Avaya's technological measures protect a right afforded by § 106 of the Copyright Act, as required by § 1201(b)(1).
b. Trafficking a Device that Circumvents a Technological Measure
Summary judgment is also inappropriate on the § 1201(b)(1) claim because the parties dispute the facts surrounding the trafficking element of the claim. To succeed with its § 1201(b)(1) claim, Avaya must demonstrate that TLI/C trafficked in a device that "(A) is primarily designed or produced for the purpose of circumventing a technological measure protecting a right of a copyright owner," (B) has a "limited commercially significant purpose or use other than to circumvent" a technological protection, or (C) is marketed with "knowledge for its use" to circumvent a measure that effectively protects a copyright. Summary judgment on this claim is inappropriate for two reasons. First, the parties do not agree on whether TLI/C offered to the public, provided, or otherwise trafficked in the Guardian device. Second, they disagree as to the primary purpose and commercial significance of the device and whether TLI/C marketed the device with knowledge of its use to circumvent.
First, the parties dispute whether TLI/C manufactured, imported, offered to the public, provided, or otherwise trafficked in the Guardian device. Defendants state that the Guardian is an "off-the-shelf device not manufactured, sold or marketed by TLI/C, but rather is sold commercially." (Def.'s Br. at 3; Doc. No. 295.) During its set up process, TLI/C "encourages its customers to install" a lock-and-key device sold by a third party, CPS, Inc. (Id. at 12-13; Pl.'s SUMF ¶ 215.) Defendants argue that Avaya can point to no evidence showing TLI/C sold or trafficked in a device prohibited by the DMCA.
In response, Plaintiff insists that "Defendants sell the Guardian" to customers. Plaintiff supports that allegation with reference to an internal TLI/C email referencing a "proprietary custom built 'lock and key' security device" to be named the Continuant Guardian. (Def.'s Ex. 65 to La Rocco Cert.; Doc. No. 299.) But it is unclear exactly who manufactures the device or who sells it. With inferences draw in favor of the Plaintiff, there is at least a factual issue surrounding how the Guardian device was marketed to PBX customers and whether it was Defendants who trafficked in the device.
Second, whether a device is "primarily designed" to circumvent, "has limited commercially significant purpose" other than to circumvent, or is marketed with "knowledge" of its use to circumvent are all questions of fact. As an initial matter, the parties agree that PBX systems can be remotely accessed and that this creates a risk of hacking and unauthorized access. (Def.'s SUMF ¶ 204; Pl.'s RSUMF ¶ 204.) TLI/C argues that the Guardian is a response to that threat, describing it as "added security" to protect a customer's PBX INADs line from unauthorized access by third parties, including Avaya itself. (Def's Br. at 3, 13; Doc. No. 295.) TLI/C characterizes the Guardian device as having a commercially significant purpose as a "valid" or "bona fide" security device. (Id. at 56.) Defendants claim that the device's purpose and the reason it encourages customers to install the device is to protect against PBX security vulnerabilities. (Id. at 12, 56-57.)
However, Avaya strongly disputes the purpose for which the Guardian device is installed. Avaya maintains that the Guardian is used to block Avaya from remotely deactivating software permissions to prevent unauthorized access and use of PBX maintenance functions. (Def.'s Br. at 35; Doc. No. 351). Avaya cites to statements by Defendant employees to this effect, including an email to Scott Graham that refers to "securing" a PBX line that "prevents Avaya from accessing those switches to take away the permissions." (Pl.'s Ex. 39 to Sachs Cert; Doc No. 352-36.) Essentially, any legal conclusion under § 1201(b)(1)(A)-(C) turns on whether the fact-finder believes security threats are simply a pretext for preventing Avaya from deactivating software permissions. This type of factual determination must be left to a jury as it could be resolved in favor of either party. For these reasons, summary judgment on the §1201(b)(1) is inappropriate.
III. Conclusion
For the reasons stated above, the Court grants summary judgment in favor of Defendants on Plaintiff's §1201(a)(1) and § 1201(a)(2) claims, but denies summary judgment on Plaintiff's §1201(b)(1) claim. Furthermore, the Court denies as moot Plaintiff's Motion to Strike Volume II of Defendants' Statement of Undisputed Material Facts and the July 24, 2011 Certification of Scott Graham. An appropriate order is filed herewith.
GARRETT E. BROWN, JR., U.S.D.J.