CAPTCHAs and the DMCA

Yesterday I received an email Ben Maurer, one of the engineers for reCAPTCHA.

In addition to responding to a comment on a post from last week, he alerted me to a copyright case involving Tickmaster (TM) and RMG Technologies. According to the complaint and subsequent injunction (embedded below), RMG produced an application that allowed users to bypass a CAPTCHA system on TM’s site, thus enabling users to easily purchase thousands of tickets before actual humans could even get into the system.

According to the judge, this not only likely constituted an infringement of TM’s copyright, breach of contract and a violation of the computer fraud and abuse act, but also a violation of the DMCA anti-circumvention rules.

This ruling, if it actually stands up through the entire legal process, could have major implications for Webmasters who rely on CAPTCHA technology, including this one, and could introduce new ways to protect content on the Web, especially against automated tools such as scrapers.

Background

The anti-circumvention provisions of the DMCA are, with little doubt, the most controversial portions of the law. They are the portions that make it illegal to circumvent technological protections in order to gain access to copyrighted material as well as the providing of tools to circumvent either access or copy controls.

These rules have created a tremendous backlash due to their effect on fair use. Since it is a crime merely to produce tools that can circumvent copy protection schemes, copyright holders can lock down a work and prevent all use of the content, even use that would have likely been deemed fair if taken to court on its own merits.

However, this case put these provisions in something of a new light. According to the injunction, the CAPTCHA that TM used to protect its purchase pages constitutes a an access control mechanism and the page behind it is a copyrighted work. Thus, RMG’s software, which was designed to circumvent that CAPTCHA, amounts to a violation of the DMCA and, looking at the ruling, there seems to good reason to think that this logic will hold up.

In short, CAPTCHAs might not just be a form of protection against spammers and bots but might also themselves be protected under the DMCA.

A Tricky Application

CAPTCHAs are one of the most popular forms of site protection. They are used by everyone from Google to brand new blogs. Obviously, any additional legal protection CAPTCHAs can get will be a very big deal.

However, the TM case is a fairly unique one. Most bloggers use CAPTCHAs to protect their comment forms or emails, not multi-million dollar purchasing systems. To determine where a more typical use of CAPTCHA might fit in with with the DMCA, we first have to look at what one would have to prove to make such a claim.

  1. Ownership of a valid copyright on a work.
  2. That is effectively controlled by a technological measure, which has been circumvented
  3. That third parties can now access.
  4. That those third parties are unauthorized in their access
  5. That the access infringes a right protected under copyright law.
  6. And that the defendant made the product primarily for the purpose of circumvention, made it available despite limited commercial significance or promoted it as a tool for circumvention.

For most bloggers, the first two requirements are the greatest challenge. Though we use CAPTCHAs to protect comment forms and even our email addresses, neither of those things are copyrightable. One might claim the comment backend as being a copyrighted work, similar to Ticketmaster, but very few bloggers create their own platform meaning they don’t hold copyright in the code they use. Besides, it would be hard to call these files “effectively controlled” as most of them can be accessed directly from the Web.

Even if the blogger protects an email address with a CAPTCHA, that is just information and is not considered copyrightable.

The only exception would be if a blogger actually used the CAPTCHA to protect a copyrighted work. For example, if a CAPTCHA were used to protect a large MP3 file from leeching and another Webmaster implemented a service to let their users bypass the CAPTCHA and download the file directly.

These situations can and do happen, but are exceptionally rare. Fortunately, there are other laws, many of which we talked about when discussing scraping, that better fit this kind of abuse.

Still, there might be a place for these kinds of tactics, just not with your average blogger.

The Big Guns

The question becomes who could make the best use of this ruling? They would have to be someone who met the following criteria:

  1. Used CAPTCHAs heavily
  2. Protected copyrighted work they had ownership of with them
  3. Has the resources to target those who build such tools

Clearly, the list is short but the obvious answers are any of the big three, Google, Yahoo or Microsoft.

Of those three, Google fits best as they make very heavy use of CAPTCHAs, especially on Blogpsot, are frequent targets for circumvention and seem to be struggling to stay ahead of the software. However, it seems unlikely that they would use the law in this manner considering their hostile attitudes toward the DMCA in general.

However, any other company that meets the standards could certainly benefit from this case. It seems to only be a matter of time before a blogging platform takes advantage of this ruling in order to go after comment spammers and, possibly, scrapers.

After all, the DMCA not only applies to CAPTCHAs, but any other technological measure used to protect copyrighted works. I can think of many hosts and Webmasters eager to take advantage of that prospect.

Conclusions

I’m no fan of the anti-circumvention provisions of the DMCA, I want to make that clear. Also, I want to make it perfectly clear that this discussion is purely theoretical and academic and not an indication of a future legal strategy by any entity including Google, reCAPTCHA or anyone else mentioned in this. The best defense against CAPTCHA cracking remains better CAPTCHAs.

Still, even a bad law can be used for some good. Though I am no fan of walled gardens either, they are necessary sometimes. To that end, protecting the content behind a technological measure, such as a CAPTCHA, greatly increases the legal options you have should someone circumvent those protections.

However, the place this is most likely to assist bloggers and Webmasters is in the area of image and file hotlinking. If you use a technological means to prevent such hotlinking and another site circumvents those protections, there is a good chance it would be a violation of the DMCA, giving you legal ammunition above and beyond just traditional copyright claims.

In short, if you are going to restrict access to your content for any reason, make sure to protect it with technology that would have to be circumvented to gain access to it. Not only will this prevent a great deal of the infringement it could also greatly improve your legal options should an infringement occur.

I might disagree with that decision personally, but there is little doubt that, legally, it could open up some new doors.

Want to Reuse or Republish this Content?

If you want to feature this article in your site, classroom or elsewhere, just let us know! We usually grant permission within 24 hours.

Click Here to Get Permission for Free