David Hayes, of Fenwick & West in San Francisco, told a gathering of intellectual lawyers at the Advanced Computer and Internet Law Institute at Georgetown Law School last week that there are several ways in which redesigned software can be lawfully protected by the DMCA.
Recommending a two-prong approach so that protection measures can be enforceable, Hayes said the first step involves identifying which internal elements, access points, or data will be restricted. These might include maintenance diagnostic routines, data within a database or a remote function call.
The second step is selecting the best approach for securing the protected content when, for example, the guts of the software reside on the licensor's servers and authorized clients access it remotely.
Hayes recommended encrypting certain chunks of executable code — such as modules and subroutines — and then requiring the client to provide a “key” to decrypt the code before the computer will execute it.
In the course of the decryption using the key, a copy of the unencrypted code will be created. Hayes explained that the legal purpose of the key is to defeat attempts to hide behind the DMCA's reverse-engineering exemption, which allows circumvention "for the purpose of enabling interoperability of an independently created program" but only "to the extent doing so does not constitute copyright infringement."
The reverse-engineering exemption to the DMCA only applies to programs and not data, Hayes explained. So, if someone figures out a way to decrypt the data to permit it to run in an interoperable application, that activity might not be exempted under the DMCA — particularly if the data were not just "internal" data used by the program, which a court might view as part of the computer program itself.
The two federal cases Hayes cited as cutting back the scope of the DMCA’s encryption provisions were Storage Tech. Corp. vs. Custom Hardware Engineering Consulting Inc. and Chamberlain Group Inc. vs. Skylink Technologies.
In Storage Tech, the court rejected the defendant's reliance on this exemption in a case where a key was used to guard access to the copyrighted program. Custom Hardware, a competitor, bypassed the key so it could activate a diagnostics program hidden within the code of the software used to operate the client's modular library system. It alleged that this violated the anti-circumvention provision of the DMCA. The court agreed, ruling that where the circumvention results in copyright infringement, then the reverse engineering exemption does not apply.
Hayes said that the “key” approach, by requiring that decrypted copy of the code be made, also helps provide a link to an underlying "protected right," as required by Chamberlain Group Inc. vs. Skylink Technologies in which the court decided that the DMCA should not apply in situations where the bypass does not result in copyright infringement.