A Discovery Ruling in Synopsys, Inc. v. Uniquiti Networks, Inc., 2018 WL 577941, Case No. 17–cv–00561 (N.D. Cal. Jan. 29, 2018), Raises a Novel Issue as to Liability for “Cross-Border” Circumventions of the Digital Millennium Copyright Act
The 1998 Digital Millennium Copyright Act (“DMCA”), 17 U.S.C. § 1201(a)(1), and (2), prohibits circumvention of copyright protection systems. Although it has not yet been the subject of a published opinion, presumably the DMCA, like the Copyright Act, does not reach conduct that takes place entirely abroad. Assuming this is correct, if an end user in the United States circumvents a copyright protection system by accessing unlicensed software residing on a server in a foreign country, does the DMCA reach this type of conduct? This is the issue that a Northern District of California magistrate judge was required to consider in Synopsys, Inc. v. Ubiquiti Networks, Inc., 2018 WL 577941, Case No. 17–cv–00561 (N.D. Cal. Jan. 29, 2018). Although the standard for determining cross-border liability under the DCMA in this opinion was considered solely in the context of determining relevance of discovery requests, it highlights an issue that is likely to be more fully addressed by a district court in the future.
Synopsys is a leading producer of semiconductor design software. Ubiquiti designs networking technology, including semiconductor chips. Synopsys alleges that since 2014, Ubiquiti has used counterfeit license keys for Synopsys’ electronic design automation (“EDA”) software without a license. Synopsis further alleges that Ubiquiti violated the DMCA by fraudulently representing to Synopsys that it was interested in entering into a license agreement to obtain Synopsys software, when it in fact was planning to use counterfeit license keys. 2018 WL 577941 at *1.
Synopsys’ EDA software contains a tracking function that transmits to Synopsys information about computers that use counterfeit license keys, including the computers’ MAC addresses, IP addresses, and server host names. This function, known as “call-home” or “phone-home” data, allegedly showed that Ubiquiti used counterfeit license keys more than 39,000 times. Id. at *2.
Ubiquiti installed Synopsys’ software on a server in Taiwan and provided its employees with remote access. Accordingly, even if a Ubquiti employee accessed the software from a remote location, such as the United States, the call-home data Synopsys received would indicate the identifying information of the server located in Taiwan. As a result, the vast majority of the call-home data Synopsis received showed that the user was located in Taiwan. Id.
Synopsys issued inspection demands to Ubiquiti, demanding a forensic examination of Ubiquiti’s Taiwan computers. Ubiquiti refused to comply with the inspection demands, and Synopsys filed a motion to compel. Id. at *1.
Ubiquiti argued that this established that the alleged violating use occurred entirely in Taiwan, and therefore data on its Taiwan computers was not relevant. Synopsys argued that the majority of infringing use occurred in the United States, notwithstanding call-home data indicating use in Taiwan, and therefore the data on the Taiwan computers was relevant. Id. at *2.
The Court’s Analysis
The court first observed that neither party had specified the contours of what a forensic examination of Ubiquiti’s Taiwan computers would entail. Id. Accordingly, the court was unable to rule on the relevance, proportionality, or burden of permitting a particular forensic examination of Ubiquiti’s Taiwan computers for forensic artifacts that might be relevant to the case. Instead, it addressed whether some sort of forensic examination of Ubiquiti’s Taiwan computers could be relevant. Id. at *3.
The court crystallized the relevancy inquiry as follows:
“[W]hen an end user connects to a remote server and, through that remote server, circumvents a technological measure that controls access to a copyrighted work, where is that circumvention deemed to have taken place, and how (if at all) does that affect whether the circumvention gives rise to DMCA liability?” Id.
Ubiquiti made two arguments. First, relying on Subafilms, Ltd. v. MGM-Pathe Communications Co., 24 F.3d 1088 (9th Cir. 1994) (en banc), Ubiquiti argued that the DMCA does not cover circumventions that take place entirely outside the United States. (In Subafilms, the Ninth Circuit held that the Copyright Act does not reach copying that takes place entirely outside of the U.S. Both parties assumed that the DCMA also did not apply to conduct that takes place entirely outside of the U.S.) Ubiquiti argued that its alleged circumventions took place entirely outside the United States. Id.
Second, Ubiquiti argued that the DMCA does not cover circumventions that are “initiated” in the United States but are “completed” in a foreign country. Id. at *3. Neither of the parties identified any precedent that addressed the question of such “cross-border circumventions of the DMCA,” and the court was not aware of any such cases. The parties both argued that the court should apply the Copyright Act by analogy. Although the court expressed some skepticism about this approach, it observed that even if cases addressing violations of the Copyright Act were analogous, Synopsys could make a plausible argument under those cases that Ubiquiti’s alleged conduct is sufficiently related to the United States to give rise to DMCA liability. Id. at *4.
Because the parties had failed to provide sufficient descriptions of how Ubiquiti’s alleged circumvention took place, the court posed a hypothetical set of facts. It assumed that Ubiquiti obtained hacker software in Taiwan that allowed it to access Synopsys’ software. Under this hypothetical, Ubiquiti’s U.S. end users accessed and used Synopsys’ software that was installed on Ubiquiti’s server in Taiwan. Id.
The court turned by analogy to a Second Circuit copyright case, Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008). In Cartoon Network, the Second Circuit was faced with the question of who made a copy of copyrighted content—a DVR user or the cable company that provided DVR capabilities and storage of the copied content on its servers. The Second Circuit held that the copies were made by the DVR user, not the remote server, “because ‘the person who actually presses the button to make the records, supplies the necessary element of volition.’” 2018 WL 577941 at *5 (quoting Cartoon Network, 536 F.3d at 131). By analogy, a Ubiquiti user accessing Synopsys software could be liable for circumvention of the DMCA. Id.
Ubiquiti posed its own hypothetical set of facts at the hearing on Synopsys’ motion. Ubiquiti raised the possibility that “some person or persons outside the United States ‘hacked’ the Synopsys software to remove the license-key-protection system entirely, so that after that one act of circumvention, the software never again checked any license keys.” Ubiquiti users in the U.S. would then run the software without being prompted for a license, and therefore could not be held liable for circumvention under the DMCA. Id. at *6.
The court determined that it was not required to decide whether Ubiquiti would face DMCA liability under Ubiquiti’s hypothetical set of facts. Instead, it determined that discovery into Ubiquiti’s Taiwanese computers was relevant to determine liability. Id.
Perfect 10 Server Test
The court also rejected Ubiquiti’s attempt to rely on the “server test” set forth in Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007). In Perfect 10, the plaintiff was the registered owner of copyrights in certain photos. It alleged that Google violated its exclusive rights of public display and distribution by displaying the photos in a Google search result. Google pointed out that the photographs were not stored on its server, but instead were transmitted directly from third-party servers to end users without going through Google. Therefore, Google could not as a matter of law be the infringing party. The Ninth Circuit held that “only a server that actually stored the photographs as electronic information and ‘serves that electronic information directly to the user (“i.e., physically sending ones and zeroes over the Internet to the user’s browser”)’ could infringe the copyright holder’s rights, whereas a search engine like Google ‘that does not store and serve the electronic information to a user’ did not infringe on the copyright owner’s rights.” 2018 WL 577941 at *7 (quoting Perfect 10, 508 F.3d at 1159). The court observed that the Ninth Circuit’s “server test” was inapposite because it did not address the question of distinguishing between end users and remote servers. Id. at *6.
The court’s analysis seems correct in a “micro” sense: the court was not in a position to determine the issue of whether Ubiquiti’s conduct was subject to the DCMA because the factual record was undeveloped. Presumably, Ubiquiti’s counsel had the ability to support its hypothetical with declarations. Whether it intentionally chose not to submit declarations for strategic reasons is not clear. In any event, the court’s ruling that Ubiquiti was not entitled to categorically refuse discovery of its Taiwanese computers was reasonable. The court cautioned that it was not issuing a blanket order permitting unfettered discovery, and that discovery into Ubiquiti’s Taiwanese computers was subject to standard discovery factors, including proportionality, burden, and the defendants’ legitimate interests in maintaining the integrity of their systems and the confidentiality of their data. Id. at *7.
However, it is questionable whether the court’s analogy between a DVR user in Cartoon Network and a Ubiquiti employee using Synopsys software is apt. In the case of the DVR user, there can be no doubt that the DVR user alone decided to copy the copyrighted work. In the case of the Ubiquiti employee, it was almost certainly not an individual employee who made the decision to use Synopsys’ software, and he or she may have been wholly unaware that it was being used (not to mention that it was being used without authorization from Synopsis). This is consistent with how most larger companies handle software licenses: i.e., they are licensed in bulk and, typically, an I.T. department will be responsible for ensuring that the end users’ software is licensed.
Of course, as the court itself made clear, the issue was only raised in the context of determining relevancy for the purposes of deciding the bounds of permissible discovery. Ubiquiti ultimately may be able to evade liability under the DCMA by substantiating its hypothetical set of facts in which none of its U.S. personnel intentionally circumvented Synopsys’ copyright protection systems. Furthermore, it may prevail on an argument that its end users lacked the necessary volition to engage in conduct that violates the DCMA.