The second “circuit split” we’ll look into in this series is disagreements among federal circuits with how to apply the DMCA.
17 U.S.C. § 1201 of the Digital Millennium Copyright Act (DMCA) has a series of provisions aimed at targeting parties that engage in “anti-circumvention” of protected works. This law was designed in the early days of the internet when a lot of the major incumbents in the music and movie industries were losing their minds. Depending on your age, you may or may not recall that Napster got very big very fast, and all of the sudden everyone could share and stream every song that ever existed for free, and it scared the living bejeesus out of the music industry. That was one of the first flashpoints in applying the DMCA.
For anyone that is involved in web-scraping or data-access related issues, you can understand why the word “circumvent” could be a sensitive one. Host websites employ a series of anti-bot technologies to stop scrapers. And of course scrapers are always one step ahead of the game in getting around these technologies.
The key question for web scrapers is whether simple technologies like proxies, VPNs, headless browsers, and the like (and the companies that use them) violate the DMCA?
That is a very good question, and one that courts are only starting to work their way through.
I’ve organized this section by the key fault lines courts disagree on, including the leading cases and what each one means in real life.
—
1) Does § 1201(a) require a “nexus” to copyright infringement?
The first battleground with the DMCA is whether the “anti-circumvention” rights associated with the DMCA have to be connected to a copyrighted work, or whether DMCA “anti-circumvention” rights are a standalone claim independent of copyright law.
When I first started studying this issue, it came as a shock to me that many courts hold that anti-circumvention rights don’t need to be tied to any copyrighted work, but that’s the law in some jurisdictions.
- Second & Ninth Circuits — No nexus required.
- 2d Cir.: Universal City Studios v. Corley (DeCSS/CSS). The court sustained liability under § 1201(a)(2) for disseminating a DVD‑decryption tool; fair use is not a defense to the access‑circumvention ban. The opinion treats anti‑circumvention as its own prohibition, separate from infringement.
- 9th Cir.: MDY Industries, LLC v. Blizzard Entertainment (WoW “Glider” bot / Warden). The Ninth Circuit explicitly rejected the Federal Circuit’s “infringement nexus” requirement and held that § 1201(a) creates a distinct, stand‑alone anti‑circumvention right, independent of § 106 (the Copyright Act).
- Federal, Sixth, and (effectively) Fifth Circuits — Nexus required or functionally similar narrowing.
- Fed. Cir.: Chamberlain Group v. Skylink (garage‑door “rolling code”). Plaintiff must show a reasonable relationship between the access circumvention and protection of rights the Copyright Act affords (i.e., a nexus to infringement).
- 6th Cir.: Lexmark v. Static Control (printer chips). The “access control” at issue must actually control access to the copyrighted work itself; measures that only gate device functionality aren’t enough. The court repeatedly relies on a reading aligned with Skylink.
- 5th Cir.: MGE UPS v. GE (service software dongle/password). No violation where defendants used already‑cracked software (no “circumvention”), and the dongle did not protect against copyright violations—language that resonates with the Skylink/Lexmark approach.
Bottom line: In the 2d/9th Circuits, §1201(a) liability does not require a nexus to infringement, but the measure must control access to a copyrighted work. In the Federal Circuit/6th/5th, plaintiffs face a higher bar tying the bypass or circumvention to protected rights or true “access” to the work.
This obviously matters quite a bit, because more often than not, scrapers are after raw data that isn’t subject to copyright protection. If you need a nexus to actual infringement, no DMCA claim would apply to scrapers most of the time. If none is required, the DMCA could apply in a lot of different fact patterns. Requiring a nexus makes §1201 harder to use against scrapers focused on uncopyrightable facts. By contrast, in no-nexus jurisdictions, §1201 may still apply where the bypassed measure gates access to a copyrighted website or audiovisual experience.
—
2) What counts as a “technological measure that effectively controls access” to a copyrighted work?
Here, the question is what constitutes the kind of technological measure that effectively controls access to a copyrighted work in a way that gives rise to DMCA claims. Again, there are dozens if not hundreds of little things that anti-bot providers use to make things harder for scrapers. And there are just as many if not more techniques to get around them. Here, it’s probably not accurate to say there’s a circuit split on this issue as much as there are a hodgepodge of district court opinions that give us limited guidance to understand what constitutes a technological measure that gates control.
Here are some things that trigger liability:
- Encryption/DRM that gates playback or viewing:
- 9th Cir.: Apple’s boot process for macOS qualifies; using tools to install Mac OS X on non‑Apple hardware supported relief (appeal focused on misuse; the district court found DMCA liability and the Ninth Circuit affirmed the injunction).
- Measures that merely gate a device or service feature (not the work):
- 6th Cir.: Lexmark — the authentication sequence controlled the printer’s operation, not access to the Printer Engine Program’s expressive code (which purchasers could read from memory), so § 1201(a)(2) did not apply.
- 9th Cir.: MDY — Blizzard’s Warden did not control access to WoW’s literal code or “individual” non‑literal assets stored locally (accessible without contacting Blizzard’s server), so no § 1201(a)(2) as to those. But Warden did control access to WoW’s dynamic, server‑delivered audiovisual experience, so § 1201(a)(2) liability attached for that category. The opinion carefully divides “literal,” “individual non‑literal,” and “dynamic non‑literal” elements.
- CAPTCHAs:
- C.D. Cal. (9th Cir. district): Ticketmaster’s CAPTCHA was treated as an access control to copyright‑protected webpages; trafficking in CAPTCHA‑bypass tools supported § 1201 claims at the PI stage.
- There were a series of cases in the early 2010s involving Craigslist where Craigslist was able to state DMCA claims against defendants that allegedly circumvented CAPTCHAs and phone verification to auto-post ads.
Password sharing:
– S.D.N.Y. (2d Cir. district): Using someone else’s password to log into a site did not constitute “circumvention” under § 1201 (DMCA claim dismissed; the fight shifted to CFAA/contract). I.M.S. Inquiry Mgmt. Sys. v. Berkshire Info. Sys. (S.D.N.Y. 2004) and Egilman v. Keller & Heckman (D.D.C. 2005). Both reject §1201 circumvention where defendants simply used valid credentials. Also note recent iSpot.tv v. Teyfukova (C.D. Cal. 2023) dismissal on the same theory.
But:
– Just a few weeks ago, a case called CDK Global LLC v. Tekion on a motion to dismiss held CDK that the plaintiff plausibly alleged §1201(a)(1) circumvention because defendants allegedly used dealer credentials plus VPN/IP-whitelisting to avoid or bypass CDK’s password- and network-based access controls; it also found a plausible §1201(a)(2)(C) “marketing” claim tied to promoting a service for use in circumvention. It distinguished the “just using a password” cases like Egilman v. Keller & Heckman (D.D.C. 2005) and iSpot.tv v. Teyfukova (C.D. Cal. 2023) which reject DMCA liability for someone merely logging in with existing credentials because the defendants alleged got around “layered measures” like CDK’s VPN/IP restrictions. It’s worth noting that Tekion is a pleading-stage decision; I.M.S. was a merits dismissal. So it’s not a square circuit split, but there is clear doctrinal friction between SDNY/D.D.C. (no circumvention for mere password use) and a strand of N.D. Cal. decisions (password/keys + other measures or credential “trafficking” can be circumvention).
Proxies:
– In a lesser-known legal decision from the X Corp. v. Bright Data case, the court allowed a DMCA claim to proceed against Bright Data for its use of proxies to access X Corp. (or, more precisely, its users’) data. Given the ubiquity of proxies and VPN technology in modern internet usage (and particularly with scraping), I’m surprised there isn’t more case law on this question. But early indicators suggest that proxies can potentially lead to a DMCA claim.
3) Is fair use a defense to § 1201 anti‑circumvention?
Given that the Digital Millennium Copyright Act was drafted to create additional digital protections for online copyrighted works, you’d think that the DMCA would allow for the same kind of online fair use protections associated with copyright law. But the support for that is sparse, and even then, it’s holding on by a thread in basically just one jurisdiction.
- Second & Ninth Circuits: Fair use is not a defense to bypassing access controls. Corley and MDY both say the anti‑circumvention is standalone claim. VidAngel follows this logic too.
- Eleventh Circuit (indicative but not decisive): Apple v. Corellium (S.D. Fla. 2020; 11th Cir. 2023 on copyright fair use). The district court recognized that § 1201 claims can proceed independent of copyright claims; the appeal centered on fair use for infringement, not § 1201’s merits. (Illustrative of alignment with 2d/9th, but no definitive 11th Cir. § 1201 holding.)
- Federal Circuit (Skylink) relied on §1201(c)(1) to avoid interpretations that would nullify fair-use/other defenses, but it didn’t hold that Copyright Act fair is an affirmative defense to §1201.
Bottom line: Expect no fair‑use defense to a § 1201(a) claim in the 2d/9th; other circuits haven’t created a contrary rule. The federal circuit is likely the most favorable jurisdiction on this, with most courts not yet deciding the issue.
—
4) Can contracts waive the statutory reverse‑engineering/interoperability exception (§ 1201(f))?
This is some really inside baseball stuff. But the net-net of § 1201(f) is that it allows someone who has lawfully obtained the right to use a copy of computer program to circumvent access controls to achieve interoperability in certain contexts. So if you or a client has a legal right to use certain software and you have independently created software that can interact with that software, Section 1201(f) might allow you to circumvent access controls to do that.
BUT:
- In the Eighth Circuit, in a case called Davidson & Associates (Blizzard) v. Jung (the BnetD server‑emulator case) enforced EULA/TOU terms prohibiting reverse engineering and held defendants liable under the DMCA’s anti‑trafficking provisions. The court also held users could contractually waive § 1201(f) reverse‑engineering rights. This is a major Blizzard precedent from 2005 in the 8th Circuit.
—
Given the extent of the cat-and-mouse game between anti-bot technology and the web scrapers that almost always get past those technologies, the law related to web-scraping and the DMCA is surprisingly underdeveloped. Part of me thinks that’s because counsel for companies inclined to pursue these claims (including plenty of very expensive, high-powered law firms) have historically been unsophisticated with respect to how DMCA claims can apply to web scraping. But my prediction is that this will be changing as web-scraping legal disputes become more mainstream.
If you’ve made it this far, you understand by now that there are many risks for scrapers that need to get around anti-bot technology to do what they need to do. And conversely, there are many jurisdictional issues for those looking to pursue claims against web scrapers.
I don’t think that’s a dynamic that’s going to change any time soon. If anything, the environment is only likely to get more complicated in the foreseeable future.