LAUREL BEELER, Magistrate Judge.
This lawsuit centers on allegations by plaintiff Synopsys, Inc. ("Synopsys"), a software company, that the defendants (collectively, "Ubiquiti") "pirated" its software by installing it on Ubiquiti's computers and then using counterfeit license keys to run the software without obtaining a valid license. Among other claims, Synopsys alleges that Ubiquiti (1) circumvented technological measures that control access to copyrighted software, in violation of the Digital Millennium Copyright Act ("DMCA"), 17 U.S.C. § 1201(a)(1), and (2) committed fraud in representing to Synopsys that it was interested in entering into a license agreement to obtain Synopsys software when it in fact was planning to use counterfeit license keys. Synopsys issued discovery requests to "forensically inspect" Ubiquiti's computers for evidence to support its claims. Ubiquiti objects to Synopsys's requests.
The parties' discovery dispute involves two issues: (1) relevance and (2) burden. The parties' briefs focus almost entirely on relevance. Ubiquiti's main argument is that all but two of the computers at issue are located outside the United States, the DMCA and U.S. copyright law do not impose liability for activity that occurred outside the United States, and hence the computers outside the United States are not relevant to Synopsys's claims and should be excluded from discovery. Synopsys disagrees with Ubiquiti's factual and legal contentions. As for burden, the court previously instructed the parties to meet and confer on the specifics of an appropriate inspection protocol and, if they were unable to agree on a solution, to submit a joint letter brief with their respective positions on how inspection would work, exactly what would be inspected, and what burdens that inspection might impose.
The court held a hearing on January 25, 2018. Because the parties did not raise burden arguments before the hearing, this order does not address burden issues and addresses only the parties' relevance arguments. The court holds that Ubiquiti computers are not per se outside the scope of relevant discovery merely because they are located outside the United States.
Synopsys is a world leader in semiconductor design software.
Synopsys alleges that Ubiquiti downloaded Synopsys electronic design automation ("EDA") software onto Ubiquiti computers.
This software has a built-in feature: according to Synopsys, its software transmits basic information about computers that use counterfeit license keys, such as the computers' MAC addresses, IP addresses, and server host names, back to Synopsys.
Ubiquiti acknowledges that it installed Synopsys software on a "storage array" in Taiwan that is accessed through three computer servers located in Taiwan.
Ubiquiti also acknowledges that when its employees remotely access its servers to run Synopsys software, Synopsys's call-home data reports the MAC address and host name of the server (or virtual machines running on the server), not the MAC address or host name of the employee's local computer.
Ubiquiti maintains that of the approximately 39,000 alleged circumventions identified in Synopsys's call-home data, only 626 correspond to an IP address originating in the United States.
It is important to recall exactly what is before the court. This is a discovery motion. It is not a dispositive motion on the merits of Synopsys's claims. Synopsys is not limited to admissible evidence and need not prove its claims at this juncture. It must only show that, given its claims, the discovery it requests is (1) relevant and (2) proportional to the needs of this case. See Fed. R. Civ. P. 26(b)(1). "Information . . . need not be admissible in evidence to be discoverable." Id. In deciding whether the plaintiff has made that showing, the court can consider even inadmissible evidence. Cf. Fed. R. Evid. 104. See generally, e.g., Goes Int'l, AB v. Dodur, Ltd., No. 14-cv-05666-LB, 2016 WL 427369, at *2 (N.D. Cal. Feb. 4, 2016).
The parties have not presented specifics as to exactly what a forensic inspection would cover, and hence the court does not rule on the relevance (much less on the proportionality or burden) of any particular forensic artifact that may be on Ubiquiti's computers. The court is not issuing a blanket approval of a forensic inspection. But nor may Ubiquiti assert a blanket claim that its Taiwanese computers are not relevant to Synopsys's claims. As discussed below, Ubiquiti's Taiwanese computers and the forensic artifacts on them may be relevant to the case.
Among other things, the DMCA provides that "[n]o person shall circumvent a technological measure that effectively controls access to a work protected under this title" (i.e., a copyrighted work). 17 U.S.C. § 1201(a)(1)(A).
Ubiquiti asserts that the DMCA does not cover circumventions that take place entirely outside the United States, citing Subafilms, Ltd. v. MGM-Pathe Communications Co., 24 F.3d 1088 (9th Cir. 1994) (en banc). There, the Ninth Circuit held that "United States copyright laws do not reach acts of infringement that take place entirely abroad." Id. at 1098. Synopsys does not seriously contest that proposition.
The parties have not identified (and the court is not aware of) any case that has addressed the question of cross-border circumventions under the DMCA. The parties have therefore drawn analogies to, and have cited cases addressing, cross-border violations of the exclusive rights granted under the general Copyright Act of 1976. As a threshold matter, it is not clear that cases addressing violations of the general Copyright Act control how a court should address violations of the DMCA. See generally MDY Indus., LLC v. Blizzard Entm't, Inc., 629 F.3d 928, 944-45 (9th Cir. 2016) ("[17 U.S.C.] § 1201(a) prohibits the circumvention of any technological measure that effectively controls access to a protected work and grants copyright owners the right to enforce that prohibition. . . . Historically speaking, preventing `access' to a protected work in itself has not been a right of a copyright owner arising from the Copyright Act. . . . Accordingly, we read this term as extending a new form of protection[.]").
The parties dispute exactly how Ubiquiti allegedly circumvented Synopsys's license-key-protection system. Synopsys maintains that Ubiquiti had to pass a license-key check every time it wanted to access and run Synopsys software.
Suppose that to circumvent Synopsys's license-key-protection system, Ubiquiti downloaded a "key generator" program from a "hacker website" onto a Taiwanese computer server.
As noted above, the parties have not identified any cases where a court has addressed whether a remote act of circumvention, like the one in the hypothetical above, is an act by the remote server in Taiwan outside of the United States, or an act by the end user within the United States. At least one court has addressed the analogous situation, however, of whether a remote act of copying (as opposed to circumvention) is an act by the remote server or by the end user. In Cartoon Network LP, LLLP v. CSC Holdings, Inc., 536 F.3d 121 (2d Cir. 2008), the Second Circuit examined a system involving a remote server for digital video recorders ("DVRs"), analogous to the remote servers at issue here. The system there allowed end users to record television programs by pressing a button on their remote controls. See id. at 125. A signal then was sent from the end user's remote control in the user's home to the cable company's server in the company's central facility. See id. The server then made a copy of the television program and saved it on a hard drive that the cable company maintained at a remote location. See id. at 124.
The question that the Cartoon Network court confronted was "who made this copy": the end user or the remote server? Id. at 130 (emphasis in original). The court answered by holding that "copies produced by the [remote storage]-DVR system are `made' by the RS-DVR customer," not the remote server, id. at 133, because "the person who actually presses the button to make the recording, supplies the necessary element of volition," id. at 131.
By analogy, just as an end user who presses a button and thereby inputs the command to record a television program is making a copy of the program under the Copyright Act (even if that television program is saved on a remote server), an end user who inputs commands to use a counterfeit license key to bypass a software-protection system may be engaging in an act of circumvention under the DMCA (even if that counterfeit key and software are installed on a remote server). If that end user is located in the United States, his circumvention might give rise to DMCA liability despite its cross-border nature. See generally Automattic Inc. v. Steiner, 82 F.Supp.3d 1011, 1028 (N.D. Cal. 2015) (holding in the context of a different DMCA provision that "the application of the [DMCA] is not extraterritorial" when "key elements of the cause of action were performed in [the United States]").
Ubiquiti, for its part, proposes an alternative hypothetical where, instead of using a license-key-generator program, some person or persons outside the United States "hacked" the Synopsys software to remove the license-key-protection system entirely, so that after that one act of circumvention, the software never again checked any license keys.
The court need not decide at this juncture whether Ubiquiti would have no DMCA liability in that particular fact scenario. In the context of the current discovery dispute, it is enough to say that there are at least some fact scenarios (such as the first hypothetical) in which Ubiquiti may have potential DMCA liability, and hence discovery is necessary to determine what the actual facts are. Certainly, the factual record is too embryonic to rule that Ubiquiti's Taiwanese computers cannot be relevant to a valid DMCA claim as a matter of law. Cf. Goes, 2016 WL 427369, at *2. What exactly Ubiquiti did and did not do vis-à-vis Synopsys's license-key-protection system may matter, and discovery into Ubiquiti's Taiwanese computers is thus relevant to determine exactly what Ubiquiti did and did not do.
Ubiquiti argues that in Perfect 10, Inc. v. Amazon.com, Inc., 508 F.3d 1146 (9th Cir. 2007), the Ninth Circuit established a "server test," and that under this test, "it is clear that the site of the violative act (the alleged use of `counterfeit' license keys to circumvent Synopsys' license-key system) are the servers that actually hosted Synopsys software — because that is the only place where the act could be completed — and not an employee computer that remotely initiated the act or where the displayed results could be viewed."
The plaintiff in Perfect 10 was a copyright holder of photographic images that brought a copyright-infringement claim against the internet search engine Google, alleging (among other things) that copies of its photographs appeared in Google search results, see id. at 1155-56, and that Google was thereby violating its exclusive right to publicly display and distribute its photographs, see id. at 1159. Google responded that while the photographs in question appeared on users' screens in Google search results, the photographs actually were being transmitted directly from third-party servers to end users, without ever going through Google, and hence Google was not the party that was displaying or distributing the images. See id. at 1156 ("Google. . . does not communicate the images to the user; Google simply provides [computer] instructions directing a user's browser to access a third-party website. . . . Thus, the user's window appears to be filled with a single integrated presentation of the full-size image, but it is actually an image from a third-party website framed by information from Google's website.").
The district court and the Ninth Circuit applied a "server test" to determine which party — the remote server or Google (not the remote server or the end user) — was violating the plaintiff's copyright. Id. at 1159. The courts held that under the "server test," only a server that actually stored the photographs as electronic information and "serves that electronic information directly to the user (`i.e., physically sending ones and zeroes over the Internet to the user's browser')" could infringe the copyright holder's rights, whereas a search engine like Google "that does not store and serve the electronic information to a user" did not infringe on the copyright owner's rights. Id. at 1159 (citations and internal brackets omitted).
Contrary to Ubiquiti's claims, nothing in the "server test" holds that when an end user initiates a copyright violation through the use of a remote server, the violation occurs only at the site of the server and does not, as a matter of law, occur at the site of the end user. Consequently, the "server test" does not address the legal questions presented here, and nothing in the test alters the conclusion that Ubiquiti's Taiwanese servers may be relevant to Synopsys's DMCA claims, as discussed above.
In addition to DMCA claims, Synopsys brings other claims, including claims for fraud. Among other things, Synopsys alleges that Ubiquiti represented that it wanted to legitimately license Synopsys software, that Ubiquiti made these representations to induce Synopsys to provide Ubiquiti with copies of its software and temporary license-key files
In sum, the court holds that Ubiquiti may not per se exclude its Taiwanese computers from the scope of discovery merely because they are located outside the United States.
This order should not be interpreted, however, as a blanket approval of any and all forensic inspections of Ubiquiti's computers. As the court previously advised the parties,