Microsystems Software, Inc. v. Scandinavia Online AB

Microsystems Software, Inc. v. Scandinavia Online AB, 226 F.3d 35 (1st Cir. 2000), was a civil case filed in 2000 in the United States District Court for the District of Massachusetts and appealed to the United States Court of Appeals for the First Circuit. It received considerable attention in the online community because it involved reverse engineering and cryptanalysis of content-control software, allegedly in violation of copyright law and a clickwrap license agreement.

In early 2000, Eddy L. O. Jansson and Matthew Skala reverse engineered the content-control package Cyber Patrol and published a report titled The Breaking of Cyber Patrol 4 detailing what they found, including a cryptanalysis of the CRC-32-based hash function that concealed the configuration password and Web site and Usenet newsgroup blacklists. They commented critically on the content of the blacklist, and highlighted apparent errors in it, innocuous sites and newsgroups blocked as objectionable for no visible reason. Along with the essay, they included software in C and Delphi demonstrating the attacks and allowing users to disable the package, change its configuration, or browse the blacklists in decrypted form. The break was widely reported on March 11, 2000.

On March 15, Microsystems Software, the publisher of Cyber Patrol, and Mattel, its parent company, filed suit against Jansson, Skala, and the ISPs that hosted their personal websites, Scandinavia Online and Islandnet. They filed in US court, though Jansson and Scandinavia Online were located in Sweden and Skala and Islandnet were located in Canada. They alleged that the reverse engineering was copyright infringement by Jansson and Skala; that distributing the essay and software (or, in the case of Islandnet, the link on Skala's site pointing to the essay and software on Jansson's site) was copyright infringement by the ISPs; and that Jansson and Skala's actions constituted breach of the clickwrap license agreement on Cyber Patrol, interference with advantageous business relations, conversion, and theft of trade secrets. Once the lawsuit became known, it attracted considerable attention from the online community, far overshadowing the discussion of the reverse engineering itself.

In response to demands from the plaintiffs, Scandinavia Online deleted Jansson's website and Islandnet asked Skala to remove his link to Jansson's (now non-existent anyway) website. The document and software had already been mirrored on many sites worldwide, however. The plaintiffs asked for, and received, a temporary restraining order against distribution of what they termed the "bypass code", and were authorized to serve it by email on mirror sites, along with a subpoena demanding the identities of every Web user who accessed the information. Some commentators dubbed these email-distributed subpoenas "spampoenas"; use of email for official service of court documents was, and remains, highly unusual if not absolutely unheard of.

On March 27, Skala announced that he had settled the cases against him (including one filed in a Canadian court as well as the US case) out of court and that Jansson was close to doing the same, with an agreement to stop distributing the essay and software and assign its copyrights to the plaintiffs. Other parties had become involved, however, including three mirror site operators associated with Peacefire and backed by the ACLU. The suit continued with the main issue being whether those mirror sites would also be forced to stop distributing the material. When their motions on that topic were dismissed, the mirror sites took that as an indication that they could continue to distribute it safely.

Meanwhile, some controversy erupted when news sources suggested that the exploit software had been released under the GPL, making any restriction on its distribution problematic. Statements from Jansson and Skala denying any intention to place it under the GPL, the lack of any copyright notice in Skala's code, and a vague nonstandard GPL notice in Jansson's code, made it fall apart as a possible GPL test case. In 2001, Jansson stated on his website that he had in fact intended his code to be under the GPL after all, even if he had not put in the proper notices to make that stick.

At the time of the case, the DMCA was not relevant because its enforcement was under suspension pending a review by the United States Copyright Office of whether exceptions to its provisions should be made. Lawrence Lessig nonetheless used the Microsystems case as an example of tension between the DMCA and the First Amendment in his essay Battling Censorware; and when the Copyright Office issued their rulemaking on DMCA exemptions, they also cited this case in their discussion of why reverse engineering of content-filter blacklists was one of only two categories of activities exempted.