Ultrasoft Technologies Ltd v Hubcreate Ltd

The claimant (‘Ultrasoft’) and the defendant (‘Hubcreate’) are companies which create and market software. They compete in selling to organisations that provide serviced office space. Those who rent offices from such organisations require the space to be provided with computers to assist in the conduct of their business. Typically the computers should be able to manage inquiries, meetings, quotes, inventory, sales, billing and so on. Ultrasoft and Hubcreate both provide software that enables these functions. Before November 2014 Hubcreate traded as RJ Metis Limited, but I will refer to it as ‘Hubcreate’ in all contexts.

It is common ground that in 2009 and 2010 Hubcreate copied on to its system computer programs which are protected by copyright and database rights owned by Ultrasoft. Hubcreate has in consequence made limited admissions of infringement of both copyright and database rights. In Ultrasoft’s view the admissions did not go far enough. The trial was about further alleged infringements on the part of Hubcreate.

Ultrasoft and Hubcreate have for some years competed for the business of several customers, including Kingshott Business Centre (‘KBC’). In about August 2006 KBC transferred its software purchasing from Hubcreate to Ultrasoft. Then in February 2009 KBC was persuaded to return to Hubcreate as its source of some software, specifically that which performs functions known as ‘customer relationship management’ (usually abbreviated to ‘CRM’). In June 2009 KBC decided also to buy its billing software from Hubcreate instead of Ultrasoft. Both the CRM and billing products were part of Hubcreate’s suite of software sold under the name ‘CentreCharge’.

On 2 June 2009 representatives of KBC and Hubcreate met to discuss the practicalities of KBC’s proposed use of Hubcreate’s billing software. KBC said that transferring its billing data on to Hubcreate’s CentreCharge module was going to be very time consuming for KBC and asked Hubcreate to do the work. KBC informed Hubcreate that it wanted its accounts information, contacts, licence agreements and invoices all extracted from its existing Ultrasoft files and transferred on to the new software. Hubcreate agreed to try.

One of the standard tools for software developers and users in this field is a Microsoft program called ‘SQL Server’. A server is a computer program that provides services to other computer programs. SQL Server permits users to store data within their own database computer files and to retrieve the data when required. To enable the transfer of KBC’s data, KBC provided Hubcreate with a copy of its SQL database files. These contained within them files which had been provided to KBC by Ultrasoft, called ‘UltraBis’ and ‘UltraCRM’. These in turn were thought to contain the relevant KBC data.

Following a failed attempt by Hubcreate to download the UltraBis and UltraCRM files, backed up versions were copied on to CD by KBC and on 5 June 2009 they were sent to Darren Powell, Technical Director of Hubcreate. The files were identified on the CD as ‘UltraBiz.bak’ and ‘UltrasoftCRM.bak’. They were copied by Mr Powell onto Hubcreate’s SQL server, given the names ‘UltraBis.mdf’ and ‘UltrasoftCRM’, and restored.

When Mr Powell opened the UltrasoftCRM file, he found in it none of the data he had been asked to extract. Mr Powell said that this file was thereafter ignored. He opened UltraBis and extracted what he thought was the relevant KBC data. But after consulting KBC he realised that some of the wanted data had not been extracted. Neither Mr Powell nor Matt Kirsch, Mr Powell’s contact at KBC, could work out how the further data could be obtained by this method. Mr Powell said that thereafter the two Ultrasoft files KBC had sent (UltraBis and UltrasoftCRM) remained untouched on Hubcreate’s server until after this dispute began. For a while no further effort was made to transfer KBC’s data.

Towards the end of 2009 KBC wanted to expand the use of its billing software and it seems that a decision was taken to try again to transfer KBC’s billing data so that it could be used on Hubcreate’s CentreCharge billing module. At a meeting on 21 December 2009 it was decided that an updated copy of KBC’s UltraBis file would be provided to Hubcreate.

After several failed attempts, on 2 March 2010 a file from KBC called ‘UltraSoftBis’ reached Hubcreate’s SQL server, was restored and given the name ‘UltraBis2.mdf’. Mr Powell said that this time all of the data which KBC wished to have transferred was extracted by him and imported into Hubcreate’s CentreCharge billing module. He said that the restored UltraBis2 file was then left untouched on Hubcreate’s server until after this dispute began.

The presence of Ultrasoft’s files on Hubcreate’s server came to Ultrasoft’s notice in the following way. In the continuing competition for customers, around the end of 2013 Ultrasoft managed to persuade another customer, United Business Centres (‘UBC’), to move its business from Hubcreate to Ultrasoft. UBC asked Harunor Biswas, Managing Director of Ultrasoft, to see whether he could transfer UBC’s data on to Ultrasoft’s database program. Mr Biswas agreed to try and UBC supplied him with files. When Mr Biswas looked at the UBC files in January 2014 he found a Hubcreate file called ‘CentreCharge.ini’.

An ‘ini’ file is an initialisation file which may contain a ‘connection string’ that allows access to the database with which it is associated. Mr Biswas found that this ini file was unencrypted and permitted the user what is called ‘system administrator access’ to its associated database. Here it meant that rather than UBC having just been given access to one installation of a Hubcreate SQL server containing only UBC’s data, it had been provided with access to the SQL database files for all of Hubcreate’s current and previous customers. System administrator access even permitted the user to modify and manage all these customers’ data.

With this access Mr Biswas found copies of Ultrasoft’s UltraBis, UltraBis2 and UltraCRM database programs stored on Hubcreate’s server. It was that discovery which led to these proceedings. Ultrasoft’s solicitors sent a letter before action on 25 June 2014.

In about November 2014 Hubcreate deleted UltraCRM, UltraBis and UltraBis2 from its server, keeping only one copy of each of the files on a pen drive (a memory stick). Hubcreate also provided a copy of each of the three files to its solicitors.

Mr Powell gave evidence about how it was that UBC came to acquire system administrator access to the database files of all Hubcreate’s customers. He said that customers using Hubcreate’s billing module always had their own accounting software – for instance SAGE 200, a commonly used proprietary system. It was necessary to enable the export of data from the Hubcreate billing module to the accounting software. To do this, Hubcreate provided financial export software to the customer, which Hubcreate installed on to the customer’s system.

Mr Powell explained that there are two means by which the financial export software can be connected to the billing module. The first is designed for use by Hubcreate’s customers. An initialisation (ini) file is installed on the customer’s system and edited to introduce the customer’s user name and a password. It allows the customer access to its own data in the billing module on Hubcreate’s server, nothing more.

The second method of connection is intended for Hubcreate’s use only. Its purpose is to allow Hubcreate to install its software on the customer’s system and to check connections when faults are found in communication between the customer’s accounting system and the billing module. It uses a connection string allowing system administrator access.

A security system is installed by Hubcreate which allows only one means of access to its billing module at a time. Once Hubcreate has finished using the connection string for installation and/or investigating faults, the setting should be changed so that the customer can only use its own specific initialisation file and only gain access to its own data.

When Ultrasoft first raised the present complaint with Hubcreate in June 2014 it did not identify UBC as the customer which had been given global access to Hubcreate’s server. Mr Powell said that on being informed of Ultrasoft’s complaint, his first reaction and that of his colleagues was alarm that one of its customers – and now Ultrasoft – apparently had access to the data of Hubcreate’s other customers. He said that keeping one customer’s data confidential and unavailable to other customers was absolutely essential. Hubcreate therefore changed all of the internal passwords on its server. This had the effect of denying system administrator access to anyone without possession of the new passwords, i.e. anyone outside Hubcreate. Customers’ access to the Hubcreate server using the first method described above remained unaffected. In other words, customers could still use their own usernames and passwords to access their own data, but not that of any other of Hubcreate’s customers.

Mr Powell reviewed the configuration files of all Hubcreate’s customers. He said that he found that by mistake a connection string had been provided to UBC giving it system administrator access. He also said that this mistake was found to be unique to UBC.

There was no evidence that UBC had abused its global access or even realised that it was available. Despite misgivings voiced by Hubcreate, neither was there evidence that Mr Biswas or anyone else at Ultrasoft had misused the global access passed on to them from UBC, for the period it remained available.

It is not in dispute that the Ultrasoft files discovered among the UBC files were there because Hubcreate had copied UltraBis, UltraBis2 and UltraCRM, provided by KBC, on to Hubcreate’s server and that these were infringing acts. (The precise names of those files varied a little haphazardly in the evidence; I will stick with these three names). So far, so admitted, but Ultrasoft contended that Hubcreate’s infringements must have gone further in two ways.

First, Ultrasoft alleged that Hubcreate had allowed customers other than UBC – probably all of them – access to the three Ultrasoft files while they were stored on Hubcreate’s server. In so doing Hubcreate:

The second allegation was that Hubcreate must have exploited Ultrasoft’s database files to its own advantage, having had access to them for some years. This was never adequately pleaded and became an issue raised at the CMC and again at a later interim hearing. I came to the view that this aspect of Ultrasoft’s complaint had no basis in anything beyond speculation. Rather, it was being used to fish for disclosure in order to find out what, if anything, Hubcreate might have done with the databases it had copied. I struck out those parts of Ultrasoft’s Particulars of Claim which potentially supported this unparticularised part of Ultrasoft’s case. It formed no part of the trial.

In July 2015 Hubcreate made a Part 36 Offer in relation to the copying of three Ultrasoft database programs on to its server and the retention of them until about November 2014, admitting that this copying and retention constituted acts of infringement of Ultrasoft’s copyright and database rights. The Offer was accepted.

The list of the remaining issues to be resolved at trial took on a particular significance in this case. Despite my having struck out parts of the Particulars of Claim at an interim hearing, the Particulars were not amended in accordance with standard practice and so remained in their original form. This was not satisfactory. At the trial, with a little care it was possible to work out what should have been deleted from the Particulars of Claim pursuant to the interim orders made. More usefully, however, the list of issues, which had been amended in accordance with the order to strike out, for the most part helpfully defined in summary form what was left in issue.

The first three issues in the list concerned subsistence and ownership of the relevant rights. Having admitted acts of infringement, albeit to a limited extent, Hubcreate had accepted that copyright and database rights subsisted in the three Ultrasoft files they had copied and that these rights were owned by Ultrasoft. The files in question had been listed in full in Annex 1 to the Claimant’s Response dated 10 June 2015 to a Part 18 Request from the defendant, referred to in the list of issues as ‘Annex 1’. Therefore the first three listed issues fell away.

That left the issues relating to the further alleged acts of infringement and others concerning statutory defences run by Hubcreate. I here set out the remaining infringement issues as identified by the parties (with my further amendment to delete ‘alleged’ from the reference to the copyright works and database):

“4.

Did the Defendant’s restoration of the two SQL files “UltraBiz.bak” and “UltrasoftCRM.bak” prima facie amount to:

…

(b)

issuing copies to the public of;

(c)

communicating to the public;

…

the … copyright works identified in Annex 1?

5.

Did the hosting of the two restored SQL files “UltraBis.mdf” and “UltrasoftCRM.mdf” on the Defendant’s production server prima facie amount to:

…

(b)

issuing copies to the public of;

(c)

communicating to the public;

…

the … copyright works identified in Annex 1

…

7.

Did the hosting of the two restored SQL files “UltraBis.mdf” and “UltrasoftCRM.mdf” on the Defendant’s production server prima facie amount to extracting and/or re-utilising all or a substantial part of the … database identified in Annex 1?

(a)

Was the Defendant’s production server freely accessible to the public?

(b)

Did hosting the two restored files “UltraBis.mdf” and “UltrasoftCRM.mdf” on the Defendant’s production server prima facie permit the public to have access to the UltraBiz file?”

The qualification ‘prima facie’ reflected Hubcreate’s statutory defences pursuant to sections 50A to 50D of the Act and regulation 19(1) of the Database Regulations. Issues 8 to 10 concerned these defences.

It will be seen that infringement issues 4, 5 and 7 did not expressly refer to UltraBis2, but argument was advanced on the assumption that there was no relevant distinction between that file and UltraBis.

The parties agreed that the copyright allegations of (a) issuing and (b) communicating copies of Ultrasoft’s SQL database files to the public and the database right allegations of (a) extraction and (b) re-utilisation of those files all depended on whether the public had had access to the files while they remained on the Hubcreate server. Clearly UBC had had such access, whether UBC knew it or not. It was common ground that in order for Ultrasoft to succeed under any of the four heads of claim it had to establish that customers of Hubcreate other than UBC had had access to Ultrasoft’s files. There was no consensus as to what scale of access translated into infringement – i.e. how many further customers must have had system administrator access to the Hubcreate server – but certainly more than just UBC.

As to this, Mr Powell’s evidence, summarised above, was clear: it had not been possible for any customer other than UBC to gain access to Ultrasoft’s files. Only UBC, in error, had been given system administrator access to the Hubcreate server.

Ultrasoft challenged Mr Powell’s account, raising two related arguments. The first was a simple submission that I should just reject Mr Powell’s evidence, either wholesale or at least this part of it. I cannot see any reason for doing so. It is true that in cross-examination it emerged that Mr Powell had not accurately remembered certain peripheral matters but this proved nothing. As against that, I think it is telling that Ultrasoft could advance no reason why Hubcreate would ever have wanted to give all its customers access to each other’s data – a necessary consequence of having system administrator access to Hubcreate’s server and thus to Ultrasoft’s files. This would have been commercial suicide from Hubcreate’s point of view. Alternatively, to the extent it was alleged (and I am not sure it was) that all Hubcreate’s customers had been given system administrator access by mistake – in other words by the serial repetition of the same mistake made with UBC – this would have constituted a disastrously persistent error on Hubcreate’s part for which there was no support in the evidence and which to my mind was highly improbable.

In addition, as was pointed out by Mr Powell, when Hubcreate changed all the internal passwords having received the letter before action of 25 June 2014, if customers other than UBC had been using a connection string similar to that provided to UBC – i.e. one permitting system administrator access – they would have lost connection to Hubcreate’s server at that point and thus also lost access to their own data. They would have complained loudly about it. Mr Powell said that none did and there was no reason to doubt that this was true. Mr Biswas accepted that there would have been complaints if customers had lost access to their own data.

Ultrasoft’s second argument related to a Hubcreate document headed ‘Performing a local installation of CentreCharge’ taken from Hubcreate’s disclosure. Mr Biswas thought that a copy must have been passed to all Hubcreate’s customers. He said that if its instructions were followed the customers would have had global access to Hubcreate’s server and therefore to each other’s data and, most relevantly, to the three Ultrasoft files. In cross-examination Mr Biswas accepted that a password, which he conceded to be necessary for system administrator access, was missing from this document. Mr Biswas drew attention to an image of a screen shown in the document. In practice customers would have obtained such an image on their own screen and Mr Biswas speculated that it might have been possible to scroll to the left or to the right and this might have revealed the password.

Mr Powell in response insisted that the document in question was an internal document, available only to Hubcreate’s employees. He also firmly disputed Mr Biswas’s assertion that it could have been used to gain system administrator access to Hubcreate’s server. He said the password was not in the document.

The document begins:

“The following steps describe how to perform a local installation of CentreCharge for an ondemand customer.”

This appears to reinforce Mr Powell’s contention that it is an internal document for use when carrying out an installation for a customer, not a document the customer itself would be expected to use.

In addition, Mr Biswas’s theory seems to me to hit a wall already mentioned: no reason was given to explain why Hubcreate would want to encourage its customers to gain unlimited access to its server and thus access to each other’s data by distributing the document in question. By common consent, such a free-for-all was something companies like Hubcreate and Ultrasoft would strive to avoid.

I find that only one of Hubcreate’s customers, namely UBC, had access to the three Ultrasoft files in issue, or any of them, while they were stored on Hubcreate’s SQL server.

Hubcreate submitted that it had a defence to the further allegations of infringement pursuant to sections 50A to 50D of the Act in relation to copyright infringement and pursuant to regulation 19 of the Database Regulations in relation to database rights. Hubcreate also relied on the contractual terms under which Ultrasoft licenses the use of its software.

I will take this briefly since the defences do not arise on the findings I have made. The defences would only be of relevance if they permitted a licensee of Ultrasoft, and beyond that a party acting on the licensee’s behalf such as Hubcreate, to make Ultrasoft’s software freely available to third parties, including third parties of Hubcreate’s choosing. Hubcreate’s brief submissions on this topic did not go so far as to suggest that either the statutory defences, or Ultrasoft’s licence terms, or a combination of them, gave Hubcreate that degree of freedom.

Pursuant to my finding that none of Hubcreate’s customers other than UBC had access to Ultrasoft’s software, Hubcreate has not infringed Ultrasoft’s copyrights or database rights beyond the infringements already admitted.