Legal position
DMCA §1201 Anti-Circumvention — Why we unlock sheet protection but not file-open passwords
Last reviewed 2026-05-07. This document is the public version of our internal legal posture for the ExcelMaster.ai Excel Unlock tool. We're publishing it because no one else in the password-recovery industry will, and because the distinction between "what we do" and "what we don't" is the single most important thing for users to understand.
TL;DR
- Sheet protection, workbook structure protection, and VBA project passwords are editorial markup stored as plain XML or hash values inside the OOXML container. They block the Excel UI from offering certain commands, but they do not encrypt anything. Removing them is not circumvention under DMCA §1201 in our reading and the reading of multiple legal analyses we cite below.
- File-open AES passwords are different. Office 2007+ workbooks set with "File → Info → Encrypt with Password" are actually encrypted using AES-128/256 with a key derived from the password. Recovering them requires brute force or dictionary attack — that does implicate §1201 in our reading. We do not operate in that space.
- We require an explicit Terms-of-Service checkbox confirming you own the file or have permission, irrespective of which protection type is in play. That's about basic ethical use, not §1201 — but it's the table-stakes bar.
1. The two types of "Excel password" that the industry routinely conflates
Walk through any free-Excel-unlock landing page and you'll see the same dark pattern: a single "Recover your Excel password" CTA that quietly serves two completely different products to two completely different users. We refuse to do this because the legal, ethical, and technical pictures of those two products are not the same.
Type 1 — Structural protection (what we lift)
Visible in the OOXML container as XML elements:
<workbookProtection workbookPassword="HASH" lockStructure="true" />
<sheetProtection password="HASH" sheet="true" objects="true" .../>
<fileSharing readOnlyRecommended="1" reservationPassword="HASH" />
The password="HASH" is a 16-bit hash. It is not a key. Excel never decrypts anything with it. When you double-click the file, Excel reads the cells in plaintext, then applies the protection elements as UI restrictions ("show me a dialog if the user tries to edit this cell"). Removing the XML element is text editing, not key recovery.
The OOXML specification (ECMA-376, Microsoft's own Open Document standard) explicitly classifies these elements as protection settings, not encryption. The Microsoft Office File Format Reference clarifies that protection is enforced in the application, not in the file format.
Type 2 — File-open AES password (what we refuse to touch)
Set via File → Info → Encrypt with Password. The entire workbook ZIP container is replaced with an OLE Compound Document containing AES-128 (Office 2007) or AES-256 (Office 2016+) ciphertext. The password is run through a key-derivation function (PBKDF2 with 100k+ iterations as of Office 2016) to produce the actual key.
Without the password, the file cannot be parsed at all. Excel itself shows you a password prompt before any cell content is loaded. Recovering this password requires either brute force (try every possible password) or dictionary attack (try a list of likely passwords). Both attempts treat the protection as a technological measure, and the act of trying to break one is what §1201 prohibits.
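The Type 1 / Type 2 split above can be checked from the container alone. The sketch below is an added example, not ExcelMaster.ai's code: it reads the file signature, and only for a plain ZIP lists which of the three structural elements appear in which part. The function names and the sample workbook are constructed for illustration; it reports and never modifies the file.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE Compound Document signature
ZIP_MAGIC = b"PK\x03\x04"                       # ZIP local file header

# Structural protection elements named on this page.
STRUCTURAL = ("workbookProtection", "sheetProtection", "fileSharing")
# Simplified tag scan (optional namespace prefix); not a full XML parse.
TAG_RE = re.compile(rb"<(?:\w+:)?(%s)\b" % "|".join(STRUCTURAL).encode())


def protection_map(data: bytes) -> dict:
    """Classify a workbook by container type and list structural protection."""
    if data.startswith(OLE_MAGIC):
        # Either a file-open-encrypted workbook or a legacy .xls: there is
        # no plain ZIP to inspect, so report the container and stop.
        return {"container": "ole", "elements": {}}
    if not data.startswith(ZIP_MAGIC):
        return {"container": "unknown", "elements": {}}
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == "xl/workbook.xml" or name.startswith("xl/worksheets/"):
                tags = sorted({m.decode() for m in TAG_RE.findall(zf.read(name))})
                if tags:
                    found[name] = tags
    return {"container": "zip", "elements": found}


def sample_zip() -> bytes:
    """Constructed minimal container holding only the parts this scan reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml",
                    '<workbook><workbookProtection workbookPassword="HASH" '
                    'lockStructure="true"/></workbook>')
        zf.writestr("xl/worksheets/sheet1.xml",
                    '<worksheet><sheetData/><sheetProtection password="HASH" '
                    'sheet="true"/></worksheet>')
        zf.writestr("xl/worksheets/sheet2.xml",
                    "<worksheet><sheetData/></worksheet>")
    return buf.getvalue()


if __name__ == "__main__":
    print(protection_map(sample_zip()))
    print(protection_map(OLE_MAGIC + b"\x00" * 504))  # constructed OLE stub
```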
2. Why structural protection removal is not §1201 circumvention
DMCA §1201(a)(1)(A) prohibits circumventing "a technological measure that effectively controls access to a work." The statute defines "effectively controls access" in §1201(a)(3)(B): a measure effectively controls access to a work if it, "in the ordinary course of its operation, requires the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work."
Sheet protection and workbook structure protection do not gate access to the work. The cells, formulas, and content are visible to any user the moment the file is opened. The protection only blocks certain editing commands in the UI. There is nothing to "gain access to" — access is already granted. Multiple legal commentators (e.g., Aaron Perzanowski, Jonathan Bailey at Plagiarism Today, EFF analyses of the Chamberlain v. Skylink line of cases) treat editorial markup that does not gate access as outside the scope of §1201.
File-open passwords, by contrast, sit squarely inside §1201's definition: in the ordinary course of operation, the application of the password is required to gain access to the work. Removing it without the password is the textbook scenario the statute targets.
We are aware that the §1201(a)(2)(B) anti-trafficking provisions — which prohibit distributing tools "primarily designed for the purpose of circumventing" — could in principle reach our tool if a court took a maximalist view. We've published this position so a regulator, a competitor, or a user can see exactly where we draw the line. The structural-only scope is intentional, not accidental.
3. The third bucket — VBA project passwords
VBA (Visual Basic for Applications) projects embedded in .xlsm / .xltm files can carry their own "Lock project for viewing" password. Like sheet protection, this is a non-encrypting hash check: the macro source code is stored in plain compressed P-code inside xl/vbaProject.bin, and the password just makes the Visual Basic Editor refuse to display the source. Removing the password byte sequence from the OLE compound stream is, in our reading, the same kind of editorial-markup edit as sheet protection removal.
We are working on shipping a VBA-tier unlock in a future release. Until then, our tool detects the presence of a VBA password and surfaces it in the protection map but does not modify the VBA stream. Users who need VBA unlock today can use Straxx Excel Password Remover (free open-source add-in) or hex-edit the DPB header (tutorial linked from our forgot-password decision tree).
4. Required user attestation
DMCA §1201 protects copyright owners. Even when a tool isn't doing circumvention, the user might be doing something else illegal — modifying a file they have no right to modify, exfiltrating data from a former employer, redistributing copyrighted content. We can't legally vet every upload, so we require a one-checkbox attestation in the hero of our unlock page before any upload happens:
I confirm I own this file or have explicit permission from the owner. I understand this tool only removes structural protection (sheet / workbook / VBA project) — it does not break file-open AES passwords.
The attestation is hero-prominent (not buried in a footer) on purpose. Industry convention is to hide it; we surface it because the affirmative click sets the legal expectation up front. Users who can't make that statement honestly are not the users we want.
5. International equivalents
The U.S. DMCA §1201 is the most cited anti-circumvention statute, but most jurisdictions have analogous provisions. We've cross-checked our position against the major ones:
- EU Directive 2001/29/EC Article 6 (InfoSoc Directive) — same access-control framework. Our reading: structural-only protection removal is outside Article 6's scope for the same access-vs-editorial distinction. GDPR governs the upload data; we delete files within 1 hour and do not log content.
- UK Copyright, Designs and Patents Act 1988 §296ZA — UK-specific access-control circumvention rule. Same reasoning applies; structural protection isn't the "effective technological measure" the statute contemplates.
- Australia Copyright Act 1968 §10(1) — defines "technological protection measure" identically to U.S. DMCA. Same conclusion.
- China Copyright Law (2020 revision) — Article 49 covers "technological measures". Equivalent access-control vs editorial-markup distinction.
6. Why this matters for users (and competitors)
If you've landed here from a competitor's page that promised to "recover any Excel password" — read carefully what they're actually offering. The fast-and-free part is sheet protection removal (which is what we do, free, no signup). The slow-and-paid part is file-open password brute force, which lives in DMCA §1201 territory and which most reputable services (LostMyPass, Password-Find) gate behind explicit license terms acknowledging the legal risk.
We chose to be explicit about the line. If you have a structural protection problem, our tool is free, works in 200-1500 ms, and never asks for your email. If you have a file-open password problem, we'll tell you so up front and route you to a service that's transparent about what they're doing — see the forgot-password decision tree.
7. Disclaimer
This document is our legal posture and reasoning, not legal advice. We are not your lawyer; reading this does not create an attorney-client relationship. If you're in a high-stakes situation (e.g., recovering data from a former employer's file under disputed ownership, or modifying a file under a non-disclosure agreement), consult counsel for your jurisdiction before using any password-removal tool, ours or anyone else's.
We update this position as caselaw evolves. Substantive changes will be dated and announced on the page header.