Disappointing: Apple The Latest To Abuse DMCA 1201 To Try To Stifle Competition, Security Research, Jailbreaking And More
from the come-on-guys dept
Back in August, Apple kicked off an already questionable lawsuit against Corellium, makers of virtualization software that would let users create and interact with "virtual" iOS devices. It is a useful tool for a variety of reasons, including (importantly) for security researchers trying to hunt down bugs on a virtual iPhone. Over the last few months, security researchers in particular have been raising the alarm about this lawsuit. Then, just before the New Year, Apple made things much, much worse with its amended complaint, which takes Section 1201 of the DMCA to new and even more ridiculous heights.
As Corellium's CEO Amanda Gorton noted in an open letter, this appeared to be Apple using copyright law to completely shut down the idea of jailbreaking:
Apple’s latest filing against Corellium should give all security researchers, app developers, and jailbreakers reason to be concerned. The filing asserts that because Corellium “allows users to jailbreak” and “gave one or more Persons access… to develop software that can be used to jailbreak,” Corellium is “engaging in trafficking” in violation of the DMCA. In other words, Apple is asserting that anyone who provides a tool that allows other people to jailbreak, and anyone who assists in creating such a tool, is violating the DMCA. Apple underscores this position by calling the unc0ver jailbreak tool “unlawful” and stating that it is “designed to circumvent [the] same technological measures” as Corellium.
Apple is using this case as a trial balloon in a new angle to crack down on jailbreaking. Apple has made it clear that it does not intend to limit this attack to Corellium: it is seeking to set a precedent to eliminate public jailbreaks.
We are deeply disappointed by Apple’s persistent demonization of jailbreaking. Across the industry, developers and researchers rely on jailbreaks to test the security of both their own apps and third-party apps – testing which cannot be done without a jailbroken device. For example, a recent analysis of the ToTok app revealed that an Apple-approved chat app was being used as a spying tool by the government of the United Arab Emirates, and according to the researchers behind this analysis, this work would not have been possible without a jailbreak.
You really should read the Apple filing directly. It is not subtle in what it is seeking to argue. It claims that any virtualization of its software is copyright infringement, and that any attempt to jailbreak its software violates Section 1201 of the DMCA, which is the anti-circumvention or "digital locks" part of the DMCA. We've long found 1201 to be incredibly problematic in general, and believe it should be dumped entirely as it has served to regularly prevent perfectly legal uses that might create competition. Here, however, Apple is taking the argument much, much further, and suggesting that because some security researchers might use the product for bad reasons, that alone proves that Corellium's offering is not done in good faith.
A key argument is that because security researchers using Corellium don't always report bugs directly to Apple, that proves Corellium is a bad actor. This is a huge stretch and would be a very dangerous interpretation of the law.
Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple’s software, Corellium’s true goal is profiting off its blatant infringement. Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder. Indeed, Corellium’s largest customer admits that it has never reported any bugs to Apple.
Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher. Not only does Apple publicly credit researchers for reporting vulnerabilities, it has created several programs to facilitate such research activity so that potential security flaws can be identified and corrected. Apple’s programs include providing as much as $1 million per report through “bug bounty” programs in accordance with the provisions of those programs. Apple has also announced that it will provide custom versions of the iPhone to legitimate security researchers to allow them to conduct research on Apple devices and software. These efforts recognize the critical role that members of the security research community play in Apple’s efforts to ensure its devices contain the most secure software and systems available.
The purpose of this lawsuit is not to encumber good-faith security research, but to bring an end to Corellium’s unlawful commercialization of Apple’s valuable copyrighted works. Accordingly, Apple respectfully seeks an injunction, along with the other remedies described below, to stop Corellium’s acts of naked copyright infringement.
Before we get into the legal issues, just note carefully what Apple is arguing in the above three paragraphs. It is saying, in effect, that the only "good-faith security research" is that done in accordance with Apple's concept of what is good-faith research. That should worry everyone. While it is true that Apple is rather accommodating of many security researchers, allowing the company to determine what qualifies as good security research practices for its own products, with significant legal liability associated with falling on the wrong side, should scare everyone. Even if Apple is a good steward of the research community, tons of other companies are not. And such a precedent would be hugely problematic.
As for the specifics of the lawsuit, Apple seems particularly perturbed that Corellium advertises its products to security researchers to hunt down bugs.
In August 2019, Corellium specifically emphasized, at the international cybersecurity Black Hat USA Conference, that the Corellium Apple Product is an exact copy of Apple’s copyrighted works, designed specifically to allow researchers and hackers to research and test their vulnerabilities, by “run[ning] real iOS – with real bugs that have real exploits.” In other words, the Corellium Apple Product is designed to find and exploit flaws in iOS. And Corellium’s Apple Product does so by, among other things, enabling its users to circumvent the technological protection measures that are designed to limit where and how Apple’s copyrighted works can be used.
Relatedly, it is clear that Apple considers the process of jailbreaking itself to violate copyright laws, which is bullshit.
On April 1, 2019, Corellium again highlighted the unlawful ends to which its product is aimed by publicly acknowledging that it had given access to its platform to the developers of code used to jailbreak iOS devices called “unc0ver,” so the developers could test the jailbreaking code “on any device running any firmware” and distribute that code to the public. Within weeks, those developers released a new version of unc0ver that allowed jailbreaking of iOS 12. In other words, Corellium has admitted not only that its product is designed to circumvent technological protection measures Apple puts in place to prevent access
A decade ago, Apple had also tried to make the argument that jailbreaking your iPhone was copyright infringement, and partly as a result, the Library of Congress made it clear that jailbreaking mobile devices was not infringing under 1201. Indeed, the Library of Congress triennial exemptions still contain jailbreaking phones. But... part of the issue is that the exemptions only cover you jailbreaking your own device, and not a 3rd party company offering a service or software to do it for you.
The details of the 1201 claims here are important. Kyle Wiens, over at iFixit, has a really good breakdown of many of the issues. But Apple's claims seem incredibly weak here:
The Copyright Act prohibits trafficking in products that are used to modify iOS and circumvent technological controls that protect copyrighted works. These “anti-trafficking” provisions, 17 U.S.C. § 1201(a)(2) and (b), make it unlawful for any person to “manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof” that is primarily designed, produced, or marketed for the purpose of circumventing technological measures that either effectively control access to a copyrighted work (section 1201(a)(2)), or that protect the exclusive rights of a copyright owner (section 1201(b)).
But it's not at all clear how offering a virtualization product that allows for jailbreaking is "primarily designed... for the purpose of circumventing technological measures." It's primarily designed as a tool for security researchers. As Kyle points out, if Apple gets its way, that's bad news for lots of other products as well:
Apple is arguing that no one else should be able to make tooling for performing security research on their products. What happens if other companies start making the same claims?
This isn’t academic. Last year, GM sued aftermarket parts company Dorman for “overriding the security measures used in [GM]’s vehicle control modules” in their transmission repair tool. Dorman’s aftermarket transmissions moved the firmware from an existing transmission into their aftermarket part, so that it would be recognized by the vehicle and work.
John Deere has also been aggressively locking down their products, aiming to monopolize service and prevent farmers from doing repairs themselves. They opposed a DMCA exemption for farmers on the grounds that if owners could fix their own equipment, they might use their newfound freedom to pirate Taylor Swift’s music on their tractors.
As he notes, Apple understands all of this and should know better.
Meanwhile, Matt Tait highlights that a separate, but equally problematic part of the lawsuit is the fact that Apple seems to be suggesting that the only acceptable security research is that done under Apple's approval. That's also worrying -- not because Apple is particularly bad in how it engages with security researchers (as noted above, the opposite is true). What's worrying is the precedent this would set for others, both about the nature of security work and how the DMCA 1201 might be further abused to shut down competition, ancillary markets, security research and more. It's a head-on attack on the concept of property rights and ownership, abusing the DMCA. It's an incredibly disappointing move from Apple, a company that should know better.