Part Of Apple's Abuse Of The DMCA Against Corellium Thrown Out... But Part Of It Lives On
from the not-great dept
Almost exactly a year ago, we wrote about a very troubling case in which Apple sued Corellium, arguing that it was copyright infringement for the company to create a virtualization tool to let users create and interact with virtual iOS devices. As we noted, virtualization is a useful tool for a wide variety of issues, including security researchers and app developers. A key part of Apple's lawsuit was that this virtualization violated Section 1201 of the DMCA. As we've explained for years, DMCA 1201 is the "anti-circumvention" part of the DMCA, and has been widely abused to try to stop perfectly legitimate activity that has nothing to do with copyright infringement. DMCA 1201 is a bad law and honestly we'd be better to just toss the whole thing in the garbage.
Apple's lawsuit against Corellium is a perfect example of why. One key thing that came out in the lawsuit is that Apple first tried to buy Corellium, and only filed the lawsuit after talks fell through, which certainly gives it the appearance of extra vindictiveness. Right before New Years a judge ruled on the summary judgment motions from both sides and tossed out some claims, but let others move forward. Unfortunately, reporters who apparently are unable to actually read through a full opinion, reported it (incorrectly) as Apple "losing" the case:
The reality is, unfortunately, not so clean. The court did toss out some copyright claims by ruling (correctly!) that Corellium's use is covered by fair use. But it also allowed the 1201 anti-circumvention claims to move forward -- and that's incredibly dangerous. Let's cover the dangerous parts first (which is the opposite of what the court did). The key issue is whether or not Corellium circumvents Apple's authentication server. Corellium argued both that it did not circumvent Apple's technological protection measures and that, even if it did, it was fair use. Unfortunately, the court (citing some other questionable decisions) says that there is no fair use defense to 1201 violations.
Here, if the Court were to adopt Corellium’s position that fair use is a defense to Apple’s DMCA claim, that would effectively render section 1201 meaningless. “A venerable canon makes clear that an interpreter must, if possible, give effect to every word and phrase in a statute.” Darrisaw v. Pennsylvania Higher Educ. Assistance Agency, 949 F.3d 1302, 1306 (11th Cir. 2020) (citation). “[Courts] cannot adopt an interpretation that would render a term meaningless . . . .” Id. (citation omitted, italics in original). Thus, the Court finds that the better reading is that adopted by the Corley court. Therefore, Corellium may make fair use of iOS, but it is not absolved of potential liability for allegedly employing circumvention tools to unlawfully access iOS or elements of iOS. As noted earlier, this result may seem to undercut section 107’s fair use. However, in passing the DMCA, Congress adopted a “balanced” approach to accommodate both piracy and fair use concerns. Corley, 273 F.3d at 444 n.13. “The balance embodied in a federal law is not something this court can disturb, absent a Constitutional violation not at issue here.” Realnetworks, Inc., 641 F. Supp. 2d at 943. The Court, therefore, rejects Corellium’s fair use defense in the context of the DMCA.
The main case the court is citing here, the infamous Corley case is the shitty gift that keeps on giving us shit for security researchers. That was the case in which Eric Corley, the publisher of 2600, was found to have violated the DMCA for daring to publish the code for DeCSS, a simple program that decrypted the lame DRM on DVDs, as well as linking to other sites that had posted the code. This was something of an early protest against DRM, in which tons of people posted the DeCSS code widely to highlight how it was a free speech issue. While the court did (helpfully!) recognize the computer code was protected by the 1st Amendment, it also said that it could separate out the expressive part of the code and the functional part -- and that the functional part could violate 1201. Even worse, it effectively said, as this new ruling says, that you can't use fair use to get out of a 1201 claim.
That's bad and should be another nail in the coffin for 1201 itself. When 1201 was passed as part of the DMCA, we were told, repeatedly, that it was necessary to protect copyright covered works -- but it has been expanded and abused time and time again as a tool against competition. And wholly lopping off fair use as a defense only makes that worse -- as is the case here.
Given the court, citing Corley, saying that there's no real fair use defense to a 1201 claim, it says that there are issues of material facts to resolve, meaning that the case can't be decided on summary judgment, and needs to go to trial. This will put tremendous pressure of Corellium to settle, as the costs of a trial are massive (and the risk that a jury rules against them is also a concern). This is very bad news, and despite the headlines claiming that Apple won, I'm sure Apple lawyers are quite pleased with this result.
It's also a reason why we should be screaming louder about having Congress get rid of 1201 entirely to stop this kind of anti-competitive behavior.
As for the fair use claims related to the underlying copyright issues, that's good to see, but it also demonstrates what a mockery of copyright law 1201 has become that it allows this case to continue despite the fair use ruling for the main copyright claims. It shows, yet again, that 1201 is not about copyright, but about blocking competition.
However, for completeness, let's review the fair use ruling. The court does the traditional four factors test, starting with a look at whether or not the Corellium product is transformative, and finds it is, citing the important ruling that found Google's book search to be transformative:
Here, like Google’s search and snippet functions, the Corellium Product makes available significant information about iOS. A user can see running processes, halt execution of the virtual device, amend the kernel, look at lists of files, clone snapshots, among other things––giving great introspection into aspects of iOS and its operation on iOS devices. These tools are useful to security research and testing. The product creates a new, virtual platform for iOS and adds capabilities not available on Apple’s iOS devices. See Sony Comput. Entm’t, Inc. v. Connectix Corp., 203 F.3d 596, 599, 606 (9th Cir. 2000) (finding fair use where defendant made intermediate copies of defendant’s copyrighted software program and, by reverse engineering, created defendant’s own software program which emulated the functioning of plaintiff’s game console so users could play plaintiff’s games on their computer as opposed to on the console; the court found that the alleged infringing work was “modestly transformative” because it (1) created a new platform or environment in which consumers could play games designed for plaintiff’s product, and (2) notwithstanding the similarity of uses and functions between the copyrighted and secondary work, defendant’s program was “a wholly new product”).
The fact that even Apple concedes that Corellium is targeting its product at the security market cements the transformative nature of the product:
Here, there is evidence in the record to support Corellium’s position that its product is intended for security research and, as Apple concedes, can be used for security research. Further, Apple itself would have used the product for internal testing had it successfully acquired the company. Both Corellium’s CEO and its VP of Sales have testified to the use cases for the Corellium Product for which they fielded inquiries. These inquiries pertain to, for example, application security testing and operating system security testing. Apple has presented no evidence to raise a genuine issue of material fact on this point. Apple points to the testimony of Corellium’s reseller. In the quoted portion of the transcript, the deponent merely speculates––stating he “believe[s]” (not “knows”)––that Corellium wanted to “sell their product to whoever was interested in acquiring it.” (Azimuth Dep. 102:25-103:3.) The deponent offers no facts that contradict evidence presented by Corellium regarding the use of the Corellium Product for security research.
Therefore, the Court finds that the Corellium Product serves a transformative purpose.
The court basically punts on the 2nd factor (the nature of the work), despite noting that courts have found only limited ability to protect software with copyright, and says that the 2nd fair use factor basically never matters in the larger analysis, and thus it's not even worth bothering.
The 3rd factor, on the size and significance of the copying, the court again sides with Corellium, again citing the Google books case, noting that the key factor here is not the absolute amount used, but whether or not the use goes beyond what is "proportional and necessary" for the use. So while it may seem that Corellium uses a lot of iOS in its product, it does not do so in a disproportionate way.
Corellium’s copying, modifying, and using of iOS is reasonable in relation to the purpose of the copying. The testimony is that the Corellium Product is intended to create a virtual environment in which users can, for instance, examine, test, and research iOS or portions of iOS code. To be an efficient and effective research environment that accurately reflects the operation of iOS on Apple’s devices, the Corellium Product necessarily utilizes iOS. In line with this purpose, the Corellium Product excludes or does not virtualize the full functionality of features available on iOS devices, like Face ID, Touch ID, baseband, camera, the App Store, and so on. Users of the Corellium Product cannot make calls or send text messages, which can be done on an iPhone.
[....]
Upon reviewing the evidence, the Court finds that Corellium’s use of iOS (in terms of quantity, quality, and importance) is proportional and necessary to achieve Corellium’s transformative purpose. Therefore, this third factor weighs in favor of finding fair use.
Then there's the final factor, the effect on the market. Generally speaking, the fair use determination is made based on some combination of the 1st factor (and whether the use is transformative) and the 4th factor on the impact on the market. And this one is an easy win for Corellium as well:
The Court does not find any significant market impact on iOS. Thus, this fourth factor also favors a finding of fair use.
No one's buying Corellium as a replacement for iOS.
The court adds on a 5th factor: good faith. While fair use law requires courts to look at the named four factors, it is explicit that courts are not limited to adding other factors in making a decision (which, in theory, gives more leeway to courts). The good faith one is an interesting one, and apparently it was raised by Apple, not Corellium. While part of this is redacted, the judge is clearly not impressed:
Apple’s position is puzzling, if not disingenuous.
Not a good sign. And, thus it's not a surprise that the court then says on the underlying copyright claims, Corellium gets the easy fair use win, and those claims are tossed.
Of course, that just makes the 1201 claims that much more of a travesty. The big concern that many of us have raised for decades regarding 1201 is that it is used to stop competition for reasons having nothing to do with copyright. And this case and this ruling just puts a giant exclamation point on that: the use of iOS is clearly protected by fair use. Yet the case gets to move forward on 1201 grounds, because it's not clear that fair use can even be applied to 1201 claims.
1201 has always harmed the security community the most, and the fact that this case is moving forward just drives that point home.
It's also ridiculous that at a time when we have all of these people out there arguing about antitrust claims and Section 230 as a way to hold back anti-competitive behavior by large tech companies, no one seems interested in revisiting laws like DMCA 1201 that are a huge part of the problem.
Filed Under: anti-circumvention, copyright, dmca, dmca 1201, fair use, ios, security research, virtualization
Companies: apple, corellium