By Pamela C. Maloney, J.D.
A company that developed a virtual product designed to test Apple’s iOS for vulnerabilities successfully asserted the fair use defense against infringement claims, but fell short of defeating DMCA antitrafficking claims.
The fair use defense protected a company that developed a commercial product that allowed users to create and interact with virtual devices by loading firmware for operating systems like iOS, Android, and Linux, from infringement claims brought by Apple, a federal district court in Ft. Lauderdale, Florida, ruled, granting the company’s motion for summary judgment. However, the fair use defense did not apply to Apple’s Digital Millennium Copyright Act claim, and numerous questions of fact militated against granting either party’s motion for summary judgment on Apple’s antitrafficking claims under the DMCA (Apple Inc. v. Corellium, LLC, December 29, 2020, Smith, R.).
Apple designs and manufactures mobile communication devices, personal computers, and media devices, and it also sells a variety of related software, services, accessories, and third-party digital content and applications. It developed iOS as the mobile operating system (OS) for certain devices like the iPhone and made the OS publicly available online for free download from Apple’s servers as part of a packaged file. Around 2016 or 2017, Apple removed encryption from the kernel, which is the core of the operating system that has complete control over all system resources. In addition, Apple provided a number of security measures to protect its devices as well as customers’ experience. In 2017, Corellium developed a commercial product (the Corellium Product) that allowed users to create and interact with virtual devices by loading firmware, including files for OS like iOS, Android, and Linux. According to Corellium’s founders, the Corellium Product was developed with the primary intent of facilitating security testing, research, and development by allowing researchers to examine aspects of iOS code for vulnerabilities. The Corellium Product, which has a relatively limited functionality, did not virtualize the Apple App Store, and users could not make phone calls or use the camera, among other things. Apple and Corellium engaged in acquisition talks beginning in January 2018, during which Apple employees informed Corellium that it needed a license to utilize iOS in connection with the Corellium Product. The potential deal fell apart when the parties could not agree on a price.
About one year after the acquisition efforts ended, Apple filed a lawsuit against Corellium, alleging that the latter had infringed Apple’s copyrights in iOS and circumvented its security measures in violation of the Digital Millennium Copyright Act (DMCA). Corellium moved for summary judgment, arguing that (1) the Corellium Product contained no copyrighted Apple code; (2) the fair use doctrine made any use of protectable elements of Apple’s work permissible; (3) Apple misused its copyright; (4) Apple should be estopped from asserting a copyright claim against Corellium; (5) Apple could not show that Corellium infringed any of the 17 copyrights at issue; and (6) the Corellium Product did not violate the DMCA. Apple moved for partial summary judgment on the DMCA issue, arguing that Corellium violated the antitrafficking provisions of the Act.
Transformative purpose. The evidence established that the Corellium Product was not merely a repackaged version of iOS. Instead, Corellium made several changes to iOS and incorporated its own code to create a product that served a transformative purpose. Specifically, the Corellium Product made available significant information about iOS that allowed users to see and halt running processes, halt execution of the virtual device, amend the kernel, look at lists of files, clone snapshots, among other things, all of which provided great introspection into aspects of iOS and its operation on iOS devices that was useful in conducting security research and testing. The product also created a new, virtual platform for iOS and added capabilities not available on Apple’s iOS devices. Furthermore, the Corellium Product added significant features that were not available on Apple’s devices running iOS. Finally, Corellium was not a direct competitor with Apple in the iOS device market. The fact that the Corellium product could be used for purposes other than security research and that Corellium was willing to sell it to anyone did not negate the transformative nature of the product.
Commercial or nonprofit educational purpose. The district court rejected Apple’s argument that because the Corellium product was sold commercially for significant amounts, the court was compelled to find in Apple’s favor. Given the transformative nature of the product and considering the public benefit derived from it, Corellium’s profit motivation did not undermine the fair use defense.
Size and significance of copied material. Apple further contended that Corellium could not assert the fair use defense because it took too much of the copyrighted work by extracting, copying, publicly displaying, and modifying the entire IPSW files for iOS. However, there was no categorical rule that the copying of the entire copyrighted work could not be considered fair use. According to the district court, Corellium’s copying, modifying, and using of iOS was reasonable in relation to its purpose. The evidence showed that the Corellium Product was intended to create a virtual environment in which users could examine, test, and research iOS or portions of iOS code. To be an efficient and effective research environment that accurately reflected the operation of iOS on Apple’s devices, the Corellium Product necessarily utilized all of the IPSW files for iOS. Furthermore, in line with this purpose, the Corellium Product excluded, or did not virtualize, the full functionality of features available on iOS devices, like Face ID, Touch ID, baseband, camera, and the App Store, and users of the Corellium Product could not make calls or send text messages, which can be done on an iPhone. Based on the evidence, Corellium’s use of iOS in terms of quantity, quality, and importance was both proportionate and necessary to achieve the company’s transformative purpose and, therefore, weighed in favor of a finding of fair use, the district court concluded.
Effect on value of original work. Apple’s argument that Corellium marketed its product as an alternative to an iPhone and listed Apple’s iOS Simulator as a direct competitor did not undermine the fair use defense because there was no evidence that the Corellium Product affected Apple’s market or the market value for iOS. Nor did Apple’s claim that the Corellium Product would compete with Apple’s own security research device program negate the fair use defense. The relevant question was whether the Corellium Product impacted the market for the copyrighted work itself and whether Apple could expand into the security research or virtualization market. Although a copyright holder could always assert some degree of adverse effect on its potential licensing revenues as a result of a secondary use of its work, copyright law did not confer a monopoly over all markets related to a protected work.
Good faith and fair dealing. The district court also rejected Apple’s argument that Corellium’s conduct was improper because the company dealt with bad actors and did not require users to report bugs to Apple. The evidence showed that Corellium had a vetting process in place and that the company had withheld the product from purchasers it suspected would use the product for "nefarious purposes." The district court also noted that Apple itself did not impose a reporting requirement on users under its own Bug Bounty Program.
DMCA claim. According to Apple, Corellium violated the DMCA by circumventing the following iOS security measures: authentication server validation check, secure boot chain, Buddy program, and trust cache. Corellium countered, claiming that the IPSW files were left unencrypted, unprotected, unlocked, and out in the open for the public to access, copy, edit, distribute, perform, and display. Corellium also argued that it was entitled to a fair use defense, as well as defenses under sections 1201(f), (g), and (j) of the DMCA, which provide exemptions for reverse engineering and security testing and encryption research.
Acknowledging that tension existed between DMCA’s antitrafficking provisions and the Copyright Act’s fair use defense, the district court relied on a number of federal court decisions in concluding that fair use was not a blanket defense to DMCA’s circumvention provisions, adding that to adopt Corellium’s position that fair use was a defense to the DMCA claim would render the antitrafficking provisions meaningless. Thus, although Corellium could make fair use of iOS, the company was not absolved from potential liability for allegedly employing circumvention tools to unlawfully access iOS or elements of iOS.
The district court found that several issues of material fact precluded summary judgment on the DMCA claim, including: (1) whether Apple had copyrights in all of iOS or only portions of it; and (2) what was the nature of Apple’s technological measures and how did those measures apply to the IPSW files and, by extension, to the elements of iOS in those files. In addition, Corellium asserted a number of statutory defenses to the DMCA claim raising factual questions that precluded summary judgment.
This case is No. 9:19-cv-81160-RS.
Attorneys: Emily Louise Pincow (Lash & Goldberg LLP) for Apple Inc. Thomas Lee Hunker (Cole, Scott & Kissane, P.A.) for Corellium, LLC.
Companies: Apple Inc.; Corellium, LLC