Apple v. Corellium Demonstrates a Clear Example of Fair Use



By John Bergmayer
February 16, 2022

Public Knowledge has been tracking the lawsuit by Apple against Corellium for a while. Corellium is a company that offers various services for software developers and security researchers. Some of these involve creating virtual iPhones for testing and research purposes, which involves making copies of Apple’s iOS software. Apple sued, arguing that Corellium violated both the “anticircumvention” provisions of the Digital Millennium Copyright Act (DMCA), by simply accessing iOS, and substantive copyright law, by making new copies of it.

The judge ruled that Corellium did not violate copyright law by making new copies of iOS, finding that, given the circumstances, even making a complete copy of Apple’s operating system could be a fair use. He also found that, nevertheless, accessing iOS could still violate the DMCA. This stood as a clear example of how the DMCA can interfere with valuable lawful uses. Apple appealed the fair use ruling.

Today, Public Knowledge, joined by the Electronic Frontier Foundation and expert security researchers, filed an amicus brief with the Eleventh Circuit Court of Appeals. The brief argues that Corellium’s copying of iOS was, in fact, a fair use.

One of the arguments is worth pulling out because it is a bit counterintuitive. One of the factors that judges look to when determining whether something is a fair use is “[t]he effect of the use upon the potential market for, or value of, the copyrighted work.” But this is largely intended to ensure that judges consider whether an alleged fair use merely substitutes for the original. Particularly when the uses are critical in nature, it does not mean that uses of a copyrighted work that are commercially harmful to the market for the original are less likely to be considered fair.

This has been very clearly established with parodies and critical commentary. You don’t need permission from an author to review her book, including whatever quotations are appropriate for the use. The review might be devastating, totally killing any demand for the work. But this is still a paradigmatic fair use. (The only relevant “market” to consider from a fair use perspective is any market for licensing quotations from books in order to savage them. This market does not exist for obvious reasons, so there is not even a relevant effect on the market to consider at all.)

A similar logic is why song parodies that make fun of the original songwriter are more likely to be considered fair uses. Fair use balances freedom of expression with copyright, and allows for uses of copyrighted material that the rightsholder does not like and would not license.

Our brief demonstrates how security research should be viewed in the same way. Security researchers discover flaws in software that can put users’ privacy or safety at risk. While software companies have an incentive to deliver secure software, their relationship with outside security researchers is often adversarial — a security researcher might want to widely publicize a certain flaw, for instance, to incentivize the company to fix it, to raise awareness among users and companies about vulnerabilities, or to share knowledge that could help other researchers detect similar flaws. A company may want any flaws to be kept secret until a fix is already widely deployed — but while this might be good for a company’s image or bottom line, it might not be good for user security.

It’s not just companies, either — as part of what appears to be a vendetta against a particular newspaper, Missouri Governor Mike Parson has threatened to criminally prosecute a journalist who pointed out how a state website was leaking private information of state employees. (Before the governor decided to make his statements, state government employees were more appropriately planning to thank the journalist.) These kinds of bizarre and unfounded legal threats against computer security professionals are not new, and copyright law should be no part of it.

It is this dynamic that makes it important that rightsholders not be able to impede security research with copyright claims. Copyright law does not allow rightsholders to silence or control critical uses. Fair use, among other things, protects the First Amendment rights of researchers (and critics) while still protecting the legitimate interests of rightsholders. In this case, it’s not just that fair use balances copyright and free expression — it also promotes the Constitutional purpose of copyright itself, “to promote the progress of science and useful arts.” Ensuring the security and reliability of software does that a lot more than a system where you need to first get permission from a company before pointing out that its products are flawed.

There’s quite a bit more in our brief, and of course the DMCA issue is still floating out there. But as so much of our lives is dependent on or mediated by computers and software, we hope the court recognizes that copyright law does not allow rightsholders to control or prevent criticism.  


