Corellium notches partial victory in Apple iOS copyright case

By | December 30, 2020
Just some of the iDevice types that Corellium didn't break one law—but may still have broken another—by emulating.
Enlarge / Just some of the iDevice types that Corellium didn’t break one law—but may still have broken another—by emulating.

Security firm Corellium, which develops software that researchers can use to analyze Apple products, has been handed a partial victory in Apple’s lawsuit against it, as a judge ruled that its creation of virtual iOS environments does not violate Apple’s copyrights.

Corellium has since 2017 been creating iOS environments that can run on desktop computers, for use as a research and development tool. Apple sued Corellium in 2019, alleging, “Corellium’s true goal is profiting off its blatant infringement” of iOS, and claiming that the firm “encourages its users to sell any discovered information [about system vulnerabilities] on the open market to the highest bidder.”

Earlier this year, Apple amended the suit to include allegations that Corellium’s work violated the Digital Millennium Copyright Act’s (DMCA) prohibition circumventing or breaking DRM.

US District Judge Rodney Smith for the US District Court for Southern Florida yesterday issued his ruling (PDF) in the case, denying Apple’s motion for summary judgement, and granting part, but not all, of Corellium’s motion for same, finding that Corellium’s actions were fair use but “issues of material facts” still exist.

Granted in part

Smith found for Corellium on the matter of the copyright claim, determining that Corellium was not simply cloning iOS as a means of competing with Apple, but instead was genuinely using Apple’s work as the basis of creating something new.

“Corellium makes several changes to iOS and incorporates its own code to create a product that serves a transformative purpose,” Smith wrote. “Hence, Corellium’s profit motivation does not undermine its fair use defense, particularly considering the public benefit of the product.”

Apple also alleged that Corellium’s behavior “has been entirely improper” and that the company has not acted in good faith. Smith, however, wrote that “Apple’s position is puzzling, if not disingenuous,” as Corellium has a vetting process for clients and “has exercised discretion to withhold the Corellium product from those it suspects may use the product for nefarious purposes.

In short, the court “does not find a lack of good faith and fair dealing” on Corellium’s part, Smith ruled, and “further, weighing all the necessary factors, the Court finds that Corellium has met its burden of fair use.”

Denied in part

Apple’s second claim, that Corellium circumvented its DRM unlawfully under section 1201 of the DMCA, is trickier to handle.

Under Section 1201, creating any kind of end-run around “a technological measure that effectively controls access to a work” is itself unlawful—even if you have a really good reason, such as research or repair, for doing so. Apple, as you would assume, has several technological measures through which it protects iOS.

There are, however, some enumerated exemptions from Section 1201. Every three years the US Copyright Office reviews the list, and can choose to add new exemptions. In 2015, for example, it became legal for researchers to hack voting machines and medical devices in controlled environments for purposes of good-faith security research.

There are Section 1201 exemptions for smartphones, but they are limited specifically to jailbreaking, for software interoperability reasons, and for unlocking devices to move between carrier networks.

Even though Smith found Corellium was engaging in fair use as far as the copyright claim, he rejected the fair use argument as far as the 1201 claim goes. “Here, if the court were to adopt Corellium’s position that fair use is a defense to Apple’s DMCA claim, that would effectively render Section 1201 meaningless,” Smith wrote. “Therefore, Corellium may make fair use of iOS, but it is not absolved of potential liability for allegedly employing circumvention tools to unlawfully access iOS or elements of iOS.”

The legal proceedings related to the Section 1201 claim, therefore, will continue into the new year.