Clinic Supports Independent Cybersecurity Research, Files Brief in Apple v. Corellium

Cyberlaw Clinic » Blog 2022-02-23

On February 16, 2022, the Cyberlaw Clinic filed an amicus brief in the United States Court of Appeals for the Eleventh Circuit in support of Corellium, LLC.  The Clinic filed this brief on behalf of the Electronic Frontier Foundation–a non-profit civil liberties organization dedicated to digital privacy, free speech, and innovation–along with Public Knowledge and several cybersecurity researchers.  The brief supports Corellium in seeking an affirmance of the United States District Court for the Southern District of Florida’s opinion that found Corellium’s software to be a fair use of Apple’s iOS.  Signatories to the brief included independent computer security researchers, the Electronic Frontier Foundation, and Public Knowledge, a non-profit public interest organization that defends consumer rights online.

At issue in the case is Corellium’s commercial software product that creates virtualized machine models of iPhones by copying Apple’s iOS and running it in a tailored environment. The purpose of the software is to enable computer security researchers to examine the iPhone’s operating system for flaws and vulnerabilities that hackers might exploit.  Corellium’s product does not enable the user to make calls or use the camera, so it does not serve as a replacement for an iPhone that consumers would want to buy.  Initially, Apple expressed interest in acquiring Corellium.  After the deal fell apart, however, Apple filed suit in August 2019 alleging copyright infringement and violations of the DMCA.  Apple also asked the court to consider Corellium’s allegedly improper conduct by dealing with bad actors and not requiring users to report the bugs they find to Apple.

The District Court granted summary judgment to Corellium on the copyright infringement claim, holding that its product constitutes a permissible fair use of Apple’s iOS. The Court analyzed the Corellium product in light of the four fair use factors and found that its product constitutes a transformative use of Apple’s iOS software.  It does not merely copy and repackage Apple’s product, but “creates a new, virtual platform for iOS and adds capabilities not available on Apple’s iOS devices,” and it does not harm Apple’s market for iPhones because the Corellium product cannot be used as a phone. The Court rejected Apple’s argument that Corellium behaves badly by not requiring researchers to report the bugs they find to Apple. It found Apple’s argument “puzzling,” since Apple does not require this under its own Bug Bounty Program. Apple seeks a reversal of the District Court’s decision, arguing that Corellium’s product is “flagrant copyright infringement.”

The Cyberlaw Clinic’s amicus brief supports the District Court’s finding that Corellium’s product constitutes a permissible fair use of Apple’s software, and argues that good faith and fair dealing should not be part of the fair use analysis.  The brief seeks to highlight to the Court the importance of independent, permissionless computer security research to the public interest. It points out that the phones and devices upon which the public increasingly relies are highly vulnerable to hacking by malicious actors.  For various reasons, software companies are often unwilling or unable to find and repair the bugs in their own products. Hence, independent security researchers perform a service vital to the public good by identifying and disclosing the flaws in our devices’ software before they can be exploited by others.

The brief also points out the irrelevance of good faith and fair dealing to the fair use analysis in this case.  Apple is concerned that Corellium’s product will be put to malicious ends by enabling researchers to find and exploit bugs in its software more easily. Amici point out that this concern, which Corellium shares, is directed not at Corellium itself, but at possible users of its product. As there is no doctrine of “secondary bad faith,” the potentially illicit use of its software by third parties is irrelevant to the fair use analysis.

This brief was authored by Fall 2021 Cyberlaw Clinic students Karen Gover and Sibo Wang, collaborating closely with HLS Clinical Instructors Alejandra Caraballo and Mason Kortz. The Clinic looks forward to the Eleventh Circuit’s decision in this case.

Read the brief here.