Corellium’s Bite of Apple’s iOS for Security Research Is Fair Use but DMCA Claims Loom
Corellium, LLC won a partial victory in its defense against Apple Inc.’s copyright infringement lawsuit in the Southern District of Florida. The court granted Corellium’s motion to dismiss Apple’s copyright claim on summary judgment. In doing so, the court held that Corellium’s creation of virtualized iOS devices for security research products was fair use under Section 107 of the Copyright Act.
In determining whether Corellium’s use of iOS constituted fair use, the court evaluated the four factors laid out in Section 107: (1) the purpose and character of the use; (2) the nature of the copyrighted work; (3) the size and significance of the portion of the copyrighted work copied; and (4) the effect of infringing use on the potential market for or value of the original.
First, the court held that Corellium’s use of iOS was transformative under the first factor, favoring a finding of fair use, reasoning that “the Corellium Product is not merely a repackaged version of iOS—this time in a virtual environment as opposed to an iPhone.” Instead, Corellium incorporated its own code to create a security product with a transformative purpose, drawing comparisons to Authors Guild v. Google, Inc., in which Google’s use of snippets of scanned books was also deemed transformative. 804 F.3d 202 (2d Cir. 2015).
Second, the court breezed over the nature of the copyrighted work, noting Apple’s failure to address Corellium’s arguments and citing Authors Guild for the proposition that the second factor “has rarely played a significant role in the determination of a fair use dispute.” Id. at 220.
Next, the court found that Corellium’s copying of iOS was in proportion to its purpose of providing security research products. In evaluating this factor the court noted that Corellium’s virtualized iOS didn’t include core features most users would recognize on their iOS devices, such as Face ID, the camera, or the ability to make calls. Instead, “Corellium’s use of iOS (in terms of quantity, quality, and importance) [was] proportional and necessary to achieve Corellium’s transformative purpose.”
Finally, the court rejected Apple’s argument that Corellium’s products displaced Apple’s market to license iOS devices to security researchers. Specifically, the court explained that Apple failed to address the truly relevant question under the fourth factor: whether Corellium’s products affect the market for iOS itself, not the market for security research products. As such the fourth factor, like the rest, favored a finding of fair use.
Although the fair use ruling will help Corellium breathe a sigh of relief, an open question remains as to whether Corellium’s fair use victory is a hollow one because the court did not dismiss Apple’s claim that Corellium circumvented Apple’s own security measures to protect iOS code in violation of the Digital Millenium Copyright Act (DMCA). Citing precedent from the Federal Circuit recognizing a “tension between the use of such access control measures and fair use,” and pointing to the legislative history of the DMCA that culminated in the balance struck between the two by Congress, Chamberlain Grp., Inc. v. Skylink Techs., Inc., 381 F.3d 1178, 1196-97 (Fed. Cir. 2004), the court permitted the DMCA claims to move forward.
A successful fair use defense may not mean much to Corellium if it is unable to virtualize iOS without being liable for damages or subjected to an injunction, both of which are remedies available under the DMCA. Alternatively, one can speculate that a modest damages verdict may strike a balance wherein the Corelliums of the world can exist profitably but must pay a “DMCA fee” as the cost of doing business.
The case is Apple Inc. v. Corellium, LLC., 9:19-cv-81160-RS (S.D. Fla. Dec. 29, 2020).