fbpx
December 27, 2024

Federal Appeals Court Gets It: Fair Use Protects Security Research Tools

Federal Appeals Court Gets It: Fair Use Protects Security Research Tools

In a refreshingly direct opinion, the Eleventh Circuit Court of Appeals has ruled that creating and selling virtualization software for security research is a fair use. Along the way, it provides a kind of master class in applying copyright’s fair use doctrine to functional works like computer programs.

Here’s how the case came about: Corellium, the defendant, created a software platform that simulates an iPhone, allowing developers and researchers to test Apple’s iOS operating system for vulnerabilities without having to get permission from Apple or pay for the privilege of finding flaws in the system. Corellium’s platform lets researchers peer closely into the workings of iOS in ways that can’t be done on an actual iPhone. Apple sued for copyright infringement, and lost in district court on fair use grounds. Apple appealed. EFF, along with Public Knowledge and a number of security experts, filed an amicus brief supporting Corellium.  We explained that the public can’t protect itself from security flaws if independent testers aren’t allowed to find them—or if Apple gets to control who can do research.

The court begins by calling out the purpose of copyright: the “utilitarian goal” of stimulating the production of new works. This is a necessary rebuke to ongoing efforts to frame copyright’s limited but lengthy monopoly as a kind of natural right or reward. After all, the Constitution defines copyright’s purpose as promoting progress. Fair use serves this purpose by giving follow-on creators the ability to build on what has come before.

Turning to the merits, the court concludes that while Corellium’s use is clearly commercial, it is also (moderately) transformative because it adds features that are designed to serve the needs of researchers, rather than consumers. Apple had argued that Corellium might integrate consumer-oriented features down the line; the court rightly declined to speculate about these hypothetical facts. The court also rejected Apple’s complaint that security research wasn’t the only use of Corellium’s software, noting that that the purpose of a use may overlap at least partially with that of the original creator, as long as the work has some new and different purpose.

As with most software-related cases, the court finds that iOS is primarily functional and therefore the scope of fair use should be broader. No surprises there, especially after the Supreme Court’s Google v Oracle decision.

The court also finds, in keeping with virtually every fair use case of the past four decades, that extensive copyright is permitted where it is necessary to serve the transformative purpose. What’s interesting here is the court’s rejection of Apple argument that Corellium included portions of iOS that some individual researchers may not need, i.e., some of its creative elements. The court holds that Corellium can’t know in advance which parts a given customer might want to study or where their research might lead, so it only makes sense to provide a modified copy of the whole thing.  

The court goes on: “fair use doesn’t require inventors to follow the least efficient solution or engage in wasted efforts simply to avoid liability.”

Amen. Score another point for Corellium and everyone else who depends on fair use protections to build general purpose tools.

Finally, the court again returns to first principles to assess whether Corellium’s software might cause harm to Apple’s market for iOS or the derivative market for security products, such that it would.” Specifically, it asks whether Corellium’s software might cause “substantial economic harm” that might “materially impair Apple’s incentive to innovate.” In other words, the court ties the fair use analysis to copyright’s overriding purpose: encouraging new creativity to the benefit of the general public. Minor or hypothetical market harms aren’t enough. If the incentive to create is not impaired, this part of the analysis should favor fair use. 

And it does so here. As to iOS, the court easily concludes that Corellium poses no threat. As to the second, the court concluded that Apple does not hold a monopoly over transformative tools that help researchers better understand its products. Put another way, there may be a market for derivative security tools, but that is not a market Apple gets to control through copyright.

On balance, this is a great opinion that will be widely cited in future cases, as fair use continues to stand as a bulwark against copyright creep in the digital age. 


Published May 10, 2023 at 06:47PM
Read more on eff.org

%d bloggers like this: