Day two of Fair Use Week opens with UVA’s Brandon Butler tackling critical takeaways from the recent case addressing fair use & software in Apple Inc. v. Corellium, LLC, Case No. 19-81160-CIV-SMITH, 2020 U.S. Dist. LEXIS 249945 (S.D. Fla. Dec. 29, 2020) – Kyle K. Courtney

Apple v. Corellium: Some Early Takeaways for Software Fair Use

by Brandon Butler

What uses of software are fair? What uses are transformative – the category of use that courts most consistently find to be fair? The question is increasingly urgent for libraries, archives, and museums, as we already live in a world where most information (from government archives to fine art) is stored in digital formats that can’t be read without the right software. In addition, software itself is also an artifact and a source of information that researchers want to consult and explore. Fair use is a key tool in library digital stewardship, but fair use’s application to software is rarely, if ever, litigated.

That’s why the opinion last December in Apple v. Corellium is so interesting, even though it’s (so far) just one district court judge’s take, and not binding precedent on anyone else. In a field with so few entries, any judicial opinion is likely to be read with interest by other courts and would-be litigants.

The other reason the opinion is so interesting is that in some ways, Corellium resembles the kind of emulation technology that libraries and archives can use to run old software on servers and make it available to end-users over the internet. The basic contours of Corellium’s fair use argument are essentially the same as the ones that justify software preservation and reuse in the library and archives context—in a phrase, that our service is a transformative use (in the fair use sense) that serves copyright’s purpose of increasing access to information without displacing the copyright holder’s reasonable or traditional market.

First, some background. You can find a pretty good summary of the lawsuit in this somewhat misleadingly-headlined story in The Washington Post. (The headline, “Apple loses copyright battle…” is misleading because Apple hasn’t really lost, yet; they lost on fair use, but as I’ll explain below, Apple may still win on their remaining DMCA claim). The very short version is that Corellium provides developers and security researchers with a platform that lets them run and explore Apple’s iOS software in a server environment, which has advantages over trying to run and manipulate the software on an iOS device (an iPhone or an iPad). After failing to acquire Corellium, Apple filed a lawsuit claiming that Corellium infringed the copyright in iOS by loading the software into its platform, and later, added a DMCA claim, alleging that Corellium’s platform circumvented technical protection measures for its users, and therefore Corellium was “trafficking” in circumventing technology. We’ll get to the second claim later, but first let’s look at some key takeaways from Judge Smith’s opinion on fair use.

Takeaway 1: Research is a transformative purpose, and add-on features help bolster your case.

Judge Smith holds that Corellium’s use is transformative – it serves a different function than iOS, and it adds value and information in the process. That’s important, because transformative uses almost always win on fair use (and non-transformative ones lose more than they win). Judge Smith cites a few key facts that lead him to this conclusion, but most important seems to be that Corellium does not “merely repackage” iOS in a new platform. Instead, it “makes several changes to iOS and incorporates its own code to create a product that serves a transformative purpose.” Judge Smith calls out several things users can do with the Corellium platform that “make available significant information about iOS”:

“(1) see and halt running processes; (2) modify the kernel; (3) use CoreTrace, a tool to view system calls; (4) use an app browser and a file browser; and (5) take live snapshots.”

Because these features serve security research, Corellium’s avowed transformative purpose, and are not available in stock iOS, they help show that Corellium’s platform is transformative – it does something different and new.

Judge Smith returns to these features, and the ways that they allow the user to learn new things about the software, over and over again. Libraries and archives interested in making software available for research purposes (and the technical experts building the tools to support this) should strongly consider adding features like Corellium’s to facilitate deeper engagement with the software.

Takeaway 2: A few bad apples don’t spoil the fair use bunch.

Apple argued that because some Corellium users might not be engaged in bona fide security research, the tool shouldn’t be considered transformative. Judge Smith rejected this argument, saying that the record showed Corellium’s intended use was for security research, and the possibility that it may not always be used for that purpose does not undermine the finding of fair use. This reasoning would be handy for libraries who have to contend with the notion that not all library users would consult software (especially games or art) for purely research purposes.

Takeaway 3: Software is a weird hybrid of functional and creative work, but that doesn’t make the second fair use factor any more important.

The second fair use factor — the nature of the work — has become kind of a vestigial organ. Courts go through a kind of rote recitation that use of more factual works is favored while use of more creative works can be less favored, but many important fair uses involve creative works…. and blah blah blah. Given this mushy mess, courts are increasingly comfortable saying explicitly that this factor doesn’t really matter in the final calculus. The Corellium opinion takes judicial indifference to the second factor to a new level. Judge Smith does lay out arguments from Apple and Corellium, and acknowledges that software is a kind of hybrid of functional and creative work – iOS is fundamentally a tool, but it has aesthetic and creative aspects, etc.. But he concludes by quoting Judge Leval in the Google Books case saying that the second factor rarely matters, and then… he just moves on, without even expressing an opinion on how the factor should be weighed in this case!

Takeaway 4: Consider turning off features that aren’t useful for research (but might be commercially competitive)

In considering whether the amount of iOS used in the Corellium product is appropriate, Judge Smith considers how much is needed for the transformative purpose of security research. Downloading and copying all of iOS as part of the installation process is reasonable, he says, but he also notes approvingly the features of iOS that are *not* ultimately made available to Corellium users. Face ID, Touch ID, baseband, camera, and the App Store are some examples of iOS features not available to Corellium users. Corellium users also can’t make calls or send messages.

Arguably, most library and archival software uses will face less scrutiny on this point, as they will not involve software that is still commercially available. The prospect of providing a commercial substitute for the original should be much less threatening in that case. Still, it might strengthen the fair use argument to think about the ways research access to software does not offer the full range of services available to an ordinary consumer. For example, when providing access to software titles used to create files, such as word processing, design, or music production software, consider limiting the ability to save or export those creations.

Takeaway 5: Software copyright does not convey a monopoly on research platforms

One of Apple’s attacks on Corellium was that their platform unfairly competes with an iOS security research offering that Apple itself is developing and plans to release in the future. Judge Smith quickly dismisses this argument, saying Apple cannot use its copyright over iOS to create a monopoly over the separate market for security research. The same logic would apply to a variety of uses in cultural heritage institutions, who could argue that copyright does not confer a monopoly on the preservation and research tools and services they offer.

Takeaway 6: Reasonable vetting of users helps prove good faith.

Apple’s final argument was that Corellium should not benefit from fair use because it does not act in “good faith” (a factor not in the fair use statute, and arguably not relevant to it, but frequently invoked nonetheless). The primary basis for this claim is that users of Corellium’s products could be bad actors – they could discover bugs in iOS and, rather than reporting them to Apple, they could sell them to malicious hackers. Judge Smith rejects this argument, pointing out that in fact Corellium does do some vetting of potential users, rejecting those it suspects could be interested in malicious uses. Cultural heritage institutions might similarly consider whether, in some cases, potential users could be screened to help ensure their purposes are bona fide. This vetting doesn’t need to be perfect – as mentioned in Takeaway 2, Judge Smith acknowledges that any tool is capable of misuse, and a tool or service can still be legitimate and transformative even if some users may not behave as the creator intended.

Takeaway 7: The DMCA can still screw everything up.

Since its passage in 1998, the most glaring failure of the Digital Millennium Copyright Act (from a user perspective) is the way it seems to undermine the balance in copyright. This case is another example of the law’s glaring failure on that score. Briefly, the DMCA created a new right for copyright holders – a right against the circumvention of technological protection measures. In other words, when copyright holders use digital locks (encryption, authentication servers, etc.) to block access to copyrighted works, the DMCA gives them a right to sue anyone who breaks those locks. While this issue is not settled, Judge Smith sides with the courts who have found that the DMCA bars breaking digital locks *even if the ultimate use of the work is legitimate fair use*. It is as if the law gave someone a right to fence off sections of any public park, and to sue anyone who took down the fence, even though the public has the right to access the land inside.

Here, Apple has implemented a series of digital protections that prevent installation of iOS on non-Apple hardware, which they say Corellium circumvents as part of adding iOS to its research platform. Notably, Apple claims that Corellium not only engages in circumvention itself, but also that they “trafficked” in circumventing technology by providing their platform to users. This is important because another major flaw in the DMCA is that although it does include statutory exemptions for users (and it empowers the Librarian of Congress to create new ones every three years), there are no exemptions from the prohibition on trafficking in circumvention tools. So, while Corellium’s users arguably qualify for the exemptions related to security research, if Corellium itself is found to be trafficking in circumvention tools, there is no exemption or defense to protect them.

Judge Smith doesn’t rule on the DMCA claim in this opinion. He says there are genuine issues of material fact that need to be determined first, so the case will move forward with further fact-finding and a trial. But the startling takeaway, here, is that despite the headlines, Corellium is still very much in danger of losing this case, even though its platform is perfectly legitimate fair use. Libraries, archives, and museums have secured exemptions for preservation (and are working on a modified exemption that would enable broader access), so they can take some comfort in that. However, if the court finds that Corellium’s use is “trafficking,” then exemptions will not help. Given the prevalence of digital rights management in software, this result could chill a substantial body of legitimate fair uses.

Brandon Butler is Director of Information Policy at University of Virginia.  There he focuses on intellectual property, copyright, licensing and user privacy as they are related to the acquisition, dissemination and preservation of various forms of information and cultural artifacts, and as they are related to scholarly communication. He serves as an expert consultant to UVA librarians, to groups and individuals within the University, and to national and international efforts focused on relevant questions. He was previously a Practitioner-in-Residence at the Glushko-Samuelson Intellectual Property Law Clinic at American University’s Washington College of Law. Before that, Brandon was Director of Public Policy Initiatives at ARL from 2009 to 2013.