Apple

Apple Loses Copyright Battle Against Security Startup Corellium (washingtonpost.com) 84

krakman writes: Corellium, a security research firm sued by Apple, has won a major legal victory against the iPhone maker. In a ruling that has wide-reaching implications for iPhone security research and copyright law, a federal judge in Florida threw out Apple's claims that Corellium had violated copyright law with its software, which helps security researchers find bugs and security holes on Apple's products. Corellium, co-founded in 2017 by husband and wife Amanda Gorton and Chris Wade, was a breakthrough in security research because it gave its customers the ability to run "virtual" iPhones on desktop computers. Corellium's software makes it unnecessary to use physical iPhones that contain specialized software to poke and prod iOS, Apple's mobile operating system. The judge in the case ruled that Corellium's creation of virtual iPhones was not a copyright violation, in part because it was designed to help improve the security for all iPhone users. Corellium wasn't creating a competing product for consumers. Rather, it was a research tool for a comparatively small number of customers.
  • by Sebby ( 238625 ) on Wednesday December 30, 2020 @12:37AM (#60877898)

    Apple initially attempted to acquire Corellium in 2018, according to court records. When the acquisition talks stalled, Apple sued Corellium last year, claiming its virtual iPhones, which contain only the bare-bones functions necessary for security research, constitute a violation of copyright law.

    When bully doesn't get what he wants, bully picks a fight.

    And now bully lost.

    • par for course (Score:5, Insightful)

      by Gravis Zero ( 934156 ) on Wednesday December 30, 2020 @12:56AM (#60877924)

      When bully doesn't get what he wants, bully picks a fight.

      This is par for the course. Corporations make threats (even when no legal action can be taken) and they sue when they think they can defeat a perceived enemy either in court or through attrition (a long legal battle that is too expensive).

      You need to remember that publicly traded corporations are sociopathic entities, composed of individuals that are willing to go a little further than their predecessors for their particular job. Legal department will crush you in a legal battle, marketing department puts out propaganda, executives screw all the workers. Everyone has a part and nobody claims responsibility, even invoking the "just doing my job" akin to those who were "just following orders".

      • by oblom ( 105 )

        Funny you should mention sociopathy. It's not just corporations though. Legal bullying is a common tactic with small "entrepreneurs" as well.

        • Look at patent trolls. They're essentially small legal firms whose whole business model is bullying people into paying. It's no different to a protection racket.
        • Legal bullying is a common tactic with small "entrepreneurs" as well.

          Those would be actual, not effective sociopaths.

      • Except they failed to crush or bully this little startup company
      • by twdorris ( 29395 )

        You need to remember that publicly traded corporations are sociopathic entities

        You misspelled psychopathic. Sociopaths are considered to have at least some empathy and sense of conscience.

        • They are both described as having a significantly decreased (or no) capacity for empathy. The distinction between them was thought to be merely specious rather than clinical so they were thus merged into AntiSocial Personality Disorder in the DSM 5. Sociopathy and psychopathy are now considered terms to be on par with "maniac" and "lunatic". I used it purely because society takes much longer to catch up with terminology for accurately describing mental illness.

      • Agreed. Executive Vice Presidents are actually five times more likely to be sociopaths than members of the general public.

        What's interesting is the Federal/State US government and their willingness to push at basic freedoms at various points in history. If you study constitutional law eventually this pattern emerges of certain issues being poked at again and again with unlimited time and taxpayer money. They, along with Corporations, can just engage in endless battles of attrition.

        This copyright claim is

    • Seems like it only lost on the premise of the suit, rather than for not-being-wronged. If the case had been against the smaller company for revealing trade secrets, seems like it could stand a decent chance.
  • Would they go after a company that HELPS them improve security, or maybe it's that Apple doesn't want them found due to a bad history of being slow to fix problems?
  • They should sue to have their legal fees covered because this was bullshit from start to finish and Apple knew it the entire time. Large corporations like this mostly prevail using the legal system as a weapon, not to make a fair argument but to drain their opponent of resources.

    • by oblom ( 105 )

      You don't always get the fees paid even when you win. Not a straightforward process in US.

  • Doesn't make sense (Score:2, Interesting)

    by the_B0fh ( 208483 )
    Eh...  So, if I'm not targeting your entire market but just a small segment "for security" then it is ok?  In other words, if I created a version of Tesla's driving/navigation system "for security testing", I can sell that service without paying Tesla?
    • by Cyberax ( 705495 )

      I can sell that service without paying Tesla?

      If you indeed sell it to security researchers in a way that does not cause competition with Tesla, then I don't see why not.

      • by MrL0G1C ( 867445 )

        /Devil's advocate

        Because that's not what copyright laws says?

        I'm surprised this didn't go Apple's way. I expect Apple will appeal because they don't want anybody to copy their code for any reason without paying them, also when they decide they want copies made.

        Any copyright lawyers here? I got the impression the law in America doesn't care whether the copyright infringer is making money, a lot of casual personal use copiers have been sued.

        I hate law, judges just make shit up as they go along, known as 'pre

        • by Cyberax ( 705495 )

          Because that's not what copyright laws says?

          The US copyright laws have "fair use" provisions that are specifically designed for these kinds of uses, that are in public benefit.

        • by esme ( 17526 ) on Wednesday December 30, 2020 @08:26AM (#60878446) Homepage

          Any copyright lawyers here? I got the impression the law in America doesn't care whether the copyright infringer is making money, a lot of casual personal use copiers have been sued.

          The win here was a finding that Corellium's use was a fair use and one of the four factors [stanford.edu] for that finding is what impact the copying has on the market. I'm not a lawyer, but I work in a library, and the impact of copying on the market is absolutely an important factor for us every time we consider whether it's OK for us to scan an in-copyright book for one of our patrons. The same goes for Corellium, if they are not having a significant impact on Apple's iPhone sales, then that supports the finding that their use is a fair use.

          -esmé

          • Usually "fair use" is not commercial in nature.  Are you telling me Corellium is not selling a commercial service?
            • Not true: news, education/research, parody are the leading uses of fair use, and most have a 'commercial interest' in the copyrighted content. The key is that the "fair use" is sufficiently transformative so that it no longer competes in the same market as the original. Example: As long as Weird Al makes his parodies 'weird' enough, he can claim that they are only marketed to persons looking for parodies, not the original, and thus the owners of the original song cannot claim damages.
              • Fair use is limited in nature.  You cannot take a whole Disney movie, encapsulate it into another movie, and call it fair use.
            • Which part of the difference between giving away a copy or selling a service, do you not grasp?
              Corellium is not giving away copyrighted material, hence it is not infringing copyright.

              Commercial or not has absolutely nothing to do with it, it only changes the punishment if there is indeed damage to the copyright owner. And here the judge ruled: Apple has no damage from Corellium.

              • So, you selling a service that runs on top of Windows in AWS means you don't have to pay for Microsoft Windows licenses?
                • Most likely not.
                  That is included in the AWS fees.

                  Or do you really think MS makes me a bill for AWS usage plus a second bill for Windows licensing?

                  • Most likely not. That is included in the AWS fees.

                    The question isn't how the fees are collected. The question is whether Microsoft gets paid.

                    https://aws.amazon.com/windows... [amazon.com]

                    Or do you really think MS makes me a bill for AWS usage plus a second bill for windows licencing?

                    Whether you pay AWS for the Windows license or your bring your own license is irrelevant.

                    I can't believe there are people this ignorant in IT.

                    • AWS is a service.
                      I order a windows based service or a linux based one.
                      I order it from Amazon

                      I pay what they bill me, or take another service, like Telekom in Germany, 1&1, or Azure from MS.

                      I do not know and I do not care how they come to the end price and if there is a license cost included or not, because that is completely irrelevant. And its also completely irrelevant for the topic.

                      And: I'm not working in IT, I'm a mere software developer.

                    • AWS is able to provide that service because AWS paid Microsoft for a Windows license for that instance that you are running. Just like AWS paid Apple for a license for the instance of macOS you are running in a macOS virtual machine.

                      Corellium pays Apple zero dollars for that. I cannot believe a software developer can be this willfully ignorant about licensing requirements.

                    • I'm very well aware of this.

                      You are simply a pedantic idiot.

                      You asked me if *I* would pay for an ms license, and *I* said: no. I pay a bill, and licensing is not included.

                      And that was clear from my answers before ...
                      And again: this has nothing to do with the topic.

                    • That is exactly the point. There's a license involved for using Windows, regardless of how it is paid - at the end of the day, you are paying for a license to use, and Microsoft gets paid, regardless of how many or how few middlemen there are between you and Microsoft.

                      With Corellium, you are not paying for a license to use iOS. Apple isn't getting paid. You keep trying to define the problem in such a way that you can ignore it, but this is the exact issue.

                    • Because they are not running a copy of iOS.
                      Can't be so hard to grasp.

                      No, that is not the issue. If it was, the court would have ruled according to it. Seriously, why argue about stuff which is already clear from the headline, let alone the summary?

                    • Because they are not running a copy of iOS.

                      Are you kidding me?! If they are not running iOS, then what fucking use is it for a researcher to use Corellium to search for security issues in iOS?

                    • As far as I understood it, they research the attack surface of the Apps of their clients ...

                    • You really love commenting without understanding the issues don't you?
                    • I do not need to "understand any issue".

                      I followed the news, and agree with the court.

                      You do not agree. That is your point/right, I do not care.

            • Fair use actually extensively covers (fair) commercial use of copyrighted material.
              One of the points in the litmus test is even a commercial example.
  • I hate new Apple, down from the bottom of my heart, almost as much as I hate corporations, but I'm not sure if I can jump on this one bandwagon. Recreating a virtual iPhone, even for the purpose of catching security holes and improving the product, is still infringing on the copyright. Now if they actually purchased physical iPhones and ran a firmware O/S underlying iOS and trapped security issues, that would be a different story.
    • by jonwil ( 467024 )

      I don't know how this particular tool works but on the surface it sounds like its an emulator. Where exactly is the copyright infringement?
      Are these guys distributing Apple copyrighted software?

      • by lsllll ( 830002 )
        If it's truly an emulator, and they achieved writing it without looking at any specifications from Apple, i.e. via reverse-engineering code the way the IBM BIOS came undone in the early 80s, then I'm with you. But something tells me they did not go the route of clean-room disassembly.
      • > Are these guys distributing Apple copyrighted software?

        Yes. They are arguing that it's fair for them to sell unauthorized copies of Apple's iOS because they are selling iOS to different people than the market Apple primarily targets.

        • by dnaumov ( 453672 )

          > Are these guys distributing Apple copyrighted software?

          Yes. They are arguing that it's fair for them to sell unauthorized copies of Apple's iOS because they are selling iOS to different people than the market Apple primarily targets.

          This decision will absolutely be overturned. You can't sell something you don't own and they neither own iOS, nor own a license to sell or otherwise distribute iOS. It's a pretty obvious copyright infringement.

        • No, they are not _selling_copies_ .

    • MUH CORPERATIONS!!
    • by Ichijo ( 607641 )

      Remember, the purpose of copyright is to prevent others from profiting from your work at your expense. So if the emulator doesn't deny Apple any income, it might fall under fair use.

      • That's not a good definition of its purpose. If that were the case, a product that finds flaws in your product could be considered to be "profiting from your work at your expense."

        • No, that is profiting from one's negligence

          (real or perceived by the consumers). So it's not at their "expense".

          • OK, how about doing a review of it? For this purpose, a positive review of features and its security .. wouldn't that be profiting off it?

            • by Ichijo ( 607641 )

              Would it deprive the copyright holder of any revenue?

              • It's possible. For example, if you google the product name and my review comes up as the first link .. now I've made it extra work to find and buy the product .. maybe the person would get bored reading my long ass review and forget about purchasing it. Additionally, the review may state that certain features can be found in similar but cheaper competing software (that I get a commission on for selling). Also, I'm not buying that "negligence" is any feature that a user isn't happy with and that it negates "

            • #notsureif I understand...
  • Incorrect Summary (Score:5, Informative)

    by mveloso ( 325617 ) on Wednesday December 30, 2020 @01:21AM (#60877956)

    The WaPo paints this as a loss, but it's not. The judge ruled against a summary judgment. He:

    * said it was fair use
    * did not rule on the DMCA aspects

    This isn't even round 1 of a long fight.

    https://www.courthousenews.com... [courthousenews.com]

    • Re:Incorrect Summary (Score:4, Informative)

      by fred911 ( 83970 ) on Wednesday December 30, 2020 @04:03AM (#60878142) Journal

      ''This isn't even round 1 of a long fight.''

      Exactly. The question one has to ask is, how have they defended themselves up to this point. The closest income data I could find was this. ''Current estimates show this company has an annual revenue of 50780 and employs a staff of approximately 3.'' https://www.manta.com/c/mhq7rg... [manta.com]

      Looks like mom and pop decided to tell the gorilla to fuck off. Apparently the gorilla no likey.

      ''Reed Albergotti, at The Washington Post:

      Apple initially attempted to acquire Corellium in 2018, according to court records. When the acquisition talks stalled, Apple sued Corellium last year, claiming its virtual iPhones, which contain only the bare-bones functions necessary for security research, constitute a violation of copyright law. Apple also alleged Corellium circumvented Apple's security measures to create the software, thereby violating the Digital Millennium Copyright Act. That claim has not been thrown out.'' https://daringfireball.net/ [daringfireball.net]

  • Apple doesnt have the right to stop people from using iOS without paying? What?
    • Corellium is a Virtual Machine/Emulator.

      There is no law which prevents someone from writing an emulator or Virtual Machine that emulates some other piece of hardware.

      If there are any Copyright issues, those issues lie against the party making the copy of the software that is run inside the emulator/virtual machine and not against the author of the emulator/vm software.

      For example, if someone, lets say "VMWare" writes some software that "emulates" a PC in a VM, and someone buys that "VMWare" product and runs

      • > If there are any Copyright issues, those issues lie against the party making the copy of the software that is run inside the emulator/virtual machine

        That would be Corellium.

        They are arguing that it's fair for them to sell unauthorized copies of Apple's software because they are selling to different purchasers than Apple sells to.

        • by fred911 ( 83970 )

          ''They are arguing''

          Why yes they are. Mom and Pop stood up and made a defense against a 10 foot gorilla that has all the money and lawyers in the world, in Federal court where a loss for them has a real price to pay. It appears that they made a values judgement over a monetary judgement. And that takes balls. Especially after refusing to sell their product to the gorilla. They've not won anything but a battle, gorilla has too many resources [regardless of the merit of either case].

          They made an argument, a

        • But they are not selling copies to anyone ...

            • They're renting it, at 50 cents/hour or $20/month, which amounts to the same thing.

            • No, it is not.

              As they do not ship a copy to the customer.

              Every library is "renting" books for a token fee, without that being considered a copy.

              • You do know that libraries BUY each and every copy they have, right?

                • Yes.
                  And you do know that the company renting the test environments out did buy the iOS versions it is renting out, right?
                  And most importantly: those "instances" do not even leave the house.

                  • Really. Do you happen to have the URL where one can buy a virtualization-ready copy of iOS?

                    That would be interesting, because Apple told the court that they don't sell such a thing.

                    • Download XCode, a "virtualized iOS" is included.
                      That would be interesting, because Apple told the court that they don't sell such a thing.
                      Did they? That is strange. I have about 5 ...

                    • You seem to be referring to Simulator.

                      Guess why it's called Simulator and not virtual machine, or iOS?
                      I'll give you three guesses, and the last two don't count.

                      Off the top of my head, I can think of half a dozen iOS APIs that aren't present in Simulator.

            • No, what they are doing commercially isn't what is at issue.
              The basis of Apple's claim is that the license for iOS does not allow them to use it in an emulator, and that they cannot possibly be providing the service they provide without copying iOS in an unauthorized fashion.

              They could be providing access to a hacked iPhone for all it matters- the claim would be the same.

              Apple is abusing the spirit of copyright law. They have been for a long time. It's not just them, it's a cancer within the industry.
        • They are arguing that it's fair for them to sell unauthorized copies of Apple's software because they are selling to different purchasers than Apple sells to.

          Not quite.
          They are arguing that it's fair for them to make unauthorized copies of Apple's software into a hardware emulator that a third-party user has access to.
          It's already a stretch that copyright includes acts such as "copying our software from your disk to your RAM", which is essentially the basis of Apple's complaint.

          It's good for everyone if this is the beginning of the end of that horseshit interpretation of copyright.

  • In case you'd like to read the actual ruling, from the Judge, in original PDF form, you can find it here.
  • The Technical Aspect (Score:4, Informative)

    by ytene ( 4376651 ) on Wednesday December 30, 2020 @06:35AM (#60878306)
    I just posted a link to the Court's ruling [see previous post] and here, in the order, you can find the details relevant to the ruling.

    The court finds that Apple makes OS update files available via servers. It also finds that it is possible to download update files without first having to agree to any terms and conditions. The court notes that many of these files [for example portions that contain code not proprietary to Apple] are not encrypted.

    From this ruling, see part B (IPSW Files), part C (Apple's Technical Control Measures) and Part D (The Corellium Product, which goes into considerable detail to describe the way that the Corellium offering basically emulates the hardware environment of an iOS device so that Apple downloaded files will "pass" the validation checksums they perform and therefore run). These are relevant in the context of this case, since Apple are essentially asserting that Corellium's software contrives to give the "false impression" that the software is running on Apple hardware. The specific code in iOS which performs these checksums is an implementation designed to validate the DMCA... and through this Apple are claiming that the Corellium product is designed to circumvent DMCA protections. The ruling determines that it is not possible to establish this as a matter of summary judgment, but will require a trial.

    One of the key statements in the ruling is: "While Apple’s legal department did not formally discuss copyright violations with Corellium, there is a dispute as to whether, and to what extent, Corellium was told by Apple employees that Corellium needed a license to utilize iOS in connection with the Corellium Product. (Wade Dep. 276:4-15, 278:1-5; Federighi Dep. 42:9-44:8, 115:12-14, 128:2-9, 132:8-133:4.)"

    This rather hints that Apple initially saw this as a licensing issue, not a copyright violation. Such a position remains broadly in line with the view Apple have taken when 3rd parties have produced Mac clones (see e.g. "Hackintosh" [hackintosh.com]).

    It is interesting to note that Corellium are offering the "fair use" doctrine [enshrined in the Copyright Act] as their defence against Apple's claim. The ruling quotes Section 107 of the Copyright Act, which states the following:-

    "[T]he fair use of a copyrighted work, including such use by reproduction in copies . . . for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include

    (1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
    (2) the nature of the copyrighted work;
    (3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole [my emphasis]; and
    (4) the effect of the use upon the potential market for or value of the copyrighted work.
    "

    Take a look at the 3rd element of that quotation. In the case of Corellium, they aren't using a portion of iOS (where I used and quoted a small portion of the ruling to illustrate the observations pertaining to the Copyright Act), rather they are using the entire iOS operating system. That seems a bit of a stretch, even with the most generous interpretation of the Copyright Act that we could form.

    In total, the ruling is 38 pages long, but we might summarize it like this:-

    At the point where Apple allow 3rd parties to download the iOS operating system, or portions thereof [i.e. for the purpose of updating the operating system on an Apple original iOS device [such as an iPod, iPhone or iPad], the user is not required to agree to any EULA or licensing terms, i.e. as a condition of being permitted to receive the download. If
    • That's gonna be interesting. Does the DMCA win, or is this covered by the same logic as being able to use the required strings in your game carts to load your game on a console? Because that's apparently essentially what's going on here.

      • by ytene ( 4376651 )
        Information being made available [as opposed to "established facts", since I'm not sure we're there yet] strongly suggests that Apple's iOS binaries perform various "environmental checks" - they would have to do this at least in part, for example, in order to determine which model of device they are operating on, thereby enabling them to understand things like display resolution, available RAM, etc

        If Apple could point to one or more functions that execute as part of that process which are designed to impl
        • If Apple could point to one or more functions that execute as part of that process which are designed to implement controls that prevent use of the software on un-approved, competitor technology, then Apple will be in a very strong position to argue that the Corellium solution is circumventing exactly the types of safeguard envisaged by the DMCA. There are hints in the Court's order that Corellium's software does exactly that - i.e. it emulates hardware responses. That's the avenue Apple will explore if they wish to push the DMCA argument, and on its face seems pretty weak.

          FTFY. Circumventing runtime access controls for security research purposes is legal [federalregister.gov].

          Integrate the download with a component that is physically present on the iOS device (for example integrated with the Secure Enclave) in a manner that can't readily be replicated in software, and can't legally be replicated anywhere without breaking DMCA law).

          The former is impossible on a general purpose computer. The hardware can always be replicated. If you're referring to a secret key stored within the Secure Enclave, Apple's own design also prevents that. First, because the Secure Enclave refuses to accept an externally generated key, so Apple couldn't load its own publisher key into it without circumventing that (and it may be a hardware limitation), and second because i

      • by ytene ( 4376651 )
        Also, just a point of note... In my first post I included a quote from the order that notes the parties dispute whether or not Apple told Corellium that use of iOS by Corellium would incur a licensing issue. Clearly Corellium have disputed the assertions made by at least two Apple employees, so this would need to be decided at trial.

        That could become crucial. In law there is a principle known as "estoppel", which is basically a legal mechanism to prevent people "going back on their word". See here [wikipedia.org] for a
    • by MobyDisk ( 75490 )

      IANAL.

      This rather hints that Apple initially saw this as a licensing issue, not a copyright violation..

      Copyright is what gives Apple the power to license their product. So there is no "is this licensed" or "is this copyrighted" - it is controlled by copyright, and Apple offers a license in accordance with copyright law. Unfortunately, a few US court cases screwed this up [eff.org] by granting another kind of "licensing" power beyond copyright, and software companies are quick to call upon the resulting confusion. In other cases where licensing was involved [eff.org] beyond copyright, the issue was really about an

      • by ytene ( 4376651 )
        IANALE (Either)...

        Totally agree with your synopsis. It's why I think that Apple *have* to try and go through the motions with this case in order to: make their intent clearer; try and stop the bleeding; give themselves enough time to address this technically.

        I totally expect to see Apple change their software deployment such that you must agree to the EULA before you get the software; and for brand new devices being unlocked by their first user, you have to agree before you can use the device. As you
    • Apple would prefer a ruling on this one, because it's going to take quite a bit of expensive re-engineering to modify iOS to handshake more tightly with the software update servers and to require EULA agreement before a download is commenced. Long term, I'd suspect this is what Apple [and other companies] will do.

      Many companies already do, including Microsoft. If you download a Microsoft Windows update from Microsoft's website, you are prompted to agree to an EULA before the download starts. At least for Windows 7. I don't know what it does for Windows 10 manual downloads, if there even is such a thing. Intel, Adobe, Autodesk, all do this.

    • These are relevant in the context of this case, since Apple are essentially asserting that Corellium's software contrives to give the "false impression" that the software is running on Apple hardware.

      That's a ridiculous argument from Apple. The human user of Corellium's software is not even remotely confused that the software may be running on Apple hardware. They know very exactly that it isn't. That's the whole point. Software that "contrives to give the false impression" to other software that it's running on Apple hardware for research purposes is perfectly legal. The DMCA has a mechanism in it to create explicit exemptions and the Librarian of Congress created the security research exemption i [ftc.gov]

  • Knowing how petty and vindictive Apple is, their next move will probably be to produce their own equivalent of this software to drive Corellium out of business.
