Apple Loses Copyright Battle Against Security Startup Corellium (washingtonpost.com)
krakman writes: Corellium, a security research firm sued by Apple, has won a major legal victory against the iPhone maker. In a ruling that has wide-reaching implications for iPhone security research and copyright law, a federal judge in Florida threw out Apple's claims that Corellium had violated copyright law with its software, which helps security researchers find bugs and security holes on Apple's products. Corellium, co-founded in 2017 by husband and wife Amanda Gorton and Chris Wade, was a breakthrough in security research because it gave its customers the ability to run "virtual" iPhones on desktop computers. Corellium's software makes it unnecessary to use physical iPhones that contain specialized software to poke and prod iOS, Apple's mobile operating system. The judge in the case ruled that Corellium's creation of virtual iPhones was not a copyright violation, in part because it was designed to help improve the security for all iPhone users. Corellium wasn't creating a competing product for consumers. Rather, it was a research tool for a comparatively small number of customers.
Apple plays the bully game (Score:5, Insightful)
Apple initially attempted to acquire Corellium in 2018, according to court records. When the acquisition talks stalled, Apple sued Corellium last year, claiming its virtual iPhones, which contain only the bare-bones functions necessary for security research, constitute a violation of copyright law.
When bully doesn't get what he wants, bully picks a fight.
And now bully lost.
par for course (Score:5, Insightful)
When bully doesn't get what he wants, bully picks a fight.
This is par for course. Corporations make threats (even when no legal action can be taken) and they sue when they think they can defeat a perceived enemy either in court or through attrition (a long legal battle that is too expensive).
You need to remember that publicly traded corporations are sociopathic entities, composed of individuals that are willing to go a little further than their predecessors for their particular job. Legal department will crush you in a legal battle, marketing department puts out propaganda, executives screw all the workers. Everyone has a part and nobody claims responsibility, even invoking the "just doing my job" akin to those who were "just following orders".
Re: (Score:2)
You can't fault them for trying.
Yes, you can.
Every legal department that goes after a gray area copyright claim has evaluated the fair use applicability of the suit.
They did a calculus and decided that they could convince a Judge or Jury that it wasn't fair use, but internally, they already accepted that it may very well be.
Companies have attacked fair use since it came into existence.
As parent said, they're sociopathic entities.
You can blame them for that.
They sued someone that wasn't breaching the spirit of copyright law. They di
Re: (Score:2)
Funny you should mention sociopathy. It's not just corporations though. Legal bullying is a common tactic with small "entrepreneurs" as well.
Re: (Score:2)
Legal bullying is a common tactic with small "entrepreneurs" as well.
Those would be actual, not effective sociopaths.
Re: (Score:2)
You need to remember that publicly traded corporations are sociopathic entities
You misspelled psychopathic. Sociopaths are considered to have at least some empathy and sense of conscience.
Re: (Score:3)
They are both described as having a significantly decreased (or no) capacity for empathy. The distinction between them was thought to be merely specious rather than clinical so they were thus merged into AntiSocial Personality Disorder in the DSM 5. Sociopathy and psychopathy are now considered terms to be on par with "maniac" and "lunatic". I used it purely because society takes much longer to catch up with terminology for accurately describing mental illness.
Re: (Score:1)
Agreed. Executive Vice Presidents are actually five times more likely to be sociopaths than members of the general public.
What's interesting is the Federal/State US government and their willingness to push at basic freedoms at various points in history. If you study constitutional law eventually this pattern emerges of certain issues being poked at again and again with unlimited time and taxpayer money. They, along with Corporations, can just engage in endless battles of attrition.
This copyright claim is
only crApple (Score:1)
Good. (Score:2)
They should sue to have their legal fees covered because this was bullshit from start to finish and Apple knew it the entire time. Large corporations like this mostly prevail using the legal system as a weapon, not to make a fair argument but to drain their opponent of resources.
Re: (Score:2)
You don't always get the fees paid even when you win. Not a straightforward process in US.
Doesn't make sense (Score:2, Interesting)
Re: (Score:3)
I can sell that service without paying Tesla?
If you indeed sell it to security researchers in a way that does not cause competition with Tesla, then I don't see why not.
Re: (Score:3)
/Devil's advocate
Because that's not what copyright law says?
I'm surprised this didn't go Apple's way. I expect Apple will appeal because they don't want anybody to copy their code for any reason without paying them also when they decide they want copies made.
Any copyright lawyers here? I got the impression the law in America doesn't care whether the copyright infringer is making money, a lot of casual personal use copiers have been sued.
I hate law, judges just make shit up as they go along, known as 'pre
Re: (Score:3)
Because that's not what copyright law says?
The US copyright laws have "fair use" provisions that are specifically designed for these kinds of uses, that are in public benefit.
Re:Doesn't make sense (Score:5, Informative)
Any copyright lawyers here? I got the impression the law in America doesn't care whether the copyright infringer is making money, a lot of casual personal use copiers have been sued.
The win here was a finding that Corellium's use was a fair use and one of the four factors [stanford.edu] for that finding is what impact the copying has on the market. I'm not a lawyer, but I work in a library, and the impact of copying on the market is absolutely an important factor for us every time we consider whether it's OK for us to scan an in-copyright book for one of our patrons. The same goes for Corellium, if they are not having a significant impact on Apple's iPhone sales, then that supports the finding that their use is a fair use.
-esmé
Re: (Score:2)
Which part of the difference between giving away a copy or selling a service, do you not grasp?
Corellium is not giving away copyrighted material, hence it is not infringing copyright.
Commercial or not has absolutely nothing to do with it, it only changes the punishment if there is indeed damage to the copyright owner. And here the judge ruled: Apple has no damage from Corellium.
Re: (Score:2)
Most likely not.
That is included in the AWS fees.
Or do you really think MS makes me a bill for AWS usage plus a second bill for windows licencing?
Re: (Score:2)
Most likely not. That is included in the AWS fees.
The question isn't how the fees are collected. The question is whether Microsoft gets paid.
https://aws.amazon.com/windows... [amazon.com]
Or do you really think MS makes me a bill for AWS usage plus a second bill for windows licencing?
Whether you pay AWS for the Windows license or you bring your own license is irrelevant.
I can't believe there are people this ignorant in IT.
Re: (Score:2)
AWS is a service.
I order a windows based service or a linux based one.
I order it from Amazon
I pay what they bill me, or take another service, like Telekom in Germany, 1&1, or Azure from MS.
I do not know and I do not care how they come to the end price and if there is a license cost included or not, because that is completely irrelevant. And it's also completely irrelevant for the topic.
And: I'm not working in IT, I'm a mere software developer.
Re: (Score:2)
Corellium pays Apple zero dollars for that. I cannot believe a software developer can be this willfully ignorant about licensing requirements.
Re: (Score:2)
I'm very well aware of this.
You are simply a pedantic idiot.
You asked me if *I* would pay for an ms license, and *I* said: no. I pay a bill, and licensing is not included.
And that was clear from my answers before ...
And again: this has nothing to do with the topic.
Re: (Score:2)
With Corellium, you are not paying for a license to use iOS. Apple isn't getting paid. You keep trying to define the problem in such a way that you can ignore it, but this is the exact issue.
Re: (Score:2)
Because they are not running a copy of iOS.
Can't be so hard to grasp.
No, that is not the issue. If it was, the court would have ruled according to it. Seriously, why argue about stuff which is already clear from the headline, let alone the summary?
Re: (Score:2)
Because they are not running a copy of iOS.
Are you kidding me?! If they are not running iOS, then what fucking use is it for a researcher to use Corellium to search for security issues in iOS?
Re: (Score:2)
As far as I understood it, they research the attack surface of the Apps of their clients ...
Re: (Score:2)
I do not need to "understand any issue".
I followed the news, and agree with the court.
You do not agree. That is your point/right, I do not care.
Re: (Score:2)
One of the points in the litmus test is even a commercial example.
Not Sure About This One (Score:1, Troll)
Re: (Score:3)
I don't know how this particular tool works but on the surface it sounds like it's an emulator. Where exactly is the copyright infringement?
Are these guys distributing Apple copyrighted software?
Re: (Score:2)
> Are these guys distributing Apple copyrighted software?
Yes. They are arguing that it's fair for them to sell unauthorized copies of Apple's iOS because they are selling iOS to different people than the market Apple primarily targets.
Re: (Score:3)
> Are these guys distributing Apple copyrighted software?
Yes. They are arguing that it's fair for them to sell unauthorized copies of Apple's iOS because they are selling iOS to different people than the market Apple primarily targets.
This decision will absolutely be overturned. You can't sell something you don't own and they neither own iOS, nor own a license to sell or otherwise distribute iOS. It's a pretty obvious copyright infringement.
Re: (Score:2)
No, they are not _selling_copies_ .
Re: (Score:2)
Remember, the purpose of copyright is to prevent others from profiting from your work at your expense. So if the emulator doesn't deny Apple any income, it might fall under fair use.
Re: (Score:2)
That's not a good definition of its purpose. If that were the case, a product that finds flaws in your product could be considered to be "profiting from your work at your expense."
Re: (Score:2)
(real or perceived by the consumers). So it's not at their "expense".
Re: (Score:2)
OK, how about doing a review of it? For this purpose, a positive review of features and its security .. wouldn't that be profiting off it?
Re: (Score:2)
Would it deprive the copyright holder of any revenue?
Re: (Score:2)
It's possible. For example, if you google the product name and my review comes up as the first link .. now I've made it extra work to find and buy the product .. maybe the person would get bored reading my long ass review and forget about purchasing it. Additionally, the review may state that certain features can be found in similar but cheaper competing software (that I get a commission on for selling). Also, I'm not buying that "negligence" is any feature that a user isn't happy with and that it negates "
Incorrect Summary (Score:5, Informative)
The WaPo paints this as a loss, but it's not. The judge ruled against a summary judgment. He:
* said it was fair use
* did not rule on the DMCA aspects
This isn't even round 1 of a long fight.
https://www.courthousenews.com... [courthousenews.com]
Re:Incorrect Summary (Score:4, Informative)
''This isn't even round 1 of a long fight.''
Exactly. The question one has to ask is, how have they defended themselves up to this point. The closest income data I could find was this. ''Current estimates show this company has an annual revenue of 50780 and employs a staff of approximately 3.'' https://www.manta.com/c/mhq7rg... [manta.com]
Looks like mom and pop decided to tell the gorilla to fuck off. Apparently the gorilla no likey.
''Reed Albergotti, at The Washington Post:
Apple initially attempted to acquire Corellium in 2018, according to court records. When the acquisition talks stalled, Apple sued Corellium last year, claiming its virtual iPhones, which contain only the bare-bones functions necessary for security research, constitute a violation of copyright law. Apple also alleged Corellium circumvented Apple's security measures to create the software, thereby violating the Digital Millennium Copyright Act. That claim has not been thrown out.'' https://daringfireball.net/ [daringfireball.net]
Apple and IOS (Score:2)
Re: (Score:1)
Corellium is a Virtual Machine/Emulator.
There is no law which prevents someone from writing an emulator or Virtual Machine that emulates some other piece of hardware.
If there are any Copyright issues, those issues lie against the party making the copy of the software that is run inside the emulator/virtual machine and not against the author of the emulator/vm software.
For example, if someone, let's say "VMWare" writes some software that "emulates" a PC in a VM, and someone buys that "VMWare" product and runs
Re: (Score:2)
> If there are any Copyright issues, those issues lie against the party making the copy of the software that is run inside the emulator/virtual machine
That would be Corellium.
They are arguing that it's fair for them to sell unauthorized copies of Apple's software because they are selling to different purchasers than Apple sells to.
Re: (Score:2)
''They are arguing''
Why yes they are. Mom and Pop stood up and made a defense against a 10 foot gorilla that has all the money and lawyers in the world, in Federal court where a loss for them has a real price to pay. It appears that they made a values judgement over a monetary judgement. And that takes balls. Especially after refusing to sell their product to the gorilla. They've not won anything but a battle, gorilla has too many resources [regardless of the merit of either case].
They made an argument, a
Re: (Score:2)
But they are not selling copies to anyone ...
Re: (Score:2)
They're renting it, at 50 cents / hour or $20/month, which amounts to the same thing.
Re: (Score:2)
No, it is not.
As they do not ship a copy to the customer.
Every library is "renting" books for a token fee, without that it is considered a copy.
Re: (Score:2)
You do know that libraries BUY each and every copy they have, right?
Re: (Score:2)
Yes.
And you do know that the company renting the test environments out did buy the iOS versions it is renting out, right?
And most importantly: those "instances" do not even leave the house.
Re: (Score:2)
Really. Do you happen to have the URL where one can buy a virtualization-ready copy of iOS?
That would be interesting, because Apple told the court that they don't sell such a thing.
Re: (Score:2)
Download XCode, a "virtualized iOS" is included. ...
That would be interesting, because Apple told the court that they don't sell such a thing.
Did they? That is strange. I have about 5
Re: (Score:2)
You seem to be referring to Simulator.
Guess why it's called Simulator and not virtual machine, or iOS?
I'll give you three guesses, and the last two don't count.
Off the top of my head, I can think of half a dozen iOS APIs that aren't present in Simulator.
Re: (Score:2)
The basis of Apple's claim is that the license for iOS does not allow them to use it in an emulator, and that they cannot possibly be providing the service they provide without copying iOS in an unauthorized fashion.
They could be providing access to a hacked iPhone for all it matters- the claim would be the same.
Apple is abusing the spirit of copyright law. They have been for a long time. It's not just them, it's a cancer within the industry.
Re: (Score:2)
They are arguing that it's fair for them to sell unauthorized copies of Apple's software because they are selling to different purchasers than Apple sells to.
Not quite.
They are arguing that it's fair for them to make unauthorized copies of Apple's software into a hardware emulator that a third-party user has access to.
It's already a stretch that copyright includes acts such as "copying our software from your disk to your RAM", which is essentially the basis of Apple's complaint.
It's good for everyone if this is the beginning of the end of that horseshit interpretation of copyright.
The Actual Ruling (Score:2)
Re: (Score:3)
Sigh.
It's late. very late.
The Technical Aspect (Score:4, Informative)
The court finds that Apple makes OS update files available via servers. It also finds that it is possible to download update files without first having to agree to any terms and conditions. The court notes that many of these files [for example portions that contain code not proprietary to Apple] are not encrypted.
From this ruling, see part B (IPSW Files), part C (Apple's Technical Control Measures) and Part D (The Corellium Product, which goes into considerable detail to describe the way that the Corellium offering basically emulates the hardware environment of an iOS device so that Apple downloaded files will "pass" the validation checksums they perform and therefore run). These are relevant in the context of this case, since Apple are essentially asserting that Corellium's software contrives to give the "false impression" that the software is running on Apple hardware. The specific code in iOS which performs these checksums is an implementation designed to validate the DMCA... and through this Apple are claiming that the Corellium product is designed to circumvent DMCA protections. The ruling determines that it is not possible to establish this as a matter of summary judgment, but will require a trial.
One of the key statements in the ruling is: "While Apple’s legal department did not formally discuss copyright violations with Corellium, there is a dispute as to whether, and to what extent, Corellium was told by Apple employees that Corellium needed a license to utilize iOS in connection with the Corellium Product. (Wade Dep. 276:4-15, 278:1-5; Federighi Dep. 42:9-44:8, 115:12-14, 128:2-9, 132:8-133:4.)"
This rather hints that Apple initially saw this as a licensing issue, not a copyright violation. Such a position remains broadly in line with the view Apple have taken when 3rd parties have produced Mac clones (see e.g. "Hackintosh" [hackintosh.com]).
It is interesting to note that Corellium are offering the "fair use" doctrine [enshrined in the Copyright Act] as their defence against Apple's claim. The ruling contains Section 107 of the Copyright Act, which states the following:-
"[T]he fair use of a copyrighted work, including such use by reproduction in copies . . . for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright. In determining whether the use made of a work in any particular case is a fair use the factors to be considered shall include
(1) the purpose and character of the use, including whether such use is of a commercial nature or is for nonprofit educational purposes;
(2) the nature of the copyrighted work;
(3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole [my emphasis]; and
(4) the effect of the use upon the potential market for or value of the copyrighted work."
Take a look at the 3rd element of that quotation. In the case of Corellium, they aren't using a portion of iOS (where I used and quoted a small portion of the ruling to illustrate the observations pertaining to the Copyright Act), rather they are using the entire iOS operating system. That seems a bit of a stretch, even with the most generous interpretation of the Copyright Act that we could form.
In total, the ruling is 38 pages long, but we might summarize it like this:-
At the point where Apple allow 3rd parties to download the iOS operating system, or portions thereof [i.e. for the purpose of updating the operating system on an Apple original iOS device [such as an iPod, iPhone or iPad]], the user is not required to agree to any EULA or licensing terms, i.e. as a condition of being permitted to receive the download. If
Re: (Score:2)
That's gonna be interesting. Does the DMCA win, or is this covered by the same logic as being able to use the required strings in your game carts to load your game on a console? Because that's apparently essentially what's going on here.
Re: (Score:3)
If Apple could point to one or more functions that execute as part of that process which are designed to impl
Re: (Score:2)
If Apple could point to one or more functions that execute as part of that process which are designed to implement controls that prevent use of the software on un-approved, competitor technology, then Apple will be in a very strong position to argue that the Corellium solution is circumventing exactly the types of safeguard envisaged by the DMCA. There are hints in the Court's order that Corellium's software does exactly that - i.e. it emulates hardware responses. That's the avenue Apple will explore if they wish to push the DMCA argument, and on its face seems pretty weak.
FTFY. Circumventing runtime access controls for security research purposes is legal [federalregister.gov].
Integrate the download with a component that is physically present on the iOS device (for example integrated with the Secure Enclave) in a manner that can't readily be replicated in software, and can't legally be replicated anywhere without breaking DMCA law).
The former is impossible on a general purpose computer. The hardware can always be replicated. If you're referring to a secret key stored within the Secure Enclave, Apple's own design also prevents that. First, because the Secure Enclave refuses to accept an externally generated key, so Apple couldn't load its own publisher key into it without circumventing that (and it may be a hardware limitation), and second because i
Re: (Score:3)
That could become crucial. In law there is a principle known as "estoppel", which is basically a legal mechanism to prevent people "going back on their word". See here [wikipedia.org] for a
Re: (Score:2)
IANAL.
This rather hints that Apple initially saw this as a licensing issue, not a copyright violation..
Copyright is what gives Apple the power to license their product. So there is no "is this licensed" or "is this copyrighted" - it is controlled by copyright, and Apple offers a license in accordance with copyright law. Unfortunately, a few US court cases screwed this up [eff.org] by granting another kind of other "licensing" power beyond copyright, and software companies are quick to call upon the resulting confusion. In other cases where licensing was involved [eff.org] beyond copyright, the issue was really about an
Re: (Score:2)
Totally agree with your synopsis. It's why I think that Apple *have* to try and go through the motions with this case in order to: make their intent clearer; try and stop the bleeding; give themselves enough time to address this technically.
I totally expect to see Apple change their software deployment such that you must agree to the EULA before you get the software; and for brand new devices being unlocked by their first user, you have to agree before you can use the device. As you
Re: (Score:2)
Apple would prefer a ruling on this one, because it's going to take quite a bit of expensive re-engineering to modify iOS to handshake more tightly with the software update servers and to require EULA agreement before a download is commenced. Long term, I'd suspect this is what Apple [and other companies] will do.
Many companies already do, including Microsoft. If you download a Microsoft Windows update from Microsoft's website, you are prompted to agree to an EULA before the download starts. At least for Windows 7. I don't know what it does for Windows 10 manual downloads, if there even is such a thing. Intel, Adobe, Autodesk, all do this.
Re: (Score:2)
These are relevant in the context of this case, since Apple are essentially asserting that Corellium's software contrives to give the "false impression" that the software is running on Apple hardware.
That's a ridiculous argument from Apple. The human user of Corellium's software is not even remotely confused that the software may be running on Apple hardware. They know very exactly that it isn't. That's the whole point. Software that "contrives to give the false impression" to other software that it's running on Apple hardware for research purposes is perfectly legal. The DMCA has a mechanism in it to create explicit exemptions and the Librarian of Congress created the security research exemption i [ftc.gov]
Guess what Apple will do next (Score:2)