Apple has unleashed their legal juggernaut on an innovative iOS security company, and if they win their lawsuit, the damage will reverberate beyond the security community and into the world of repair and maintenance.
Corellium’s software creates virtual iPhones in a web browser, so that app developers and security researchers can tinker without needing a physical device. It’s nerdy stuff that most people will never need, but it’s genuinely useful. So useful, in fact, that Apple tried to buy the company. When the founders refused, Apple decided to sue them into oblivion.
In a just-filed revision to their lawsuit, Apple has invoked section 1201 of the DMCA, the infamous and often abused copyright law. This claim dramatically raises the stakes for this lawsuit, and puts Apple squarely in the crosshairs of copyright experts concerned about unintended precedents it could set if Apple is successful.
But before we talk about section 1201, let’s look at Apple’s original complaint. They accuse Corellium of doing exactly what they promise customers: providing virtualized access to iOS. “Corellium has simply copied everything: the code, the graphical user interface, the icons—all of it, in exacting detail,” the lawsuit states.
This is an annoying thing for Apple to complain about, because they don’t provide a way to license iOS for virtualized purposes. If they did, loads of developers would be happy to pay. Apple gives iOS away with every device, and doesn’t sue people for pirating iOS the way that Microsoft has been notorious for. Running virtualized operating systems is a pretty commonplace thing to do these days—a working Windows setup on Amazon’s AWS servers costs about $0.03/hour. Apple should charge for this and Corellium should pay.
The Digital Millennium Copyright Act Strikes Back
Despite a lack of apparent interest in enforcing their copyright to iOS software, in this specific case Apple has decided to exert control over iOS. And they’ve crossed a red line by invoking the most notorious statute in the US copyright act, section 1201. This is the very law that made it illegal for farmers to work on their tractors and for you to fix your refrigerator. It’s the same law that we’ve been whacking away at for years, getting exemptions from the US Copyright Office for fixing, jailbreaking, and performing security research on everything from smartwatches to automobiles.
Enter Apple with the latest terrible, awful, no-good application of 1201. Apple claims that in making virtual iPhones for security and development use, Corellium is engaged in “unlawful trafficking of a product used to circumvent security measures in violation of 17 U.S.C. § 1201.”
In other words: Corellium sells a way to use iOS that works around the way Apple intended it to work. Apple knows that you can’t use Corellium’s software to create your own knock-off iPhone. But they can claim that Corellium’s software is illegal, and they might technically be right. That’s terrifying.
Circumventing Technological Protection Measures
Back in 1998, when the law was written, digital locks were very rare—they were really only used to protect movies on DVDs
So how did we get here? Well, 1201 works in two ways: One, it makes it illegal to bypass digital locks. And two, it makes it illegal to distribute tools to bypass locks. Back in 1998, when the law was written, digital locks were very rare—they were really only used to protect movies on DVDs. But nowadays, legitimate cybersecurity needs have driven companies to use digital locks on just about everything, and they are not providing anyone the key. You might have to modify your Samsung refrigerator’s software to fix its outdated calendar. But in order to do that, you have to jailbreak its Android operating system. And, as the name implies, jailbreaks require breaking digital locks.
“Anytime someone puts a lock on something you own, against your wishes, and doesn’t give you the key, they’re not doing it for your benefit.” — Doctorow’s Law
Fortunately, Congress built an escape hatch into the law, and allows motivated types like us to apply for specific ‘exemptions’ — permission to pick digital locks that are in the public interest. For the last decade, iFixit has joined EFF and digital activists from around the country to apply for, and win, numerous exemptions for repair and security research every three years. One of those exemptions, most recently granted last October, is for jailbreaking iPhones. (Notably, Apple did not oppose this exemption request.)
Sounds great! So why can’t Corellium just send the judge a link to the jailbreaking exemption and wave this lawsuit goodbye? Well, there’s a fatal flaw with 1201. The Copyright Office believes only it has the power to grant exemptions for individuals to bypass their own locks, not for third parties to do it for you. So you can write the code to make your own virtualized iOS container, but you can’t hire Corellium to do it for you.
This shows how ridiculous the law is. Cory Doctorow puts it well: “Even computer scientists don’t hand-whittle their own software tools for every activity: like everyone else, they rely on specialized toolsmiths who make software.” The Electronic Frontier Foundation vehemently disagreed with the Office on this and requested a tool exemption, but the Copyright Office ignored them and excluded tool distribution from the most recent exemptions.
Making Tools Should Not Be a Crime
Apple is upset that Corellium has created a tool that grants access to iOS in an innovative medium that Apple is (so far) unwilling to provide.
“Corellium, by offering the Corellium Apple Product for sale or license without authorization from Apple, is trafficking in technologies, products, or services that are primarily designed to avoid, bypass, remove, deactivate, or otherwise impair technological measures that effectively control access to Apple’s copyrighted works, in violation of 17 U.S.C.§ 1201(a)(2).”
According to Apple, Correllium does this by “disabling loadable firmware validation, disabling self-verification of the FIPS module, adding Corellium software to the ‘trust cache,’ and instructing the restore tool not to contact Apple servers for kernel / device tree / firmware signing.” That allows them to “jailbreak” or otherwise bypass one or more feature of iOS and iOS devices that are designed to prevent access to the software or other material that could be stored on the iOS device.
Of course, Apple includes those copyrighted works for free with every iOS device. Corellium is not enabling piracy of iOS—they’re supporting security research. But because 1201 doesn’t require theft of a copyrighted work, Apple has a chance of succeeding with this ‘tool trafficking’ argument.
If Apple Wins, We All Lose
As the world embraces internet-connected hardware, more and more of the devices that we use will integrate digital locks. Apple is arguing that no one else should be able to make tooling for performing security research on their products. What happens if other companies start making the same claims?
This isn’t academic. Last year, GM sued aftermarket parts company Dorman for “overriding the security measures used in [GM]’s vehicle control modules” in their transmission repair tool. Dorman’s aftermarket transmissions moved the firmware from an existing transmission into their aftermarket part, so that it would be recognized by the vehicle and work.
John Deere has also been aggressively locking down their products, aiming to monopolize service and prevent farmers from doing repairs themselves. They opposed a DMCA exemption for farmers on the grounds that if owners could fix their own equipment, they might use their newfound freedom to pirate Taylor Swift’s music on their tractors.
This is a massive change from the status quo. For decades, people have used aftermarket car parts and those parts have created competition in the industry. For decades, farmers have been self-reliant and able to fix their own gear without the manufacturer breathing down their neck and squeezing money out of them.
That GM and John Deere can abuse copyright law in this way is terrible. It’s clearly in the public’s interest to have aftermarket parts options for automobiles: it keeps manufacturers competitive on both price and quality. This law has the unintended consequence of giving manufacturers a monopoly on repairs of any product containing software and a digital lock.
Apple knows this. They understand the ethical implications of using a bad law as a cudgel, and they don’t care. Every successful suit that invokes 1201 sets a precedent for further abuse. The purpose of copyright is set out in the US constitution as simply “to promote the progress of science and useful arts.” Apple’s suit does the opposite—it seeks to limit who can make security tools to improve iOS. It’s beyond the pale to abuse copyright to preserve a monopoly position and deter security research.
It’s Time to Fix the DMCA
So where do we go from here? The EFF has sued the Copyright Office arguing that section 1201 is an unconstitutional violation of the First Amendment. If they succeed, it’s possible that 1201 could go away entirely. But that suit has languished on the court’s desk for three years, and it’s unclear when it will be heard.
The more expeditious path would be for Congress to pass something like Rep. Zoe Lofgren’s Unlocking Technology Act and fix section 1201 once and for all.
The future of ownership is at stake. If we can’t investigate the security of the software that runs on our devices or make software changes in order to fix them, then we don’t really own our stuff anymore.
It’s time to decriminalize toolmaking.
Top image by Daniel Aleksandersen/Flickr
30 Comments
Is it really terrifying or are you a little paranoid like Doctorow who seems to think he has a god-given right to steal other’s intellectual property?
If you’d spent decades and millions of pounds creating a successful product, only to see someone else come along and rip it off verbatim, you’d probably also be miffed. But you haven’t. You just want to cheat and steal. Thank God for the copyright office.
Ray Scott - Reply
Nobody is “stealing” anything. Nor did Doctorow ever claim he has a right to do so. Everything being done here should be a Fair Use, which is a core part of Copyright law. But Section 1201 is so badly implemented that it completely ignores Fair Use and any other safeguards (hence why EFF sued to have it struck down as blatantly unconstitutional).
And you do realize this is Apple we’re talking about, right? They are not the ones who invented the products they’re so well known for selling. All of them were built on the work of others. Why do they get to decide that nobody else is allowed to do it when they found their own success by doing the same?
John Roddy -
Perhaps you haven’t read the same writings of Doctorow that I have, but he has said on occasions that he thinks he has the right to reverse engineer other people’s IP in order to figure out how it works. This is a blatant attempt at IP theft (Apple’s IP, or the IP they license from others). Obviously he’s not going to say it in so many words. His usual excuse is that it’s being done in the name of “security research”. And if you think I’m wrong, ask him why he complains about IOT devices that use encryption to provide a more secure product, such as encrypting the communications to back end services. He ironically claims that the security that is build into IOT products prevents security researchers from carrying out their jobs. How nonsensical is that statement? And if the encryption weren’t there in the first place, they’d be up in arms. A ridiculous argument really.
Ray Scott -
Yes, I know we’re talking about Apple. OK you seem to know very little about technology, patents or licensing. It’s perfectly legal to license patented technology from other inventors to build a product and sell it, legally, which is exactly what Apple have done. In other cases, such as their A series of chips, they have designed and developed the components themselves. I’m not sure why you think the user of a product that contains 3rd party IP is suddenly allowed to use that 3rd party IP to develop a product without paying a licensing fee to the patent owner. You’re suggesting that everyone can just use everyone else’s copyrighted IP, just because you think everyone else is violating patent laws and licensing
Ray Scott -
The OP said Apple should license it and the third parties pay for it. The problem is Apple won’t license it. Instead they attempt to employ a capture and kill strategy by buying out the company but not releasing the service so they only they can effect repairs. When that failed, they go to a DCMA lawsuit to kill without capturing.
jkgarrett17 -