We live in a world increasingly governed by technology. Too often, that technology includes security vulnerabilities that could allow malicious actors access to our most important and private information. That’s why it’s so important that security researchers be allowed to do their work without fear that they might infringe copyright in the software they are testing. Thanks to the doctrine of fair use, which creates a “safety valve” for research, commentary and so on, they usually don’t have to worry.
Apple is putting that principle at risk in its lawsuit against Corellium. Corellium created a virtualization of Apple’s iOS operating system that allows developers and researchers to test iOS for vulnerabilities without having to get permission from Apple or pay for the privilege of finding flaws in the system. Apple sued, and lost in district court on fair use grounds. Apple’s hoping for a different ruling on appeal.
It shouldn’t get one. EFF, along with Public Knowledge and a number of security experts, filed an amicus brief with the court explaining one reason why: the public’s interest in greater security, more innovation, and more competition in mobile software. We can’t protect ourselves from security flaws if independent testers aren’t allowed to find them.
Companies use legal threats, such as threats to sue for copyright infringement, to silence researchers and keep users from knowing that there’s something wrong with their devices. Without meaningful protection from such claims, organizations like Corellium cannot develop research tools, researchers cannot conduct independent testing, and the public loses out on the benefits of innovation and competition to enhance security.
When that threat is based in copyright, fair use is supposed to protect the researchers. Because independent security researchers use copies of software to facilitate understanding, not to exploit its copyrighted elements or provide a market substitute for the software, their activities fall under the fair use doctrine, and do not infringe copyright.
In our brief, EFF, Public Knowledge, and the security experts urged that the lower court’s fair use finding be preserved.