Under traditional copyright law, security research is a well-established fair use, meaning it does not infringe copyright. When it was passed in 1998, Section 1201 of the Digital Millennium Copyright Act upset the balance of copyright law. Since then, that balance has been upset further: some courts have interpreted Section 1201 so broadly that it effectively eliminates fair use whenever you have to bypass an access control, such as encryption, to make that fair use.
The District Court’s ruling in Apple v. Corellium makes this shift crystal-clear. Corellium is a company that enables security researchers to run smartphone software in a controlled, virtual environment, giving them greater insights into how the software functions and where it may be vulnerable. Apple sued the company, alleging that its interactions with Apple code infringed copyright and that it offered unlawful circumvention technology under Section 1201 of the Digital Millennium Copyright Act.
Corellium asked for “summary judgment” that it had not violated the law. Summary judgment is decided as a matter of law when the relevant facts are not in dispute. (Summary judgment is far less expensive and time-consuming for the parties and the courts, while having to go to trial can be prohibitive for individual researchers and small businesses.) Corellium won on fair use, but the court said that there were disputed facts that prevented it from ruling on the Section 1201 claims at this stage of the litigation. It also rejected Corellium’s argument that fair use is a defense to a claim under Section 1201.
Fair use is part of what makes copyright law consistent with both the First Amendment and the Constitution’s requirement that intellectual monopoly rights like copyright – if created at all – must promote the progress of “science and the useful arts.”
We’re disappointed that the District Court failed to uphold the traditional limitations on copyright law that protect speech, research, and innovation. Applying fair use to Section 1201 would reduce the harm it does to fundamental rights.
It’s also disappointing that the provisions of Section 1201 that were enacted to protect security testing are so much less protective than traditional fair use has been. If those provisions were doing their job, the 1201 claim would be thrown out on summary judgment just as readily as the infringement claim, saving defendants and the courts from unnecessary time and expense.
We’ll continue to litigate Section 1201 to protect security researchers and the many other technologists and creators who rely on fair use in order to share their knowledge and creativity.