Apple Is Bullying a Security Company With a Dangerous DMCA Lawsuit

Making tools should not be a crime

This op-ed was written by Kyle Wiens, the founder and CEO of iFixit, a company that publishes repair manuals for electronics and sells parts and tools to consumers. A previous version of this story was originally published on iFixit’s website; it has been updated for OneZero.

Apple has unleashed its legal juggernaut on an innovative iOS security company, and if they win their lawsuit, the damage will reverberate beyond the security community and into the world of repair and maintenance.

Corellium’s software creates virtual iPhones in a web browser so that app developers and security researchers can tinker without needing a physical device. The software is kind of like VirtualBox or Parallels — a container that you can run your own iOS image inside of. It’s nerdy stuff that most people will never need, but it’s genuinely useful. So useful, in fact, that Apple tried to buy the company, according to a court filing from November. When the founders refused, Apple decided to sue them into oblivion.

In a just-filed revision to its lawsuit, Apple has invoked Section 1201 of the Digital Millennium Copyright Act (DMCA), the infamous and often abused copyright law. This claim dramatically raises the stakes for this lawsuit and puts Apple squarely in the crosshairs of copyright experts concerned about unintended precedents it could set if Apple is successful.

But before we talk about Section 1201, let’s look at Apple’s original complaint. It accuses Corellium of infringing on Apple’s copyrighted works by providing virtualized access to iOS. “Corellium has simply copied everything: the code, the graphical user interface, the icons — all of it, in exacting detail,” the lawsuit states.

This is an annoying thing for Apple to complain about because it doesn’t provide a first-party way for people to virtualize iOS. If it did, loads of developers would be happy to pay. Apple gives iOS away with every device, and it doesn’t sue people for pirating iOS the way that Microsoft has become notorious for in regards to Office and Windows. Running virtualized operating systems is a pretty commonplace thing to do these days: A working Windows setup on Amazon’s AWS servers costs about $0.01 per hour.

Corellium also doesn’t provide iOS firmware — contained in an IPSW file — itself, instead allowing you to provide your own copy or download one directly from Apple’s servers.

“Corellium does not host, cache, or distribute the IPSWs,” Amanda Gorton, Corellium’s CEO, told OneZero. “Apple’s IPSW files are freely available, unencrypted, to download from their servers… For our cloud product, when a user creates a new device, the user selects a desired model and OS version, and a download request is sent for the corresponding IPSW. Users are only able to select OS versions available from Apple.”

Rumors are that Apple is working on a virtualized environment for developing on iOS, so this lawsuit could be an aggressive form of Sherlocking, Apple’s practice of copying popular third-party apps.

The Digital Millennium Copyright Act strikes back

Despite a lack of apparent interest in enforcing its copyright to iOS software, in this specific case, Apple has decided to exert control over iOS. And they’ve crossed a red line by invoking the most notorious statute in the U.S. Copyright Act, Section 1201. This is the very law that made it illegal for farmers to work on their tractors and for you to fix your refrigerator. It’s the same law that iFixit has been whacking away at for years, getting exemptions from the U.S. Copyright Office for fixing, jailbreaking, and performing security research on everything from smartwatches to automobiles.

Enter Apple with the latest terrible, awful, no-good application of 1201. Apple claims that in making virtual iPhones for security and development use, Corellium is engaged in “unlawful trafficking of a product used to circumvent security measures in violation of 17 U.S.C. § 1201.”

In other words: Corellium sells a way to use iOS that works around the way Apple intended it to work. Apple knows that you can’t use Corellium’s software to create your own knock-off iPhone. But it can claim that Corellium’s software is illegal, and it might technically be right. That’s terrifying.

Circumventing technological protection measures

So how did we get here? Well, Section 1201 works in two ways. First, it makes it illegal to bypass digital locks. And second, it makes it illegal to distribute tools to bypass locks. Back in 1998, when the law was written, digital locks were very rare — they were really only used to protect movies on DVDs. But nowadays, legitimate cybersecurity needs have driven companies to use digital locks on just about everything, and they are not providing anyone the key. You might have to modify your Samsung refrigerator’s software to fix its outdated calendar. But in order to do that, you have to jailbreak its Android operating system. And, as the name implies, jailbreaks require breaking digital locks.

Fortunately, Congress built an escape hatch into the law and allows motivated types like us to apply for specific “exemptions” — permission to pick digital locks that are in the public interest. For the last decade, iFixit has joined the Electronic Frontier Foundation and digital activists from around the country to apply for, and win, numerous exemptions for repair and security research every three years. One of those exemptions, most recently granted last October, is for jailbreaking iPhones. (Notably, Apple did not oppose this exemption request.)

Sounds great! So why can’t Corellium just send the judge a link to the jailbreaking exemption and wave this lawsuit goodbye? Well, there’s a fatal flaw in Section 1201. The U.S. Copyright Office believes only it has the power to grant exemptions for individuals to bypass their own locks, not for third parties to do it for you. So you can write the code to make your own virtualized iOS container, but you can’t hire Corellium to do it for you.

This shows how ridiculous the law is. Cory Doctorow puts it well: “Even computer scientists don’t hand-whittle their own software tools for every activity: like everyone else, they rely on specialized toolsmiths who make software.” The EFF vehemently disagreed with the Office on this and requested a tool exemption, but the Copyright Office ignored them and excluded tool distribution from the most recent exemptions.

Making tools should not be a crime

Apple is upset that Corellium has created a tool that grants access to iOS in an innovative medium that Apple is (so far) unwilling to provide. It argues: “Corellium, by offering the Corellium Apple Product for sale or license without authorization from Apple, is trafficking in technologies, products, or services that are primarily designed to avoid, bypass, remove, deactivate, or otherwise impair technological measures that effectively control access to Apple’s copyrighted works, in violation of 17 U.S.C.§ 1201(a)(2).”

According to Apple, Correllium does this by “disabling loadable firmware validation, disabling self-verification of the FIPS module, adding Corellium software to the ‘trust cache,’ and instructing the restore tool not to contact Apple servers for kernel/device tree/firmware signing.” That allows Corellium to “jailbreak” or otherwise bypass features of iOS that are designed to prevent access to the software stored on the iOS device.

Of course, Apple includes those copyrighted works for free with every iOS device. Corellium is not enabling piracy of iOS — it’s supporting security research. But because Section 1201 doesn’t require theft of a copyrighted work, Apple has a chance of succeeding with this “tool trafficking” argument.

If Apple wins, we all lose

As the world embraces internet-connected hardware, more and more of the devices that we use will integrate digital locks. Apple is arguing that no one else should be able to make tooling for performing security research on their products. What happens if other companies start making the same claims?

This isn’t academic. Last year, GM sued aftermarket parts company Dorman for “overriding the security measures used in [GM]’s vehicle control modules” in their transmission repair tool. Dorman’s aftermarket transmissions moved the firmware from an existing transmission into their aftermarket part, so that it would be recognized by the vehicle and work.

John Deere has also been aggressively locking down their products, aiming to monopolize service and prevent farmers from doing repairs themselves. It opposed a DMCA exemption for farmers on the grounds that if owners could fix their own equipment, they might use their newfound freedom to pirate Taylor Swift’s music on their tractors.

This is a massive change from the status quo. For decades, people have used aftermarket car parts and those parts have created competition in the industry. For decades, farmers have been self-reliant and able to fix their own gear without the manufacturer breathing down their neck and squeezing money out of them.

That GM and John Deere can abuse copyright law in this way is terrible. It’s clearly in the public’s interest to have aftermarket parts options for automobiles: It keeps manufacturers competitive on both price and quality. This law has the unintended consequence of giving manufacturers a monopoly on repairs of any product containing software and a digital lock.

Apple knows this. They understand the ethical implications of using a bad law as a cudgel, and they don’t care. Every successful suit that invokes 1201 sets a precedent for further abuse. The purpose of copyright is set out in the US constitution as simply “to promote the progress of science and useful arts.” Apple’s suit does the opposite — it seeks to limit who can make security tools to improve iOS. It’s beyond the pale to abuse copyright to preserve a monopoly position and deter security research.

It’s time to fix the DMCA

So where do we go from here? The EFF has sued the Copyright Office arguing that Section 1201 is an unconstitutional violation of the First Amendment. If they succeed, it’s possible that 1201 could go away entirely. But that suit has languished on the court’s desk for three years, and it’s unclear when it will be heard.

The more expeditious path would be for Congress to pass something like California Representative Zoe Lofgren’s Unlocking Technology Act and fix Section 1201 once and for all.

The future of ownership is at stake. If we can’t investigate the security of the software that runs on our devices or make software changes in order to fix them, then we don’t really own our stuff anymore.

It’s time to decriminalize toolmaking.