
EFF in court: Security research is fair use

We live in a world increasingly ruled by technology. Too often, this technology includes security vulnerabilities that could allow malicious actors access to our most important and private information. That’s why it’s so important that security researchers can do their jobs without fear of infringing copyright on the software they’re testing. Thanks to the fair use doctrine, which creates a “safety valve” for research, commentary, etc., they usually don’t have to worry.

Apple puts this principle at risk in its lawsuit against Corellium. Corellium has created a virtualization of Apple’s iOS operating system that allows developers and researchers to test iOS vulnerabilities without having to obtain permission from Apple or pay for the privilege of finding flaws in the system. Apple sued and lost in district court on fair use grounds. Apple hopes for a different decision on appeal.

It shouldn’t get one. EFF, along with Public Knowledge and a number of security experts, filed an amicus brief with the court explaining one of the reasons: the public interest in greater security, more innovation and more competition in mobile software. We cannot protect ourselves from security vulnerabilities if independent testers are not authorized to find them.

Companies use legal threats, such as a threat of copyright infringement lawsuits, to silence researchers and prevent users from knowing that there is something wrong with their devices. Without meaningful protection against such claims, organizations like Corellium cannot develop research tools, researchers cannot perform independent testing, and the public loses the benefits of innovation and competition to strengthen security.

When this threat is based on copyright, fair use is supposed to protect researchers. Because independent security researchers use copies of software to facilitate understanding, and not to exploit its copyrighted materials or provide a commercial substitute for the software, their activities fall under the doctrine of fair use and do not infringe copyright.

EFF, Public Knowledge, and the security experts insisted, in our brief, that the lower court’s finding of fair use be preserved.