Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 1 of 38
`
`UNITED STATES DISTRICT COURT
`SOUTHERN DISTRICT OF FLORIDA
`
`CASE NO. 19-81160-CIV-SMITH
`
`APPLE INC.,
`Plaintiff,
`
`v.
`CORELLIUM, LLC,
`Defendant.
`_______________________/
`ORDER ON THE PARTIES’ MOTIONS FOR SUMMARY JUDGMENT
`
`Plaintiff, Apple Inc. (“Apple”) designs and manufactures mobile communication devices,
`
`
`
`personal computers, and media devices, and sells a variety of related software, services,
`
`accessories, and third-party digital content and applications. iOS is Apple’s mobile operating
`
`system (or “OS”) for certain devices like the iPhone. iOS is publicly available online for free
`
`download from Apple’s servers as part of a packaged file. Around 2016 or 2017, Apple removed
`
`encryption from the kernel, which is the core of the operating system that has complete control
`
`over all system resources.
`
`In 2017, Defendant, Corellium, LLC (“Corellium”) began developing a commercial
`
`product (“the Corellium Product”) that permits users to create tailored, virtual models of iPhones,
`
`using iOS files loaded by the user. (The Corellium Product also virtualizes Android, the mobile
`
`operating system used by Google, but the Android aspects of the Corellium Product are not issue
`
`in this case.) With its relatively limited functionality, among other things, the Corellium Product
`
`does not virtualize the Apple App Store, and users cannot make phone calls or use camera––
`
`features of interest to the average customer buying an iPhone off the shelf. According to testimony
`
`of developers of the Corellium Product, the product is intended to provide an environment in which
`
`technology security researchers can conduct research with features of interest to those researchers.
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 2 of 38
`
`Still, there is no evidence that the Corellium Product, like other technology, cannot be used for
`
`unintended purposes, or that Corellium can control how users utilize any Corellium Product
`
`installed on their premises.
`
`Starting in January 2018, Apple and Corellium began engaging in acquisition talks which,
`
`if successful, would have allowed Apple to acquire Corellium (including its people and the
`
`Corellium Product). During the acquisition process, there were several in-person meetings and
`
`calls between the companies. The Corellium Product was demonstrated (“demo’ed”) to Apple and
`
`there was technical due diligence. In the summer of 2018, the potential deal fell apart and Apple
`
`did not acquire Corellium.
`
`On August 15, 2019, Apple filed this lawsuit alleging that Corellium infringed Apple’s
`
`copyrights in iOS and circumvented its security measures in violation of the federal Digital
`
`Millennium Copyright Act (“DMCA”). Corellium denies that it has violated the DMCA or
`
`Apple’s copyrights. Corellium further argues that even if it used Apple’s copyrighted work, such
`
`use constitutes “fair use” and, therefore, is legally permissible. Apple filed a Motion for Partial
`
`Summary Judgment [DE 470] and Corellium filed a Motion for Summary Judgment [DE 464].
`
`For the reasons explained below, on the copyright claim, the Court finds that Corellium’s use of
`
`iOS constitutes fair use, and a genuine dispute of material facts precludes summary judgment on
`
`the DMCA claim. Thus, Corellium’s motion is granted in part and denied in part, and Apple’s
`
`motion is denied.1
`
`
`1 To the extent the parties agree on the facts and the facts as stated are supported by the evidence,
`the Court may cite to the parties’ Statements of Material Facts (“SOF”). Regarding declarations,
`under the law of this Circuit, “[w]hen a party has given clear answers to unambiguous questions
`which negate the existence of any genuine issue of material fact [for summary judgment], that
`party cannot thereafter create such an issue with an affidavit that merely contradicts, without
`explanation, previously given clear testimony. Such an affidavit would be a sham.” McCormick v.
`City of Fort Lauderdale, 333 F.3d 1234, 1240 (11th Cir. 2003) (internal citation omitted).
`2
`
`
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 3 of 38
`
`BACKGROUND
`
`A. iOS: APPLE’S OPERATING SYSTEM
`
`An operating system is a program that manages the resources of the computer, allocating
`
`those resources to other programs as needed. It manages the computer’s most basic functions,
`
`including the user’s interaction with the device. iOS is Apple’s operating system for its iPhone,
`
`iPod Touch, and until September 25, 2019, iPad. (Andrews Decl. [DE 470-4] ¶ 4.) The iPhone
`
`was introduced in 2007. It is one of the world’s first “smartphones” and remains one of the most
`
`popular consumer electronic devices in the world. (Andrews Decl. ¶ 3.) For the iPhone, among
`
`other things, the ability to make phone calls, send text messages, take photos, and download apps
`
`from Apple’s App Store are important features of iOS. (Def.’s SOF [DE 472] ¶ 3.)
`
`iOS does not include hardware or some components of the secure boot chain (discussed
`
`below), like Boot ROM, which are built directly into the physical device. (Def.’s SOF ¶ 4.)
`
`However, iOS encompasses default software applications, underlying graphics, images, and files
`
`that help create the iOS displays, and graphical user interface (“GUI”) elements installed on
`
`Apple’s mobile devices. (Andrews Decl. ¶ 6.) Generally, GUI is a visual way of interacting with
`
`a computer using items such as icons and menus.2 iOS also encompasses the source code and
`
`object code representing the processes managing the execution of applications and utilization of
`
`device resources.3 (Andrews Decl. ¶ 6.)
`
`
`Additionally, the Court does not consider evidence that has been stricken pursuant to the Court’s
`August 24, 2020 Order [DE 658] and the parties’ related Joint Stipulation [DE 722]. Lastly,
`citations to the record primarily reflect sealed versions of the document, not the publicly available
`copies.
`
` https://www.merriam-webster.com/dictionary/graphical%20user%20interface.
`
` Regarding source code and object code:
`
`3
`
` 2
`
` 3
`
`
`
`
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 4 of 38
`
`iOS includes open and partially open source code; it includes code that was not written by
`
`Apple. (Marineau-Mes Dep. [DE 472-4] 37:6-14.) This includes: (1) open source code that Apple
`
`uses under license (e.g., Secure Socket Layer); (2) components for which Apple is the primary
`
`owner (e.g., WebKit); and (3) aspects where Apple contributes some of the code (e.g., the kernel).
`
`(Andrews Dep. [DE 472-3] 91:22-93:13, 100:20-23; Marineau-Mes Dep. 37:6- 40:11 (other open
`
`source components of iOS are the compiler and Swift).) Likewise, iOS’ Darwin, which is part of
`
`the kernel, stems from research dating back thirty to forty years––long before Apple developed the
`
`iPhone. (Marineau-Mes Dep. 37:6-40:6.) For these open source components, Apple is key
`
`contributor to the code bases and, in many cases, invented the code and chose to make it available
`
`in open source. (Marineau-Mes Dep. 39:23-40:7.)
`
`
`
`
`
`
`Computers come down to one basic premise: They operate with a series of on and
`off switches, using two digits in the binary (base 2) number system—0 (for off) and
`1 (for on). All data and instructions input to or contained in computers therefore
`must be reduced to . . . 1 and 0 . . . . Some highly skilled human beings can reduce
`data and instructions to strings of 1’s and 0’s and thus program computers to
`perform complex tasks by inputting commands and data in that form. But it would
`be inconvenient, inefficient and, for most people, probably impossible to do so. In
`consequence, computer science has developed programming languages. These
`languages, like other written languages, employ symbols and syntax to convey
`meaning. The text of programs written in these languages is referred to as source
`code. And whether directly or through the medium of another program, the sets of
`instructions written in programming languages—the source code—ultimately are
`translated into machine “readable” strings of 1’s and 0’s, known in the computer
`world as object code, which typically are executable by the computer . . . . All code
`is human readable. As source code is closer to human language than is object code,
`it tends to be comprehended more easily by humans than object code.
`
`Universal City Studios, Inc. v. Reimerdes, 111 F. Supp. 2d 294, 306 (S.D.N.Y.), aff’d sub nom.
`Universal City Studios, Inc. v. Corley, 273 F.3d 429 (2d Cir. 2001) (internal citation omitted).
`
`
`
`
`4
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 5 of 38
`
`B. IPSW FILES
`
`Apple continuously releases new versions of iOS. It also releases at least some components
`
`of iOS in software files known as “IPSW” files. (Andrews Dep. 94:13-25; Krstic Dep. [DE 472-
`
`1] 126:13-127:21; Wang Dep. [DE 472-6] 59:24-61:10.) IPSW files are available online for free
`
`download from Apple’s servers, including via links provided on third-party sites like ipsw.me.
`
`(Def.’s SOF ¶ 6.) A user is not presented with or required to agree to the iOS Software License
`
`Agreement or End User License Agreement (“EULA”) before downloading an IPSW file. (Def.’s
`
`SOF ¶ 12; Andrews Dep. 95:13-15, 98:14-20.)
`
`IPSW files have iOS without some of the runtime elements such as the cryptographic
`
`authorization ticket, which authorizes a given version of iOS to run in a given piece of hardware.
`
`(Krstic Dep. 126:13-127:21.) Further, many parts of the IPSW files are unencrypted, including
`
`the kernel, which is the core of the operating system that has complete control over all system
`
`resources. (Def.’s SOF ¶ 8.) Thus, once downloaded, a person can read some of the file contents,
`
`and it is possible to access contents of the kernel, as well as extract other parts of the file. (Krstic
`
`Dep. 67:12-21, 129:21-130:4; Marineau-Mes Dep. 57:2-10.) The kernel can run on non-Apple
`
`devices, but protections put in place by Apple––which intends for the kernel to run on Apple
`
`devices––makes it difficult to do so. (Krstic Dep. 130:23-132:13, 141-143:3.) The IPSW files
`
`also contain image files such as wallpaper. (Def.’s SOF ¶ 7.)
`
`C. APPLE’S TECHNICAL CONTROL MEASURES
`
`Apple designs iOS and devices running iOS as an integrated hardware/software system.
`
`(Pl.’s SOF [DE 470-2] ¶ 10.) Apple does not provide the functionality to “clone” or copy the
`
`complete contents of an iPhone. (Id. ¶ 11.) Combining hardware, software, and service features,
`
`Apple has put security measures in place to protect its devices and customers’ experience. (Pl.’s
`
`
`
`5
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 6 of 38
`
`Resp. to Second Interr. No. 16 [DE 553-9].4) In its motion, Apple focuses on the following
`
`measures:
`
`Authorization Server: According to Apple, upon installing iOS on an Apple device (e.g.,
`
`iPhone), the device must first communicate with Apple’s “authorization server” for approval. The
`
`device sends information to Apple about the physical iPhone and the version of iOS the user seeks
`
`to install. The authorization server checks this information, and if the information presented
`
`checks out, returns a cryptographic signature (known as an “AP Ticket”) authorizing installation
`
`on the device. The signed AP Ticket is saved to the device and is required to be checked every
`
`time the device tries to run iOS. (Pl.’s SOF ¶¶ 14-15.) Corellium disagrees with this statement,
`
`asserting instead that “iOS in the public IPSW distribution . . . has no such requirements––this
`
`security function is hard-coded into physical iOS devices.” (Def.’s Resp. SOF [DE 513] ¶¶ 14-
`
`15.)
`
`Secure boot chain: Secure boot chain is a way Apple prevents unauthorized code from
`
`running on its systems. The process involves an interaction between iOS and software embedded
`
`in the physical device. (Wang Dep. 62:8-18, 212:4-22; Marineau-Mes Dep. 36:6-23.) It is “an
`
`extremely well-meaning and well-designed feature that is intended to safeguard the privacy and
`
`security of Apple iPhone users[.]” (Pl.’s SOF ¶ 18.) The boot chain is “secure” because each step
`
`must be verified before the next step can proceed. (Wang Dep. 212:4-22; Pl.’s SOF ¶ 17.)
`
`Buddy program: When iOS is freshly installed on an Apple device, a program called
`
`“Buddy” runs. The “Buddy” program helps the user set up iOS on the device. One portion of the
`
`“Buddy” program presents the EULA governing that version of iOS to the user on the iOS device.
`
`A user must accept the EULA before the user can continue to interact with any other part of iOS.
`
`
`4 The parties disagree on the nature, operation, and purpose of some of these measures.
`6
`
`
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 7 of 38
`
`If the user does not accept the EULA, the Buddy program prevents the user from further accessing
`
`iOS. (Andrews Decl. ¶ 17.)
`
`Trust Cache: The trust cache is a list of trusted applications that Apple has approved for
`
`execution on iOS. The trust cache prevents users from installing and operating unapproved
`
`applications on iOS. The trust cache prevents the installation of rogue software and ensures that
`
`only-Apple-verified applications can be run on iOS. (Pl.’s SOF ¶ 21.)
`
`Pointer Authentication Codes (or PAC): This hardware feature works with Apple software
`
`to protect iOS and makes it “difficult or impossible” for the kernel to run on non-Apple platform.
`
`(Krstic Dep. 132:25-133:17, 140:23-141:18, 142:19-143:3.) Apple began implementing custom
`
`PAC with the release of iOS 12.0 for the iPhone XR, XS, and XS Max in September 2018. (Pl.’s
`
`SOF ¶ 22.) PAC is a cryptographic signature Apple inserts and stores in various places in iOS
`
`code to ensure that the code is executed as intended, without modification or distortion. When the
`
`device processor receives certain instructions, it generates the cryptographic measurement for the
`
`next instruction it has been asked to execute. If the measurement does not match the stored PAC,
`
`the processor will halt execution. (Id.)
`
`D. THE CORELLIUM PRODUCT
`
`Corellium was founded in August 2017. (Gorton Dep. [DE 472-25] 20:8; Skowronek Dep.
`
`[DE 472-20] 46:21–47:2.) Development of a prototype of the Corellium Product began around
`
`summer 2017. (Gorton Dep. 33:5-21.) By January 2018, Corellium was able to demo the creation
`
`of a virtual device and was able to use the virtual device in basic ways. (Gorton Dep. 33:22-34:20).
`
`Corellium developed both a cloud (or online) version and an on-premises version (i.e., where the
`
`customer purchases and installs a server on their premises) of the Corellium Product. By the end
`
`of January 2018, a trial version (Version 1.1) of the cloud-based product was offered to a limited
`
`
`
`7
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 8 of 38
`
`number of users for beta testing (to detect bugs and any usability issues) and business development.
`
`(Gorton Dep. 52:23-53:9; Def.’s Fourth Am. Ans. to First Interr. No. 1 [DE 470-9].)
`
`The Corellium Product enables users to create and interact with virtual devices by loading
`
`firmware (that is, files for operating systems like iOS, Android, and Linux). (Def.’s SOF ¶ 30.)
`
`Virtualization is the ability to run software on hardware it is not ordinarily meant to run on. (Wang
`
`Dep. 55:10-21.) Among other reasons, virtualization is beneficial because it permits the user to
`
`run software on faster hardware and permits examination and debugging of the software to get a
`
`better understanding of how it works. (Wang Dep. 55:10-21.) According to Corellium’s founders,
`
`the Corellium Product was developed with the primary intent of facilitating security testing,
`
`research, and development by, inter alia, allowing researchers to examine aspects of iOS code.
`
`(Wade Dep. 179:17-20, 180:12-13; Wang Dep. 210:9-212:3; Gorton Dep. 50:20-51:5; Skowronek
`
`Dep. 71:18-23, 96:21-97:2.) Security research is an activity designed to find unintended and
`
`unknown weaknesses in a system, including through source code inspection and certain runtime
`
`debugging. (Krstic Dep. 123:12-124:3.) Among other things, security researchers are interested
`
`in whether software has vulnerabilities and how and if those vulnerabilities can be exploited and
`
`defended against. (Wang Dep. 249:17-22.) Security researchers include, for example, members
`
`of Apple’s Security Bug Bounty Program, a program that rewards researchers who help find
`
`vulnerabilities in Apple’s products. (Krstic Dep. 181:5-9.) Vulnerability is a technical term for a
`
`bug that has security impact; that is, if exploited, it can undermine the security of the user’s system.
`
`(Krstic Dep. 102:4-6.5) Security researchers can use their talent for good or for nefarious purposes.
`
`(Pl.’s SOF ¶ 61.)
`
`
`5 “In some context a bug could be different from a vulnerability . . . . An exploit uses a vulnerability
`to achieve a purpose,” such as a jailbreak. (Wang Dep. 51:9-14, 52:15-53:10.) Jailbreaking is a
`8
`
`
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 9 of 38
`
`Turning back to the Corellium Product, Corellium directly sells to customers and has, until
`
`recently, used a reseller for the on-premises version of the product.6 (Gorton Dep. 15:1-16:2,
`
`53:15-54:14, 125:17-19, 127:1-11.) For its direct sales, Corellium has a vetting process. (Gorton
`
`Dep. 52:14-18, 116:7-126:6; Dyer Dep. [DE 472-32] 32:2-36:15, 39:13-40:14, 46:14-57:13.)
`
`Generally, upon receiving an inquiry, the process begins with an initial evaluation. This initial
`
`analysis takes several factors into consideration, including whether the inquiry came from an
`
`enterprise account or from an individual account (e.g., a Gmail account). Corellium also considers
`
`the nature of the content of the inquiry and whether it comports with Corellium’s intended use for
`
`its product. For example, if the inquiry requests the ability to run iOS on an Android mobile
`
`device, Corellium discards it. Similarly, if there are red flags based on the identity of a putative
`
`customer (e.g., someone involved with unlawful activity) or based on the geographic origins of
`
`the request, Corellium does not engage.
`
`If Corellium finds, after the initial evaluation, that the request might be a qualified lead, it
`
`responds and starts a line of communication with the putative customer. Discussions at this stage
`
`may entail a telephone conversation, demo of the Corellium Product, providing a data sheet of
`
`product features and pricing or an order form with license terms, or an offer of a trial period in the
`
`cloud. In some cases, Corellium also continues to investigate the potential customer to determine,
`
`for instance, the nature of their business and their affiliations. Red flags during this investigation
`
`may result in a decision by Corellium not to continue to engage with the company.
`
`
`
`
`“mechanism to exploit security vulnerability or allow execution of code that didn’t come from [the
`developer].” Jailbreaking can be used for good. (Andrews Dep. 97:6-98:13.)
`
` Corellium contracted with two resellers but only one has engaged in any sales. (Gorton Dep.
`15:25-16:16.)
`
`
` 6
`
`
`
`9
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 10 of 38
`
`
`
`
`
`. (Gorton Dep.
`
`123:3-124:25, 163:8-164:7; Dyer Dep. 143:9-144:5, 150:15-153:11.) The vetting process is
`
`similar for the on-premises and cloud versions of the Corellium Product, except that for the cloud
`
`product, Corellium may sell to locations they are not otherwise comfortable shipping servers to.
`
`(Gorton Dep. 125:21-126:6.)
`
`In terms of Corellium’s control of the use of its product, customers are not required to
`
`report bugs or vulnerabilities in iOS to Apple or Corellium. (Gorton Dep. 128:7-130:16.)
`
`However, for the cloud product, if there are concerns regarding malicious activity, Corellium can
`
`log into an account, investigate, and terminate the account, if necessary. (Gorton Dep. 98:1-6,
`
`99:13-17, 107:10-20; Wade Dep. 204:4-15, 205:14-207:16, 208:24-15.) Corellium does not have
`
`the same control over the on-premises version of the Corellium Product; there is no way to even
`
`know where the product is after it has been shipped from Corellium, and customers are not required
`
`to keep the product in a particular location upon sale. Instead, Corellium asserts that it relies on
`
`the legal enforcement of licensing or end user agreements to ensure that its customers comply with
`
`any legal requirements.
`
`Corellium’s CEO and its Vice President of Sales and Business Development testified that
`
`the typical inquiry received pertains to application security testing, operating system security
`
`testing, training, and “miscellaneous.” “Miscellaneous” requests are not received often but might
`
`include things like continuous integration or the development of tools, such as forensics tools.
`
`(Gorton Dep. 118:4-24; see also Dyer Dep. 48:5-17, 83:9-105:15.) While Corellium may engage
`
`with iOS app developers, these developers are not target customers, and Corellium generally does
`
`
`
`10
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 11 of 38
`
`not advertise for application development, because the Corellium Product “is designed for security
`
`testing and research particularly,” and “[t]he price point makes it unattractive to app developers .
`
`. . .” (Gorton Dep. 118:14-24.)
`
`Once Corellium decides to sell the product, for either version of the Corellium Product,
`
`customers must pay an annual licensing fee and must purchase a server. Additionally, if the user
`
`chooses the Enterprise or Premium edition of the Corellium Product they must pay an upgrade fee.
`
`(Gorton Dep. 92:13-95:21; Dyer Dep. 66:1-24.) On-premises customers perform their own install
`
`and upgrades and manage their network. (Gorton Dep. 98:23-99:2; Wang Dep. 99:23-103:7,
`
`106:4-7.) Prior to April 2018, upon setting up the hardware and IP settings, an on-premises
`
`customer would not need to take additional steps to setup, as firmware (e.g., IPSW file) links were
`
`provided by ipsw.me. (Def.’s Fourth Am. Ans. to First Interr. No. 2.) However, for versions of
`
`the Corellium Product released between April 2018 and March 2019, an additional step of
`
`obtaining IPSW files must be performed and the files must be placed in
`
`
`
`. (Def.’s Fourth Am. Ans. to First Interr. No. 2.) Then, for versions of the
`
`Corellium Product released during or after March 2019, there are additional steps to get to the
`
`directory permitting download of the IPSW files required to set up iOS devices. (Def.’s Fourth
`
`Am. Ans. to First Interr. No. 2.) The setup for cloud-based customers is more straightforward;
`
`users log into their online account to get started.
`
`At the point users are ready to create a virtual iOS device, Corellium maintains an IPSW
`
`database which matches physical devices with available versions of iOS and the associated internet
`
`download addresses (URLs) for each IPSW file. (Pl.’s SOF ¶ 51.) From early 2019 until February
`
`2020, Corellium’s cloud interface included a “dropdown” menu that enabled its customers to select
`
`from a prepopulated list of iOS versions and iOS Devices. The customer would pick a version of
`
`
`
`11
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 12 of 38
`
`iOS and device from that menu (e.g., iPhone 11 Max running iOS 13), and the Corellium Product
`
`would automatically download the associated IPSW file from Apple’s servers. (Pl.’s SOF ¶ 52.)
`
`Corellium also instructs its customers on how to manually download IPSW files from Apple’s
`
`servers and then load or import those files into the Corellium Product to create iOS virtual devices.
`
`(Pl.’s SOF ¶ 53.) Thus, customers obtain IPSW files by manual download or by a Corellium
`
`program that automates downloading the IPSW files from Apple servers. On-premises customers
`
`have the option of saving IPSW files manually. (Def.’s SOF ¶ 55.) Each time a Cloud user wants
`
`an IPSW file, the user must download it from Apple’s servers; Corellium does not save the IPSW
`
`file on its system. (Wang Dep. 152:18-153:1.7)
`
`The Corellium Product dynamically unpacks IPSW files as they are downloading. (Def.’s
`
`SOF ¶ 53.) The files are “transiently stored” until they can be transferred to the right compute
`
`node and translated, and are there for a “very short amount of time.” (Wang Dep. 173:8-17;
`
`Skowronek Dep. 116:2-117:1, 119:13-120:22, 166:8-19.) Additionally, in creating virtual devices,
`
`the Corellium Product does not use iOS in the form in which it exists within the downloaded IPSW
`
`files. Rather, once a user loads the firmware, the Corellium Product “transforms” iOS by
`
`
`
`
`
`
`
`. (Def.’s SOF ¶ 66.9) Thus, following the transformation process, the software
`
`
`7 There is evidence that, at least once, Corellium provided IPSW files to its reseller for a demo
`unit. (Azimuth Security, LLC Dep. [DE 557-13] 175:176:4.)
`
` 8
`
`
`
`.
`
`
`
`
`
` 9
`
`
`
` Corellium uses the term “transform” to describe this process, while Apple appears to prefer the
`word “modify.” Regardless if it is a “transformation” or “modification,” there are some changes
`12
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 13 of 38
`
`involved in creating the virtual device derives from a combination of Corellium’s code and Apple’s
`
`iOS code. (Wang Dep. 158:13-159:16, 161:15-162:5, 195:17-23; Andrews Dep. 102:23-103:16.)
`
`Additionally, Corellium ordinarily avoids using encrypted parts of the IPSW files because it cannot
`
`decrypt them. (Wang Dep. 64:2-15, 65:4-12, 259:19-24.) However, if a user has an unencrypted
`
`version of otherwise encrypted portions of the firmware, the Corellium Product allows the user to
`
`load it and see those portions displayed in the Corellium Product. (Gorton Dep. 96:9-19.)
`
`E. ACQUISITION EFFORTS
`
`Between January 2018 and the summer of 2018, the parties engaged in discussions
`
`regarding Apple’s potential acquisition of Corellium. During this time, the parties met in-person
`
`and telephonically. Corellium explained to Apple the technology behind the Corellium Product
`
`and how it works, and discussed Corellium’s business and intention to commercialize the
`
`Corellium Product.10 In addition to several engineers, discussions involved Apple’s Senior Vice
`
`President of Software Engineering, the Vice President of OS Software Engineering, and the Head
`
`of Apple’s Security Engineering and Architecture. (See Federighi, Andrews, & Krstic Dep., supra
`
`n.10.) Corellium also provided Apple with a temporary account or administrative access to the
`
`Corellium Product. (Andrews Dep. 50:15-54:9, 60:15-20, 168:17-25.) While Apple’s legal
`
`department did not formally discuss copyright violations with Corellium, there is a dispute as to
`
`whether, and to what extent, Corellium was told by Apple employees that Corellium needed a
`
`
`made once the user loads the IPSW files. Hence, the Court uses the words “change,’ “modify,”
`and “transform” interchangeably.
`
`10 See, e.g., Gorton Dep. 177:22-178:8, 180:18-181:17; Andrews Dep. 48:23-49:25, 50:15-54:9,
`60:15-20, 102:13-22, 112:23-113:13, 133:2-134:4, 162:14-163:12, 168:17-25, 188:17-24; Krstic
`Dep. 72:12-23, 74:18-75:3, 143:20-144:6, 149:6-15; Wade Dep. 274:4-276:15; Smith Dep. [DE
`472-28] 64:13-65:25, 83:18-84:10, 134:4-135:3; Federighi Dep. [DE 472-10] 31:8-23, 73:5-13,
`142:8-23.
`
`
`
`13
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 14 of 38
`
`license to utilize iOS in connection with the Corellium Product. (Wade Dep. 276:4-15, 278:1-5;
`
`Federighi Dep. 42:9-44:8, 115:12-14, 128:2-9, 132:8-133:4.)
`
`
`
`If Apple had acquired the Corellium Product, the product would have been used internally
`
`for testing and validation (that is, for verifying any system weaknesses and functioning of devices).
`
`(Marineau-Mes Dep. 27:3-22, 121:17-19; Krstic Dep. 171:22-25; Smith Dep. 61:16-19.) Even
`
`with the Corellium Product, Apple would still need physical iPhones to conduct its testing. (Wade
`
`Dep. 210:20-21; Marineau-Mes Dep. 200:10-202:18.) Generally, the Corellium Product received
`
`positive feedback from Apple employees. (Andrews Dep. 159:13-16, 192:23-193:15; Krstic Dep.
`
`106:5-10.) But there were also concerns, including regarding its utility and long-term value to
`
`Apple. (Krstic Dep. 106:5-107:12, 110:9-22.)
`
`
`
`The parties ultimately could not agree on a price and, as a result, acquisition efforts were
`
`unfruitful. Roughly a year after talks fell apart, Apple filed this suit. (See Compl. [DE 1].)
`
`F. SECOND AMENDED COMPLAINT
`
`In the Second Amended Complaint [DE 589], Apple asserts claims against Corellium for
`
`Direct Federal Copyright Infringement (Computer Programs), 17 U.S.C. § 501, Direct Federal
`
`Copyright Infringement (Graphical User Interface Elements), 17 U.S.C. § 501, Contributory
`
`Federal Copyright Infringement, 17 U.S.C. § 501, and Unlawful Trafficking, 17 U.S.C. §§
`
`1201(a)(2), (b), 1203. Apple contends that Corellium infringed on the following products:
`
`
`
`14
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 15 of 38
`
`
`
`(Sec. Am. Compl., Ex. A.) Each of Apple’s copyright registrations “[e]xclude . . . [p]reviously
`
`published Apple material,” including prior versions of iOS. (Def.’s SOF ¶ 21.)
`
`SUMMARY JUDGMENT STANDARD
`
`Under Federal Rule of Civil Procedure 56, “summary judgment is proper if the pleadings,
`
`depositions, answers to interrogatories, and admissions on file, together with the affidavits, if any,
`
`show that there is no genuine issue as to any material fact and that the moving party is entitled to
`
`a judgment as a matter of law.” Celotex Corp. v. Catrett, 477 U.S. 317, 322 (1986). “[G]enuine
`
`disputes of facts are those in which the evidence is such that a reasonable jury could return a verdict
`
`for the non-movant.” Mann v. Taser Int’l, Inc., 588 F.3d 1291, 1303 (11th Cir. 2009) (internal
`
`marks and citation omitted). A fact is material if, under the applicable substantive law, it might
`
`affect the outcome of the case. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986).
`
`A party seeking summary judgment bears the initial responsibility of supporting its motion
`
`and identifying those portions of the record which it believes demonstrate the absence of a genuine
`
`issue of material fact. Celotex, 477 U.S. at 323. “[A]t the summary judgment stage the judge’s
`
`
`
`15
`
`

`

`Case 9:19-cv-81160-RS Document 784 Entered on FLSD Docket 12/29/2020 Page 16 of 38
`
`function is not himself to weigh the evidence and determine the truth of the matter but to determine
`
`whether there is a genuine issue for trial.” Anderson, 477 U.S. at 249. The Court “must view all
`
`the evidence and all factual inferences reasonably drawn from the evidence in the light most
`
`favorable to the nonmoving party and must resolve all reasonable doubts about the facts in favor
`
`of the non-movant.” Rioux v. City of Atlanta, Ga., 520 F.3d 1269, 1274 (11th Cir. 2008) (internal
`
`marks and citation omitted).
`
`DISCUSSION
`
`Apple’s claims fall in two buckets: copyright infringement and violation of section 1201
`
`of the DMCA. In its motion, Corellium argues it is entitled to summary judgment in its favor
`
`because (1) the Corellium Product contains no copyrighted Apple code, (2) the fair use doctrine
`
`makes any use of protectable elements of Apple’s work permissible, (3) Apple misused its
`
`copyright, (4) Apple should be estopped from asserting a copyright claim against Corellium, (5)
`
`Apple cannot show that Corellium infringed any of the 17 copyrights at issue in the Second
`
`Amended Complaint,11 and (6) the Corellium Product does not violate the DMCA. Apple also
`
`moves for partial summary judgment on the DMCA issue, arguing it is entitled to summary
`
`judgment in its favor because Corellium violated the antitrafficking provisions of the statute.
`
`Before turning to the DMCA, the Court will analyze the copyright claim. If the Court
`
`agrees that the fair use doctrine applies, Cor