A class action lawsuit has been filed in California against Apple for allegedly harvesting iPhone user data. The suit is based on research that showed how multiple iPhone apps send Apple analytics data, regardless of whether the iPhone Analytics privacy setting is turned on or off.
The researchers found that the Apple App Store sends the company exhaustive information about nearly everything a user does in the app. What’s more, the researchers found that the problem persists across most of Apple’s suite of built-in iPhone apps, not just the App Store.
Analytics
We’ve known for years that device analytics should be turned off, and iPhones and IPads have several privacy settings that are supposed to turn off tracking.
However, researchers at Mysk have recently shown that despite Apple introducing strict measures in iOS 14.5 to prevent fingerprinting, detailed usage data is still sent to Apple when a user is active in the App Store app.
In an interview with Gizmodo, the researchers explained how the App Store harvests information about every single action you perform, including what you tapped on, which apps you search for, which ads you saw, and how long you looked at a given app—and even how you found the ad. The app also sends details about you and your device, including ID numbers, what kind of phone you’re using, your screen resolution, your keyboard languages, and how you’re connected to the internet. In short, fingerprinting details.
Privacy settings
What’s most disturbing is that turning the available privacy settings on and off makes no difference. Apple hasn’t yet commented, and It’s entirely possible that Apple doesn’t use the information if you use the privacy settings, but that’s not how the company explains what the settings do in its privacy policy.
The lawsuit
While the initial research was done on the App Store app of a jailbroken iPhone running iOS 14.6, and the rest is an extrapolation backed by similar bursts of encrypted traffic, it provided enough reasons to file a class action lawsuit against Apple.
The lawsuit accuses Apple of violating the California Invasion of Privacy Act. California privacy laws prohibit unauthorized recordings of confidential communications. Plaintiff Elliot Libman feels that by using the privacy settings on his iPhone he explicitly denies that authorization. Additionally, he feels that Apple’s iPhone and iPad Analytics settings make an explicit promise. Apple says that it will “disable [the sharing of] Device Analytics altogether” if a consumer turns off, respectively, “Share iPhone Analytics” or “Share iPad Analytics.”
Some of his prime allegations read:
“Defendant [Apple] violates state law in connection with its illegal recording of consumers’ confidential activity on its consumer mobile applications (“apps”)—a huge and growing treasure trove of data that Apple amasses and uses for its own profit.”
“Through its pervasive and unlawful data tracking and collection business, Apple knows even the most intimate and potentially embarrassing aspects of the user’s app usage—regardless of whether the user accepts Apple’s illusory offer to keep such activities private.”
For a company that prides itself for taking user privacy seriously, these are serious findings and allegations. We will keep you posted on future developments in this case.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.