The heart of tech is coming to the heart of the Mediterranean. Join TNW in València this March 🇪🇸

This article was published on May 27, 2019

Apple’s privacy reputation at risk with new iTunes class-action lawsuit

Apple’s privacy reputation at risk with new iTunes class-action lawsuit
Ravie Lakshmanan

Apple has marketed itself as a company that puts customers’ privacy first, but a new class-action lawsuit claims to the contrary.

Leigh Wheaton, Jill Paul, and Trevor Paul — three iTunes users from Rhode Island and Michigan — have filed a federal lawsuit against the Cupertino-based tech giant alleging that the company unlawfully collects and sells their iTunes listening information to third parties without informed consent.

The claims, if true, are bound to puncture a hole in Apple’s pro-privacy stance, which it hopes will distance the company from its data-hungry peers like Amazon, Facebook, and Google.

Apple even took to the Consumer Electronics Show (CES) earlier this year to tout its privacy advantage with the ad slogan: “What happens on your iPhone stays on your iPhone.”

But according to the 51-page lawsuit that was filed on May 24 in California’s Northern Federal District, “None of the information pertaining to the music you purchase on your iPhone stays on your iPhone.”

The lawsuit also comes days after Apple outlined a new method for tracking online ads without invading users’ privacy.

Tracking iTunes customers

The plaintiffs allege that a third party can purchase a list of iTunes customers based on different demographic requirements, like a list of unmarried people who have a taste for a particular genre of music:

For example, any person or entity could rent a list with the names and addresses of all unmarried, college-educated women over the age of 70 with a household income of over $80,000 who purchased country music from Apple via its iTunes Store mobile application. Such a list is available for sale for approximately $136 per thousand customers listed.

The data Apple discloses supposedly includes the full names and home addresses of its customers, together with the genres and, in some cases, song titles customers have purchased via the iTunes Store and then stored in their devices.

The lawsuit further alleges that the third-party beneficiaries of this listening data match it to other sensitive personal information gathered about iTunes users from various sources, and then resell that information on the open market.

In addition, it says Apple provided listening data access via its MediaPlayer Framework APIs without receiving any permission from the users. It pointed to an issue raised by iOS developer David Benson in 2016 which allowed third-party app developers to access titles of all songs purchased by a user on iTunes. Apple took more than six months to fix the problem.

Collectively, over 100 plaintiffs are seeking an excess of $5 million in total damages. They are demanding a compensation of $250 for each Rhode Island iTunes customer whose information was disclosed, and $5,000 per user in Michigan, under the states’ respective privacy laws.

What the legalese says?

Apple’s privacy policy does state that it uses your iTunes listening information, downloads, and purchases to personalize the experience and deliver targeted ads on the App Store. It nowhere mentions disclosing your listening habits to third-parties.

From the iTunes Store & Privacy page:

We use information about your device, account, purchases, downloads, and browsing, including search terms, in Stores in order to ensure that ads in the Stores are relevant. We create groups of people, called segments, who share similar characteristics and we use these groups for delivering targeted ads.

And, from its privacy policy page:

We may collect information regarding customer activities on our website, iCloud services, our iTunes Store, App Store, Mac App Store, App Store for Apple TV and iBooks Stores and from our other products and services. This information is aggregated and used to help us provide more useful information to our customers and to understand which parts of our website, products, and services are of most interest. Aggregated data is considered non‑personal information for the purposes of this Privacy Policy.

With trust in Silicon Valley tech companies hitting an all-time low over the last few years, it’ll be interesting to see how this lawsuit plays out. Apple is yet to comment on the latest development.

Also tagged with