Apple facing class action lawsuit over alleged iTunes & Apple Music data sale

Posted in General Discussion, edited May 25
Residents of Rhode Island and Michigan lead the suit, which maintains that Apple profits unjustly by releasing what users play in iTunes and on Apple Music to other companies, and also allowing third-party app developers direct access to what tracks are in users' iTunes library.




A class action suit has been filed against Apple in the US District Court, Northern District of California, on behalf of all Apple users, by three residents of Rhode Island and Michigan. Leigh Wheaton, Jill Paul and Trevor Paul claim that Apple profits from releasing the extensive demographic data it has about its users: their full names, ages, and addresses, plus their history of music listening preferences.

The suit is pegged to Apple's recent Las Vegas billboard promoting privacy. "The statement on the billboard is plainly untrue, however," says the filing, "because... none of the information pertaining to the music you purchase on your iPhone stays on your iPhone."

Lawyers for the plaintiffs are seeking $250 for Wheaton and every user allegedly affected, plus $5,000 to the complainants. The suit does not establish how many people would be involved beyond "tens of thousands", but the filing says that the "aggregate amount in controversy exceeds $5,000,000."

To support the claim that Apple "sells, rents, transmits and/or otherwise discloses, to various third parties" this information, the suit includes details of such information being available to buy. Significantly, the data is not sold by Apple nor limited to it.

"For instance," says the suit, "the Personal Listening Information of 18,188,721 'iTunes and Pandora Music Purchasers,' residing across the United States (including in Michigan and Rhode Island), is offered for sale on the website of Carney Direct Marketing."

Screenshot of broker firm CDM's apparent sale of iTunes user data (source: court filing)


A second company, SRDS, is cited as offering the same information, which consists of highly detailed demographic data.

Separately, the case claims that Apple provides data to iOS developers. "For example, using the MPMediaQuery.songsQuery() function of the MediaPlayer Framework API," continues the suit, "developers are able to grant themselves access to metadata that identifies the titles of all of the songs that a particular user of their application has purchased on iTunes."

To support this, the plaintiffs detail how on January 13, 2016, iOS developer Ben Dodson filed a bug report to Apple saying that the current system could allow details of a user's entire music database to be revealed. Dodson wrote about his bug report on his blog at the time.

According to the lawsuit, this bug was not addressed by Apple until eight months later "on or about September 13, 2016," when iOS 10 was released. It further says that Apple then effectively just included a notice informing users that their data would be used this way.

Apple has not yet commented on the lawsuit.

Comments

  • Reply 1 of 16
    EsquireCats Posts: 601 member
    Going to need to see two things: (i) Proof that Apple provides 3rd parties with customers' personal information for delivering the music service (they don't) and the described bug doesn't convey intent (actually it infers the opposite hence "bug" not "feature"), and (ii) what kind of damage this has caused even if it were a bona fide activity. Furthermore the billboard is irrelevant to the case.

    These lie on the comical end of settlement-fishing activities.
  • Reply 2 of 16
    ericthehalfbee Posts: 4,078 member
    Curious how they’re able to make these claims:

    “their full names, ages, and addresses, plus their history of music listening preferences.”

    There are no APIs available in iOS to get your real name, device ID, address, age, AppleID or any other personal information about you. There USED to be an API to get your music library.

    That’s quite the leap from seeing your tracks to getting explicit personally identifying information about you. I can’t wait to see how they’re going to prove Apple provides this information.
  • Reply 3 of 16
    lkrupp Posts: 7,162 member
    Wouldn't be surprised to find out this is a coordinated attack on Apple’s reputation for privacy and security by competitors. The way the world works now is you're guilty until you prove yourself innocent. An accusation alone is enough to ruin reputations and careers. It could be a fishing trip to find out how Apple works during the discovery process. Of course, it could be true too. That would be a big deal indeed.

    In some minds here Apple is already guilty and I’m sure we’ll be hearing from those people any minute now. Apple had better jump on this hard and quick or the accusation will confirm guilt in the media.
    edited May 25
  • Reply 4 of 16
    loopless Posts: 102 member
    In the bigger picture, when you give an app access to, say, your address book, nothing stops that app from harvesting all that data and sending it - except the threat of being discovered and banned from the App Store. Apple tries to strike a balance, in what they give apps access to and users' privacy.
  • Reply 5 of 16
    titantiger Posts: 229 member
    My guess is that some apps that users have allowed access to their iTunes libraries and have signed up for an account that includes full name and email has been cross referenced with publicly available information.  Unless they can prove Apple was giving this info away without the user consenting to it, this suit is dead in the water.

    I also agree that it likely could be a stunt by Android competitors to just throw FUD out there for a few headlines to undermine Apple's privacy advantage.  Doesn't matter whether it has merit or is ultimately successful.  The headlines are enough to do what they need.  Anything else is gravy.
  • Reply 6 of 16
    dysamoria Posts: 2,211 member
    lkrupp said:
    Wouldn't be surprised to find out this is a coordinated attack on Apple’s reputation for privacy and security by competitors. The way the world works now is you're guilty until you prove yourself innocent. An accusation alone is enough to ruin reputations and careers. It could be a fishing trip to find out how Apple works during the discovery process. Of course, it could be true too. That would be a big deal indeed.

    In some minds here Apple is already guilty and I’m sure we’ll be hearing from those people any minute now. Apple had better jump on this hard and quick or the accusation will confirm guilt in the media.
    So, in your preferred world, a conspiracy against a favorite corporation, without evidence to demonstrate it as fact, is a more likely scenario than that corporation actually doing something you don’t believe (or care) that they actually do, and the unnamed shady conspirators are guilty until proven nonexistent, because “the way it is these days”...?
  • Reply 7 of 16
    This feels like a fishing lawsuit...

    I’ll note, my Amazon Music app can’t access my songs purchased through Apple.

    But, I once had an alarm clock app that could play Apple Music, which suggests some data is passed to 3rd parties...

    I’m not sure, what or any data, was passed back to the dev.  

    I certainly don’t think Apple profited...

    Unless... you consider the app was purchased through the App Store, which isn’t lawsuit worthy.
  • Reply 8 of 16
    arthurba Posts: 106 member
    My guess is that some apps that users have allowed access to their iTunes libraries and have signed up for an account that includes full name and email has been cross referenced with publicly available information.  
    Spot on. The marketing list available is ‘Apple AND Pandora users’ not ‘Apple or Pandora users’. Looks like Pandora have been harvesting data to make a buck. And if that’s the case, bye bye Pandora. 
  • Reply 9 of 16
    titantiger Posts: 229 member
    dysamoria said:
    lkrupp said:
    Wouldn't be surprised to find out this is a coordinated attack on Apple’s reputation for privacy and security by competitors. The way the world works now is you're guilty until you prove yourself innocent. An accusation alone is enough to ruin reputations and careers. It could be a fishing trip to find out how Apple works during the discovery process. Of course, it could be true too. That would be a big deal indeed.

    In some minds here Apple is already guilty and I’m sure we’ll be hearing from those people any minute now. Apple had better jump on this hard and quick or the accusation will confirm guilt in the media.
    So, in your preferred world, a conspiracy against a favorite corporation, without evidence to demonstrate it as fact, is a more likely scenario than that corporation actually doing something you don’t believe (or care) that they actually do, and the unnamed shady conspirators are guilty until proven nonexistent, because “the way it is these days”...?
    Call me crazy, but yeah.  It's not that I don't think a corporation would sell information on the side and not really tell you about it, or like Google make claims that privacy matters but sell your stuff anyway.  But I don't believe Apple would brazenly advertise privacy as a core commitment and an advantage over their competitors while selling my info on the sly.  Plus, it doesn't really make sense for Apple.  It doesn't help their business model at all and in fact would kill their reputation.  They couldn't make enough money from it to put all that at risk.
  • Reply 10 of 16
    chasm Posts: 1,597 member
    Even the lawsuit admits that zero of this information came directly from Apple, so ... how exactly did Apple profit from "selling" it when the lawsuit itself admits they didn't?

    I don't think this case is going to get very far, because if there are any guilty parties here (and there seem to be), they are not named Apple.
  • Reply 11 of 16
    LordeHawk Posts: 156 member
    Ridiculous, Apple’s most recent Q2 Revenue was over 58 billion, privacy is worth more to Apple than the pennies our data would make.  Not logically possible, even if Apple is required to share listening data with content owners, it would be anonymous.  Not to mention each of Apple’s new services clearly feature privacy and data security.

    If the data is real, the most likely culprit would be a rogue app that steals this data to sell for profit.

    Here is the Apple Music API rule:
    Apps that access Apple Music user data, such as playlists and favorites, must clearly disclose this access in the purpose string. Any data collected may not be shared with third parties for any purpose other than supporting or improving the app experience. This data may not be used to identify users or devices, or to target advertising.
  • Reply 12 of 16
    AppleExposed Posts: 1,188 unconfirmed, member
    lkrupp said:
    Wouldn't be surprised to find out this is a coordinated attack on Apple’s reputation for privacy and security by competitors. The way the world works now is you're guilty until you prove yourself innocent. An accusation alone is enough to ruin reputations and careers. It could be a fishing trip to find out how Apple works during the discovery process. Of course, it could be true too. That would be a big deal indeed.

    In some minds here Apple is already guilty and I’m sure we’ll be hearing from those people any minute now. Apple had better jump on this hard and quick or the accusation will confirm guilt in the media.

    iKnockoff Knights already use rumors and fallacies as fact.
  • Reply 13 of 16
    Garbage. Apple isn’t selling this data. When an app requires you to sign up to use it, they can match your email address with data that has already been collected for it. If you use Facebook or Google to create an account they really got you. Look at the privacy settings in iOS. There is one for iTunes Media library. It says these apps have requested access to your media library. Any apps that have requested and been granted access are possible culprits.

    Totally illogical to think a company with 260B in annual sales would sell its users' data for a few million. For app developers it could be a lot of money. And there are lots of apps that are just guises to collect their users' data. Apple requires them to ask the user for it. But how many read fine? And if they even did, it’s always vague and ambiguous. Last, if Apple were selling user data, how would that not get out? Tim Cook and others would be tossed in prison for defrauding customers and investors. It would be a layup since Apple uses its stance on privacy to benefit from more sales and higher stock price.
  • Reply 14 of 16
    Just FYI: Written a TON of Apple software.

    The Media Library requires that the user give explicit permission for the app to access the user library.

    I’ve written apps that do exactly that. The code is open source, and I could show you exactly how it’s done.

    If the user refuses the request, the app can’t access the library.

    The app also needs to register with the operating system as requesting this permission.

    Read all about it: https://developer.apple.com/documentation/medialibrary

    If the user grants this permission, then the app can do what it likes with the data. However, expect it to be checked for things like exporting it by the App Reviewers. That said, it wouldn’t be too difficult for unscrupulous developers to find ways to get the data out of the sandbox.

    Someone mentioned that it could be that Pandora either sold its DB, or had it purloined. That sounds likely.

    These people are not-so-bright.

    edited May 26
  • Reply 15 of 16
    cropr Posts: 944 member

    Call me crazy, but yeah.  It's not that I don't think a corporation would sell information on the side and not really tell you about it, or like Google make claims that privacy matters but sell your stuff anyway.  But I don't believe Apple would brazenly advertise privacy as a core commitment and an advantage over their competitors while selling my info on the sly.  Plus, it doesn't really make sense for Apple.  It doesn't help their business model at all and in fact would kill their reputation.  They couldn't make enough money from it to put all that at risk.
    Google does not sell your data.  Google sells an advertisement service where your data is being used, but your data is never exposed outside of Google.  I've done several ad campaigns with Google and I never got hold of the details of the persons who viewed or clicked the ad.  It would not make sense for Google to sell the data if their whole business is built around it.  Nobody sells its crown jewels.

    I do believe that Apple is not selling and exposing your personal details to anyone else. Also here, it would not make sense. But the marketing story Apple is sending out is slightly misleading. Any app developer can collect an enormous amount of data, even without asking personal details. You would be surprised if you would see how much personal data can be obtained just from tracking the IP address of your device. You can pay a visit to the site of e.g. Maxmind who sells IP address related information to companies. If an app has a legitimate reason to ask for your e-mail address or your personal coordinates, then this opens up a whole lot of possibilities for the app developer without violating the app store guidelines.
    edited May 26
  • Reply 16 of 16
    wormey Posts: 1 member
    This is the tip of the iceberg.  Wait till you find out how Apple's board of directors conspired with Clinton and Obama to spy on the Trump campaign.

    https://utbblogs.com/apple-public-private-position-privacy
