Apple sued for storing iCloud data on third-party servers

Posted:
in General Discussion edited August 12
A class-action lawsuit lodged with a California court on Monday accuses Apple of false advertising, claiming the company banked on its name by telling consumers iCloud data is "stored by Apple" when, in fact, the information is in some cases siloed on servers run by Amazon, Google and Microsoft.

iCloud Datacenter


Filed with the U.S. District Court for the Northern District of California, the class-action complaint takes issue with Apple's iCloud data handling policies and, more specifically, its lack of transparency on where customer information is stored.

According to the suit, Apple breached customer trust and legally binding contracts by using its status and name to sell iCloud subscriptions to customers believing their data would be stored in a cloud that it owned and operated. Instead of first-party servers, the company farmed out bandwidth to Amazon Web Services, Google and Microsoft's Azure platform.

The conceit is that Apple "lacked the necessary infrastructure" to run iCloud and was therefore not in total control of iCloud data during the contract period. It therefore misrepresented the nature of the service to potential and existing subscribers.

"Touting itself as the provider of the iCloud service (when, in fact, Apple was merely reselling cloud storage space on cloud facilities of other entities) allowed Apple not only to obtain paid subscriptions of class members who subscribed to iCloud believing that their cloud storage was being provided by Apple, but also allowed Apple to charge a premium for its iCloud service because subscribers placed a value on having the 'Apple' brand as the provider of the storage service for their most sensitive data," the suit reads.

The suit maintains plaintiffs entrust Apple with important and personal information, and pay a premium to keep that data safe. Plaintiffs Andrea M. Williams of Florida and James Stewart of San Francisco, Calif., are named in the suit and claim they were not informed that iCloud would store data on non-Apple servers. If they had known about the strategy, the pair would either not have subscribed or would have not paid the "Apple premium" for access to the service.

Compounding the problem are competing, and in some cases less expensive, cloud storage solutions marketed by Apple's providers in Amazon Drive, Google Drive and Microsoft's OneDrive.

Plaintiffs allege Apple makes no mention of third-party servers in its marketing materials or its iCloud terms and conditions. Indeed, the preamble to iCloud's customer agreement suggests all data flows directly from user devices to Apple itself.

"When iCloud is enabled, your content will be automatically sent to and stored by Apple, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers," the document reads.

Interestingly, Apple's Chinese iCloud agreement more accurately describes the situation, at least in that region. As per state law, the company stores Chinese cloud data on local servers, in this case run by Guizhou-Cloud Big Data, or GCBD.

"When iCloud is enabled, your content will be automatically sent to and stored by GCBD, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers," Apple says.

Industry watchers have known about Apple's iCloud outsourcing since at least 2011, when the tech giant was rumored to tap AWS, Microsoft or both for the then-new cloud storage product. More recently, Apple in early 2018 confirmed iCloud relies in part on third-party services like Google Cloud Platform.

For its part, Apple goes to great lengths to ensure iCloud security surpasses industry norms. In an iOS Security document last updated in May (PDF link), the company details its security protocols, saying files from contacts, calendars, photos, documents and more are broken into chunks and encrypted using AES-128. A key generated from each chunk's contents is created and stored with corresponding metadata in a user's iCloud account.

"The encrypted chunks of the file are stored, without any user-identifying information or the keys, using both Apple and third-party storage services -- such as Amazon Web Services or Google Cloud Platform -- but these partners don't have the keys to decrypt your data stored on their servers," Apple says.

Plaintiffs seek class status, injunctive relief enjoining Apple from continuing to falsely misrepresent iCloud storage policies, unspecified damages and legal fees.

«134

Comments

  • Reply 1 of 63
    The most frivolous lawsuit ever! Apple has no obligation to inform subscribers that they utilize 3rd party Cloud Service Providers. Furthermore, given how these applications are architected it’s impossible to determine whether or not a user’s data physically resides on a server located inside an Apple data center or a CSP datacenter. Companies, such as Apple, commonly utilize CSP’s to augment their own data enters and/or collocation facilities...
    andrewj5790bigtdsmagman1979StrangeDaysolswatto_cobra
  • Reply 2 of 63
    Rayz2016Rayz2016 Posts: 4,730member
    Wow. 

    This is beyond desperate. 

    Said It before and I’ll say it again. If you lose a lawsuit you should be forced to pay the other party’s legal costs. 
    andrewj5790JWSCdanhentropysDAalsethbigtdsbloggerblogkuraimagman1979gilly33
  • Reply 3 of 63
    big kcbig kc Posts: 121member
    So, exactly how were the plaintiffs damaged? What a joke. If someone files a BS lawsuit like this, upon losing, they should be fully responsible for the defendant's legal fees. That would stop this garbage in its tracks.
    andrewj5790bloggerblogmagman1979StrangeDaysgilly33olswatto_cobrabadmonk
  • Reply 4 of 63
    mattinozmattinoz Posts: 1,124member
    How many of the class don't use Amazon, Microsoft or Google infrastructure in another product?
    Paid or ad-supported or is the beef they are comparing Ad-supported with a Paid service and not realising what they are really giving up.
    edited August 13 andrewj5790watto_cobra
  • Reply 5 of 63
    ...and I would have the opposite response to those so far - go figure... Is everyone merely one coding error, hack or in the worst case one EULA away from who knows what down the line...? Is any centralized cloud computing service a flawed security concept by design ?

    I find myself continually turning off macOS preferences that have somehow been set to send information to external sources, like Siri searches for apps I recall I have turned off in prior 'upgrades', including Siri of course...

    edited August 13 iCavemuthuk_vanalingamGeorgeBMacgatorguy
  • Reply 6 of 63
    Frivolous lawsuit. 
    The lawyer suing Apple should lose his or her license. 

    magman1979watto_cobra
  • Reply 7 of 63
    The lawsuit is 100% appropriate.

    Apple has given the public the impression they store data in their own datacenters, and as Apple provides these services around the planet and customers in different countries should be informed where their data actually is stored so they can make informed decisions if they want to use the service or not.  It probably also has lead customers to believe they got an increased level of privacy (as spouted by Apple marketing), when in reality they got closer to Amazon Web Services, Google and Microsoft base level. If I knew my iCloud data was stored on Google servers, I would have ended the iCloud subscription immediately. 

    But of course for ex-Compaq Tim Cook, he don't see the difference.


    edited August 13 iCaveCloudTalkinmuthuk_vanalingamGeorgeBMacairnerdbobroomobirdelijahgdysamoria
  • Reply 8 of 63
    One might as well argue, and be more concerned with, data in transit being ALWAYS passed through  in transit, other   unnamed  number of vendors. 
    Consider your own local loop to your phone company, the long-haul carriers which can be multiple companies. And we must remember that peer to peer, client server web data bases often have functionality distributed over multiple servers for such things as the keys were talking about above, account verification, actual end file storage, etc. 
    End-users should always expect that their data of all kinds is spread over a number of servers, a number of vendors, a number of transport carriers, and a number of applications within the services of those vendors
    FileMakerFellerwatto_cobra
  • Reply 9 of 63
    Rayz2016 said:
    Wow. 

    This is beyond desperate. 

    Said It before and I’ll say it again. If you lose a lawsuit you should be forced to pay the other party’s legal costs. 
    I thought that was typical if you lose. Ask Samsung. Ask those families who tried to sue the movie theater in Aurora, Co, when they were blaming the theater for their family members murders. The judge warned them not to proceed because of this and they ended up with the loss of a family member and a huge legal bill when the judge sided with the theater. 

    watto_cobra
  • Reply 10 of 63
    ElCapitan said:
    The lawsuit is 100% appropriate.

    Apple has given the public the impression they store data in their own datacenters, and as Apple provides these services around the planet and customers in different countries should be informed where their data actually is stored so they can make informed decisions if they want to use the service or not.  It probably also has lead customers to believe they got an increased level of privacy (as spouted by Apple marketing), when in reality they got closer to Amazon Web Services, Google and Microsoft base level. If I knew my iCloud data was stored on Google servers, I would have ended the iCloud subscription immediately. 

    But of course for ex-Compaq Tim Cook, he don't see the difference.


    I think you are confusing your interpretation of what Apple said. They never said they owned the servers that house iCloud data, plus they don’t go into detail with the public on what data  is stored on those specific servers. Plus the fact that they use encryption which so far no one has been able to defeat makes it hard to present a case in which the plaintiffs or you were harmed.

    mattinozdanhRayz2016n2itivguyuraharakuraiStrangeDayswatto_cobra
  • Reply 11 of 63
    I think (IANAL) that Apple could be on the hook for 'false advertising' but it is really splitting hairs. If Apple are guilty then almost every other advertiser out there and their Ad Agencies will get a rude wakeup call. How many adverts do you see where you know that the claim is dubious. Oh, and flashing a disclaimer on the screen for 1mS is not enough to get you off the hook.

    Other than that, I fail to see how those bringing the lawsuit have been financially damaged.
    muthuk_vanalingamFileMakerFellerwatto_cobra
  • Reply 12 of 63
    ElCapitan said:
    The lawsuit is 100% appropriate.

    Apple has given the public the impression they store data in their own datacenters, and as Apple provides these services around the planet and customers in different countries should be informed where their data actually is stored so they can make informed decisions if they want to use the service or not.  It probably also has lead customers to believe they got an increased level of privacy (as spouted by Apple marketing), when in reality they got closer to Amazon Web Services, Google and Microsoft base level. If I knew my iCloud data was stored on Google servers, I would have ended the iCloud subscription immediately. 

    But of course for ex-Compaq Tim Cook, he don't see the difference.


    I think you are confusing your interpretation of what Apple said. They never said they owned the servers that house iCloud data, plus they don’t go into detail with the public on what data  is stored on those specific servers. Plus the fact that they use encryption which so far no one has been able to defeat makes it hard to present a case in which the plaintiffs or you were harmed.

    I am not confusing anything. Apple has made multiple announcements of how they are building large data centers for iCloud and other services, and have even given tours of them for journalists. 

    It has been generally assumed that Apple mainly have been hosting iCloud on Microsoft Azure architecture, but the servers running it were fully deployed to Apple owned facilities and locations. 

    Data hosted in other cloud services will necessarily also end up in their backup systems where they never should have been. They can possibly also be decrypted there because Apple can decrypt iCloud hosted data and have done so in multiple cases for law enforcement. When the data end up in a third party backup system it can also be restored to a different location and potentially be compromised. 

    This is also about Apple's integrity and trustworthiness. They pretend to have a holier-than-thou stance on privacy, yet completely fail to inform the customers that their data might migrate outside Apple facilities. NOT good!
    edited August 13 iCaveGeorgeBMacbobrooelijahgdysamoria
  • Reply 13 of 63
    mac_dogmac_dog Posts: 700member
    ElCapitan said:
    The lawsuit is 100% appropriate.

    Apple has given the public the impression they store data in their own datacenters, and as Apple provides these services around the planet and customers in different countries should be informed where their data actually is stored so they can make informed decisions if they want to use the service or not.  It probably also has lead customers to believe they got an increased level of privacy (as spouted by Apple marketing), when in reality they got closer to Amazon Web Services, Google and Microsoft base level. If I knew my iCloud data was stored on Google servers, I would have ended the iCloud subscription immediately. 

    But of course for ex-Compaq Tim Cook, he don't see the difference.


    So...now one can sue for impressions?
    Rayz2016JWSCmagman1979
  • Reply 14 of 63
    Being that Apple had disclosed this info long ago, the lawsuit is meritless.

    That said, it's about time Apple builds out its own infrastructure and perhaps even offers it as a service to others as an additional revenue source.

    I am not at all comfortable with my data on Google, Amazon, or MS servers. But there is nothing I can do about it. So in a way, I am thankful for this lawsuit. Hope it wakes up some thinking at Apple. 

    It's no good using the most secure devices when the company you trust is letting the less secure and less scrupulous out there hold your data for you. Yikes.
    ElCapitaniCavemagman1979watto_cobra
  • Reply 15 of 63
    wizard69wizard69 Posts: 12,860member
    karmadave said:
    The most frivolous lawsuit ever! Apple has no obligation to inform subscribers that they utilize 3rd party Cloud Service Providers. Furthermore, given how these applications are architected it’s impossible to determine whether or not a user’s data physically resides on a server located inside an Apple data center or a CSP datacenter. Companies, such as Apple, commonly utilize CSP’s to augment their own data enters and/or collocation facilities...
    Not really.   If you tell somebody that you are doing something for them you may have an obligation to inform.  
    iCaveGeorgeBMacelijahgdysamoriaFileMakerFeller
  • Reply 16 of 63
    wizard69wizard69 Posts: 12,860member
    big kc said:
    So, exactly how were the plaintiffs damaged? What a joke. If someone files a BS lawsuit like this, upon losing, they should be fully responsible for the defendant's legal fees. That would stop this garbage in its tracks.
    Damages are fairly explicit they have their data stored with vendors they don’t trust or approve. 

    it is sort of like hiring a contractor to do major remodeling on your home.  If you had expected him to the work and then find out he is sub contracting it out you are not going to be happy.  If he informs you at the time of contract negotiations then you understand what is going on. 

    It is a question of ethics really and frankly Apple has been really going down hill recently when it comes to ethical behavior.  
    ElCapitaniCaveelijahgdysamoria
  • Reply 17 of 63
    mattinozmattinoz Posts: 1,124member
    I think (IANAL) that Apple could be on the hook for 'false advertising' but it is really splitting hairs. If Apple are guilty then almost every other advertiser out there and their Ad Agencies will get a rude wakeup call. How many adverts do you see where you know that the claim is dubious. Oh, and flashing a disclaimer on the screen for 1mS is not enough to get you off the hook.

    Other than that, I fail to see how those bringing the lawsuit have been financially damaged.
    iCloud is sold as something that securely syncs between your devices and store data securely in transit. I mean where does Apple say they store the data on their own hardware on the sales page?

    The pitch is safe convenience as a service. Indeed the pitch is don't worry about the detials we deal with that, it's built into your devices. 

    PickUrPoisonuraharaStrangeDaysFileMakerFellerwatto_cobra
  • Reply 18 of 63
    Amusingly the iCloud terms make numerous references to partners providing the services. So the core claim is already invalid. Additionally the suit fundamentally misunderstands both encryption and how the internet works - since a near-random array of servers will at one stage or another hold the data during transit.

    I think the USA would benefit from more frequently enforcing some of the available consequences to launching frivolous litigation, and increasing the penalties associated with such behaviours. Remember it’s not just a waste of the defendant’s money, it’s a waste of tax payer’s money too.
    jdb8167cornchipasdasdFileMakerFellerwatto_cobra
  • Reply 19 of 63
    jdwjdw Posts: 775member
    I hate suing of any kind, regardless of who was damaged or how.  Perhaps I would think differently about that if the Western world wasn't so litigious as it is now, but I can't help how I feel.  Suing at the rate we do is just insane.

    With that said, I'm afraid this lawsuit does have some teeth in that even I myself had been under the strong impression that all iCloud data was stored exclusively on Apple owned and operated servers.  If we are honest with ourselves, we must admit Apple has been at least a tad disingenuous about servers and storage.  That doesn't mean I support the lawsuit.  It just means Apple should have either been more open with us or stored everything exclusively on Apple owned and operated servers, like we all thought they were doing in the first place.  I think this matter is at least as serious as the aging battery, power throttling issue that hit the global news a year ago.  Sometimes it doesn't seem that being transparent is a good thing, but when news like this hits the fan, then the realization strikes.  Apple could have handled this better, just like they could have handled info about power throttling better.  

    It doesn't matter if Apple never made it 100% clear they don't store data on 100% Apple-owned and operated servers and that we the public should have assumed Apple stored data outside Apple.  Legal jargon that few if any people read doesn't matter either insofar as few people read it, and such information isn't even spoken about in the tech media, whose job it is to sleuth out those details for us.  Public perception and "the general understanding" matters most.  I had the perception, like most of you, that Apple stored our iCloud data on Apple servers.  It doesn't matter if my believing that was in error.  That was the perception that Apple allowed the general public to believe. Surely Apple knew the general consensus, and if they didn't, Apple surely does now.  Again, I don't support the lawsuit by saying that.  I just wish it had been made more clear by Apple how iCloud data was stored.  That's all.
    iCavemuthuk_vanalingamgatorguy
  • Reply 20 of 63
    I’m thinking people are confused about how encryption works.  

    Microsoft and Google have a bunch of something, it’s something that takes up space, but it’s something that they can’t read, view, etc.  If they were to restore it from backup...something would be restored, but it would still be unreadable to them.

    It’s been KNOWN Apple has been saving data on 3rd party servers.  I’m sure it says so in the terms and conditions...

    If you use any “software as a service” or online backup software it’s almost guaranteed your data is on the Amazon Cloud.  That doesn’t mean Amazon can read your data...it’s encrypted in transport and encrypted in storage.  As long as you’re using a reputable company... (and they didn’t oops)

    You either trust Apple (etc) with your data or you don’t.

    I’m sure Apple is complying with whatever government regulations that are applicable to data storage.  This is part of the reason Apple is using 3rd parties.  In Europe user data has to be stored in Europe.  Building out server farms for data storage is prohibitively expensive.  Saving the data on Amazon’s (or Microsoft’s) servers in Europe (etc) is the obvious solution.

    This is all kinds of obvious when you think about it.  This lawsuit is about someone not doing their homework, or not caring and thinking Apple will settle.  Apple won’t because they have no case...
    edited August 13 dewmejdb8167uraharaStrangeDayswatto_cobra
Sign In or Register to comment.