Apple facing class action lawsuit over alleged iTunes & Apple Music data sale
Residents of Rhode Island and Michigan lead the suit, which maintains that Apple profits unjustly by releasing what users play in iTunes and on Apple Music to other companies, and by allowing third-party app developers direct access to the tracks in users' iTunes libraries.

A class action suit has been filed against Apple in the US District Court, Northern District of California, on behalf of all Apple users, by three residents of Rhode Island and Michigan. Leigh Wheaton, Jill Paul and Trevor Paul claim that Apple profits from releasing the extensive demographic data it has about its users: their full names, ages, and addresses, plus their history of music listening preferences.
The suit is pegged to Apple's recent Las Vegas billboard promoting privacy. "The statement on the billboard is plainly untrue, however," says the filing, "because... none of the information pertaining to the music you purchase on your iPhone stays on your iPhone."
Lawyers for the plaintiffs are seeking $250 for Wheaton and every user allegedly affected, plus $5,000 to the complainants. The suit does not establish how many people would be involved beyond "tens of thousands", but the filing says that the "aggregate amount in controversy exceeds $5,000,000."
To support the claim that Apple "sells, rents, transmits and/or otherwise discloses, to various third parties" this information, the suit includes details of such information being available to buy. Significantly, the data is not sold by Apple nor limited to it.
"For instance," says the suit, "the Personal Listening Information of 18,188,721 'iTunes and Pandora Music Purchasers,' residing across the United States (including in Michigan and Rhode Island), is offered for sale on the website of Carney Direct Marketing."

Screenshot of broker firm CDM's apparent sale of iTunes user data (source: court filing)
A second company, SRDS, is cited as offering the same information, which consists of highly detailed demographic data.
Separately, the case claims that Apple provides data to iOS developers. "For example, using the MPMediaQuery.songsQuery() function of the MediaPlayer Framework API," continues the suit, "developers are able to grant themselves access to metadata that identifies the titles of all of the songs that a particular user of their application has purchased on iTunes."
To support this, the plaintiffs detail how on January 13, 2016, iOS developer Ben Dodson filed a bug report to Apple saying that the current system could allow details of a user's entire music database to be revealed. Dodson wrote about his bug report on his blog at the time.
According to the lawsuit, this bug was not addressed by Apple until eight months later "on or about September 13, 2016," when iOS 10 was released. It further says that Apple then effectively just included a notice informing users that their data would be used this way.
Apple has not yet commented on the lawsuit.

Apple Versus Wheaton, Paul, Et Al by Mike Wuerthele on Scribd
Comments
These lie on the comical end of settlement-fishing activities.
“their full names, ages, and addresses, plus their history of music listening preferences.”
There are no APIs available in iOS to get your real name, device ID, address, age, AppleID or any other personal information about you. There USED to be an API to get your music library.
That’s quite the leap from seeing your tracks to getting explicit personally identifying information about you. I can’t wait to see how they’re going to prove Apple provides this information.
In some minds here Apple is already guilty and I’m sure we’ll be hearing from those people any minute now. Apple had better jump on this hard and quick or the accusation will confirm guilt in the media.
I also agree that it likely could be a stunt by Android competitors to just throw FUD out there for a few headlines to undermine Apple's privacy advantage. Doesn't matter whether it has merit or is ultimately successful. The headlines are enough to do what they need. Anything else is gravy.
I’ll note, my Amazon Music app can’t access my songs purchased through Apple.
But, I once had an alarm clock app that could play Apple Music, which suggests some data is passed to 3rd parties...
I’m not sure what data, if any, was passed back to the dev.
I certainly don’t think Apple profited...
Unless... you consider the app was purchased through the App Store, which isn’t lawsuit worthy.
I don't think this case is going to get very far, because if there are any guilty parties here (and there seem to be), they are not named Apple.
If the data is real, the most likely culprit would be a rogue app that steals this data to sell for profit.
Here is the Apple Music API rule:
Apps that access Apple Music user data, such as playlists and favorites, must clearly disclose this access in the purpose string. Any data collected may not be shared with third parties for any purpose other than supporting or improving the app experience. This data may not be used to identify users or devices, or to target advertising.
iKnockoff Knights already use rumors and fallacies as fact.
Totally illogical to think a company with 260B in annual sales would sell its users' data for a few million. For app developers it could be a lot of money. And there are lots of apps that are just guises to collect their users' data. Apple requires them to ask the user for it. But how many read fine? And if they even did, it’s always vague and ambiguous. Last, if Apple were selling user data, how would that not get out? Tim Cook and others would be tossed in prison for defrauding customers and investors. It would be a layup since Apple uses its stance on privacy to benefit from more sales and higher stock price.
The Media Library requires that the user give explicit permission for the app to access the user library.
I’ve written apps that do exactly that. The code is open source, and I could show you exactly how it’s done.
If the user refuses the request, the app can’t access the library.
The app also needs to register with the operating system as requesting this permission.
Read all about it: https://developer.apple.com/documentation/medialibrary
If the user grants this permission, then the app can do what it likes with the data. However, expect it to be checked for things like exporting it by the App Reviewers. That said, it wouldn’t be too difficult for unscrupulous developers to find ways to get the data out of the sandbox.
Someone mentioned that it could be that Pandora either sold its DB, or had it purloined. That sounds likely.
These people are not-so-bright.
https://utbblogs.com/apple-public-private-position-privacy