Apple sued for storing iCloud data on third-party servers
A class-action lawsuit lodged with a California court on Monday accuses Apple of false advertising, claiming the company banked on its name by telling consumers iCloud data is "stored by Apple" when, in fact, the information is in some cases siloed on servers run by Amazon, Google and Microsoft.
Filed with the U.S. District Court for the Northern District of California, the class-action complaint takes issue with Apple's iCloud data handling policies and, more specifically, its lack of transparency on where customer information is stored.
According to the suit, Apple breached customer trust and legally binding contracts by using its status and name to sell iCloud subscriptions to customers believing their data would be stored in a cloud that it owned and operated. Instead of first-party servers, the company farmed out bandwidth to Amazon Web Services, Google and Microsoft's Azure platform.
The conceit is that Apple "lacked the necessary infrastructure" to run iCloud and was therefore not in total control of iCloud data during the contract period. It therefore misrepresented the nature of the service to potential and existing subscribers.
"Touting itself as the provider of the iCloud service (when, in fact, Apple was merely reselling cloud storage space on cloud facilities of other entities) allowed Apple not only to obtain paid subscriptions of class members who subscribed to iCloud believing that their cloud storage was being provided by Apple, but also allowed Apple to charge a premium for its iCloud service because subscribers placed a value on having the 'Apple' brand as the provider of the storage service for their most sensitive data," the suit reads.
The suit maintains plaintiffs entrust Apple with important and personal information, and pay a premium to keep that data safe. Plaintiffs Andrea M. Williams of Florida and James Stewart of San Francisco, Calif., are named in the suit and claim they were not informed that iCloud would store data on non-Apple servers. If they had known about the strategy, the pair would either not have subscribed or would have not paid the "Apple premium" for access to the service.
Compounding the problem are competing, and in some cases less expensive, cloud storage solutions marketed by Apple's providers in Amazon Drive, Google Drive and Microsoft's OneDrive.
Plaintiffs allege Apple makes no mention of third-party servers in its marketing materials or its iCloud terms and conditions. Indeed, the preamble to iCloud's customer agreement suggests all data flows directly from user devices to Apple itself.
"When iCloud is enabled, your content will be automatically sent to and stored by Apple, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers," the document reads.
Interestingly, Apple's Chinese iCloud agreement more accurately describes the situation, at least in that region. As per state law, the company stores Chinese cloud data on local servers, in this case run by Guizhou-Cloud Big Data, or GCBD.
"When iCloud is enabled, your content will be automatically sent to and stored by GCBD, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers," Apple says.
Industry watchers have known about Apple's iCloud outsourcing since at least 2011, when the tech giant was rumored to tap AWS, Microsoft or both for the then-new cloud storage product. More recently, Apple in early 2018 confirmed iCloud relies in part on third-party services like Google Cloud Platform.
For its part, Apple goes to great lengths to ensure iCloud security surpasses industry norms. In an iOS Security document last updated in May (PDF link), the company details its security protocols, saying files from contacts, calendars, photos, documents and more are broken into chunks and encrypted using AES-128. A key generated from each chunk's contents is created and stored with corresponding metadata in a user's iCloud account.
"The encrypted chunks of the file are stored, without any user-identifying information or the keys, using both Apple and third-party storage services -- such as Amazon Web Services or Google Cloud Platform -- but these partners don't have the keys to decrypt your data stored on their servers," Apple says.
Plaintiffs seek class status, injunctive relief enjoining Apple from continuing to falsely misrepresent iCloud storage policies, unspecified damages and legal fees.
Filed with the U.S. District Court for the Northern District of California, the class-action complaint takes issue with Apple's iCloud data handling policies and, more specifically, its lack of transparency on where customer information is stored.
According to the suit, Apple breached customer trust and legally binding contracts by using its status and name to sell iCloud subscriptions to customers believing their data would be stored in a cloud that it owned and operated. Instead of first-party servers, the company farmed out bandwidth to Amazon Web Services, Google and Microsoft's Azure platform.
The conceit is that Apple "lacked the necessary infrastructure" to run iCloud and was therefore not in total control of iCloud data during the contract period. It therefore misrepresented the nature of the service to potential and existing subscribers.
"Touting itself as the provider of the iCloud service (when, in fact, Apple was merely reselling cloud storage space on cloud facilities of other entities) allowed Apple not only to obtain paid subscriptions of class members who subscribed to iCloud believing that their cloud storage was being provided by Apple, but also allowed Apple to charge a premium for its iCloud service because subscribers placed a value on having the 'Apple' brand as the provider of the storage service for their most sensitive data," the suit reads.
The suit maintains plaintiffs entrust Apple with important and personal information, and pay a premium to keep that data safe. Plaintiffs Andrea M. Williams of Florida and James Stewart of San Francisco, Calif., are named in the suit and claim they were not informed that iCloud would store data on non-Apple servers. If they had known about the strategy, the pair would either not have subscribed or would have not paid the "Apple premium" for access to the service.
Compounding the problem are competing, and in some cases less expensive, cloud storage solutions marketed by Apple's providers in Amazon Drive, Google Drive and Microsoft's OneDrive.
Plaintiffs allege Apple makes no mention of third-party servers in its marketing materials or its iCloud terms and conditions. Indeed, the preamble to iCloud's customer agreement suggests all data flows directly from user devices to Apple itself.
"When iCloud is enabled, your content will be automatically sent to and stored by Apple, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers," the document reads.
Interestingly, Apple's Chinese iCloud agreement more accurately describes the situation, at least in that region. As per state law, the company stores Chinese cloud data on local servers, in this case run by Guizhou-Cloud Big Data, or GCBD.
"When iCloud is enabled, your content will be automatically sent to and stored by GCBD, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers," Apple says.
Industry watchers have known about Apple's iCloud outsourcing since at least 2011, when the tech giant was rumored to tap AWS, Microsoft or both for the then-new cloud storage product. More recently, Apple in early 2018 confirmed iCloud relies in part on third-party services like Google Cloud Platform.
For its part, Apple goes to great lengths to ensure iCloud security surpasses industry norms. In an iOS Security document last updated in May (PDF link), the company details its security protocols, saying files from contacts, calendars, photos, documents and more are broken into chunks and encrypted using AES-128. A key generated from each chunk's contents is created and stored with corresponding metadata in a user's iCloud account.
"The encrypted chunks of the file are stored, without any user-identifying information or the keys, using both Apple and third-party storage services -- such as Amazon Web Services or Google Cloud Platform -- but these partners don't have the keys to decrypt your data stored on their servers," Apple says.
Plaintiffs seek class status, injunctive relief enjoining Apple from continuing to falsely misrepresent iCloud storage policies, unspecified damages and legal fees.
iCloud Server Class Action by Mikey Campbell on Scribd
Comments
This is beyond desperate.
Said It before and I’ll say it again. If you lose a lawsuit you should be forced to pay the other party’s legal costs.
I find myself continually turning off macOS preferences that have somehow been set to send information to external sources, like Siri searches for apps I recall I have turned off in prior 'upgrades', including Siri of course...
The lawyer suing Apple should lose his or her license.
Apple has given the public the impression they store data in their own datacenters, and as Apple provides these services around the planet and customers in different countries should be informed where their data actually is stored so they can make informed decisions if they want to use the service or not. It probably also has lead customers to believe they got an increased level of privacy (as spouted by Apple marketing), when in reality they got closer to Amazon Web Services, Google and Microsoft base level. If I knew my iCloud data was stored on Google servers, I would have ended the iCloud subscription immediately.
But of course for ex-Compaq Tim Cook, he don't see the difference.
Consider your own local loop to your phone company, the long-haul carriers which can be multiple companies. And we must remember that peer to peer, client server web data bases often have functionality distributed over multiple servers for such things as the keys were talking about above, account verification, actual end file storage, etc.
End-users should always expect that their data of all kinds is spread over a number of servers, a number of vendors, a number of transport carriers, and a number of applications within the services of those vendors
It has been generally assumed that Apple mainly have been hosting iCloud on Microsoft Azure architecture, but the servers running it were fully deployed to Apple owned facilities and locations.
Data hosted in other cloud services will necessarily also end up in their backup systems where they never should have been. They can possibly also be decrypted there because Apple can decrypt iCloud hosted data and have done so in multiple cases for law enforcement. When the data end up in a third party backup system it can also be restored to a different location and potentially be compromised.
This is also about Apple's integrity and trustworthiness. They pretend to have a holier-than-thou stance on privacy, yet completely fail to inform the customers that their data might migrate outside Apple facilities. NOT good!
That said, it's about time Apple builds out its own infrastructure and perhaps even offers it as a service to others as an additional revenue source.
I am not at all comfortable with my data on Google, Amazon, or MS servers. But there is nothing I can do about it. So in a way, I am thankful for this lawsuit. Hope it wakes up some thinking at Apple.
It's no good using the most secure devices when the company you trust is letting the less secure and less scrupulous out there hold your data for you. Yikes.
it is sort of like hiring a contractor to do major remodeling on your home. If you had expected him to the work and then find out he is sub contracting it out you are not going to be happy. If he informs you at the time of contract negotiations then you understand what is going on.
It is a question of ethics really and frankly Apple has been really going down hill recently when it comes to ethical behavior.
I think the USA would benefit from more frequently enforcing some of the available consequences to launching frivolous litigation, and increasing the penalties associated with such behaviours. Remember it’s not just a waste of the defendant’s money, it’s a waste of tax payer’s money too.
With that said, I'm afraid this lawsuit does have some teeth in that even I myself had been under the strong impression that all iCloud data was stored exclusively on Apple owned and operated servers. If we are honest with ourselves, we must admit Apple has been at least a tad disingenuous about servers and storage. That doesn't mean I support the lawsuit. It just means Apple should have either been more open with us or stored everything exclusively on Apple owned and operated servers, like we all thought they were doing in the first place. I think this matter is at least as serious as the aging battery, power throttling issue that hit the global news a year ago. Sometimes it doesn't seem that being transparent is a good thing, but when news like this hits the fan, then the realization strikes. Apple could have handled this better, just like they could have handled info about power throttling better.
It doesn't matter if Apple never made it 100% clear they don't store data on 100% Apple-owned and operated servers and that we the public should have assumed Apple stored data outside Apple. Legal jargon that few if any people read doesn't matter either insofar as few people read it, and such information isn't even spoken about in the tech media, whose job it is to sleuth out those details for us. Public perception and "the general understanding" matters most. I had the perception, like most of you, that Apple stored our iCloud data on Apple servers. It doesn't matter if my believing that was in error. That was the perception that Apple allowed the general public to believe. Surely Apple knew the general consensus, and if they didn't, Apple surely does now. Again, I don't support the lawsuit by saying that. I just wish it had been made more clear by Apple how iCloud data was stored. That's all.
Microsoft and Google have a bunch of something, it’s something that takes up space, but it’s something that they can’t read, view, etc. If they were to restore it from backup...something would be restored, but it would still be unreadable to them.
It’s been KNOWN Apple has been saving data on 3rd party servers. I’m sure it says so in the terms and conditions...
If you use any “software as a service” or online backup software it’s almost guaranteed your data is on the Amazon Cloud. That doesn’t mean Amazon can read your data...it’s encrypted in transport and encrypted in storage. As long as you’re using a reputable company... (and they didn’t oops)
You either trust Apple (etc) with your data or you don’t.
I’m sure Apple is complying with whatever government regulations that are applicable to data storage. This is part of the reason Apple is using 3rd parties. In Europe user data has to be stored in Europe. Building out server farms for data storage is prohibitively expensive. Saving the data on Amazon’s (or Microsoft’s) servers in Europe (etc) is the obvious solution.
This is all kinds of obvious when you think about it. This lawsuit is about someone not doing their homework, or not caring and thinking Apple will settle. Apple won’t because they have no case...