Apple sued for $5M for not recovering data after iPhone theft
A Minnesota man is suing Apple for failing to do enough after having his iPhone stolen, demanding access to 2 terabytes of data and at least $5 million in damages.

Advanced Data Protection is very secure, just don't lose your Recovery Key
The loss of a smartphone can be devastating to a person, especially when it's the center of their digital existence. However, while there are ways to recover data, such as that stored on iCloud, sometimes the remedies that are available are not enough.
In a filing at the U.S. District Court for the Northern District of California in January, surfaced by the Washington Post in April, Michael Mathews of Minnesota is suing Apple for access to his data and compensation.
After his iPhone was stolen by pickpockets in Scottsdale, Arizona, Mathews claims he lost access to his photos, music, tax returns, and work-related research. As a consequence, his tech consulting firm apparently had to shut down.
In the suit, Mathews wants access to approximately 2 terabytes of data that forms his "entire digital life, including that of his family," and at least $5 million in damages.
Unrecoverable Recovery Key
Mathews' problems all center on the Recovery Key, a feature of Advanced Data Protection which is used to reset the password and recover the account. It is a 28-digit key that Apple recommends users store safely for future use.
However, in this case, it's apparently being used by the thief. If the thief can gain access to the iPhone, such as by discovering the passcode to unlock it, they can then change the password to the Apple ID to make it harder to recover.
In some cases, a thief could also enable ADP and create the Recovery Key. It's also possible for a thief to change an already existing Recovery Key, if they know the passcode and can use it.
The upshot for Mathews is that the account is no longer recoverable in such cases.
Without ADP, it is possible to recover accounts, in part because of the way Apple deals with encrypted data stored on its servers. Apple itself keeps a copy of the encryption keys used between the user's device and iCloud, and they can be recovered easily, just not under ADP.
While under ADP the Recovery Key is needed, the suit insists that Apple is still capable of doing something about the situation. Mathews' lawyer K. Jon Breyer says it is "indefensible" for Apple to hold onto the data "they don't own."
That suit has now entered a discovery phase, which can take between six and eight months to complete.
Apple didn't comment about the case specifically, but told the Washington Post it sympathizes with victims of crime. The statement adds "We take all attacks on our users very seriously, no matter how rare."
Comments
Personally, I waited a long time before enabling ADP because of the very clear warnings Apple gives before enabling it.
We'd hate to do that so we'll go ahead and delete that encrypted file off our servers by deleting your iCloud account. Happy?
This guy's best hope is that the thief was tech savvy enough to get the decrypted files and will offer a ransom to get them back. But in all likelihood the phone's been wiped and sold or broken up for parts.
Some light-fingered larry could nick it and take you and your life away. Money? Gone. Business? Gone.
I don't do email or banking on my phone. That degree of separation is to my mind essential.
And how does enabling ADP help a thief? Especially if the account holder can just use one of their account recovery features to gain control of the account back.
I do wonder why Apple doesn't have the ADP toggle behind its Stolen Device Protection feature. Perhaps an oversight.
I have my phone backed up to my Mac. I have my Mac (including my local iCloud Drive folder) backed up to an external drive and an online service. It's not that difficult.
And I don't even run a "tech consulting firm" lol.
Enjoy the learning from your experience. No extra charge, sir. Glad you're happy
Allegedly, it seems it was the thief who set the recovery key for the ADP.
This was my question - especially if it's possible to enable or disable ADP without a password if you have physical control of an unlocked device. Because, holy crap, that would be bad. Not just from thieves, but there are other cases where people share their passcode with friends or family (wisely or not) who might get upset with them, and now they can completely hijack their Apple ID? Surely that isn't the case?