AppleInsider may earn an affiliate commission on purchases made through links on our site.
Following a report into Apple’s harvesting of App Store data, a lawsuit has emerged alleging the company willfully violates users’ privacy and monetizes user data without permission.
Plaintiff Elliot Libman has filed what he hopes will become a class action lawsuit against Apple. The lawsuit alleges that since Apple has some knowledge of what a user is browsing on the App Store, it violates a privacy right that the user has.
The lawsuit alleges research published in November found that Apple “records, tracks, collects, and monetizes analytics data — including browsing history and activity information — regardless of safeguards or “privacy settings” that consumers agree to protect their privacy”.
Specifically, the suit cites the “Allow apps to request tracking” and “Share analytics” settings as the main issues they have with Apple.
“Apple’s practices invade consumer privacy; intentionally mislead consumers; give Apple and its employees the power to learn intimate details about individuals’ lives, interests, and app usage; and make Apple a potential “one-stop-shop” target for any government, private actor or criminal who wishes to infringe on the privacy, security or freedom of individuals.Through its pervasive and illegal tracking activity and data collection, Apple knows even the most intimate and potentially embarrassing aspects of the user’s use of the application, whether the user the user accepts Apple’s illusory offer to keep these activities private .”
Lawyers we spoke with Friday night believe the affiant has a tough hill to climb to win the case. It is unclear whether the plaintiff or the attorneys who filed the lawsuit understand the distinction between server-side data collection and the operation of parameters at the heart of the lawsuit.
It is also likely that this data cited in the lawsuit is collected on the server side. For example, the Netflix video streamer’s viewing history is stored server-side and tied to an account, and collected on the server, where the no-request-tracking setting does not apply.
In the case of server-side data, the “Allow apps to request tracking” and “Share analytics” settings are irrelevant. The part about “Share analytics” is probably not relevant on its own, as app browsing history is user behavior and not related to device analytics which is used to determine the status of a device and its internet service when a problem develops.
And there is precedent that “app developers” and an App Store hosting company, in this case Apple, are not one and the same, although the App Store is an app.
Mysk’s research that inspired the combination says that in iOS 14.6 “detailed usage data is sent to Apple” from the App Store, Apple Music, Apple TV and Books. The actions sent less identifiable information than the other apps, the researchers say.
The data sent would be associated with an identifier that could identify a user. The behavior is said to persist in iOS 16, but researchers could not examine what data was sent as it was all sent encrypted.
The researchers told Gizmodo that similar data was not sent by Health and Wallet with a combination of privacy settings. All data is sent to different servers from the iCloud table.
The lawsuit says consumers’ personal information has monetary value. The study cited in the lawsuit is based on data sales, some collected through hacks and data theft. Apple says it doesn’t sell user data, and there’s no evidence it does.
Apple is also explicit about how it uses data in its advertising platforms. The company has publicly stated that its advertising platform does not connect user or device data with data collected from third parties for targeted advertising. They also say that they do not share the user’s device or device identification with data collection companies.
The lawsuit alleges that Apple “invaded an area of privacy protected by the Fourth Amendment” and “violated dozens of state criminal wiretapping and invasion of privacy laws.” The Fourth Amendment doesn’t seem to apply here.
It’s not clear why data collection by a company you do business with that has agreed to data collection under a product’s terms of service, in this case both the App Store and the iPhone itself is a violation of wiretapping laws, especially if Apple anonymizes or aggregates data collected by the App Store.
It goes on to cite “highly offensive” behavior regarding “intentional intrusion” into internet communications and “covert monitoring of private app browsing”. In order for Apple or any app store to provide data over the internet to a customer regarding app store browsing and purchasing, the company must, at some level, know what is browsed and what has been purchased by a given user.
Much of this depends on the trust of the users of the technology or the Internet company. Apple’s technology, for example, has prevented the reporter’s ISP or wireless carrier from knowing what they are browsing.
Identifiable user data is required not only for the Internet to function, but also for paid services such as the App Store, Books, and Music to authenticate and function, and support must be provided for such services . It is clear that the registrant does not trust Apple in this regard, based on the “highly offensive” color of Apple’s behavior in the filing.
As always, the suit seeks “restitution and all other forms of just monetary relief” and an injunction if the court deems it appropriate. A jury trial is required.
It is not known when or if the case will be heard.
Libman v. Apple, Inc is case number 5:2022cv07069 in the U.S. District Court for the Northern District of California. Fisher & Fisher of northeastern Pennsylvania filed the lawsuit.