back to article Apple's privacy schtick is just an act, say folks suing the iGiant: iTunes 'purchase histories sold' to data slurpers

Apple has been hit with a class-action complaint in the US accusing the iGiant of playing fast and loose with the privacy of its customers. The lawsuit [PDF], filed this month in a northern California federal district court, claims the Cupertino music giant gathers data from iTunes – including people's music purchase history …

  1. Tim99 Silver badge
    Big Brother

    This could be interesting

    Sold what data? To whom? For how much? What commercial advantage does someone have if they know Tim99 listens to the Rolling Stones and Emma Kirkby?

    What evidence is there? Is it an excuse for a fishing operation? Or a muddying of the waters by a covert TLA, or a false-flag smear operation by a competitor who’s entire business relays on slurping data? Enquiring minds want to know...

    1. Anonymous Coward
      Anonymous Coward

      Re: This could be interesting

      I can’t comment on the accuracy of the claim. Given Facebook’s difficulties in hiding the truth I expect we’ll know soon enough.

      On the usefulness, if a set of data wasn’t useful, there wouldn’t be a market to buy it. It would be for a marketing wonk to explain the detail but this is how Google and Facebook make their money and so the claim is that Apple are pretending to be different but aren’t.

      It’s a damaging claim if true, especially given Apple’s public stance on privacy and that, by definition, people who choose Apple products have a higher than average disposable income and so form a more lucrative dataset.

      1. BebopWeBop Silver badge
        Holmes

        Re: This could be interesting

        I agree that it will be very damaging - but probably so whether this is true or not. Setting up the rumours an interested vulture in taking it on through some no settlement no payoff, possibly through money from dubious sources would be an extremely effective way of muddying the waters and beginning the public corrosion of one of Apple's USPs - plenty of suspects, government and private.

        If someone from Apple has been running such a scheme hidden away from the eye of much of management then there will be hell to pay.

      2. Doctor Syntax Silver badge

        Re: This could be interesting

        "if a set of data wasn’t believed to be useful, there wouldn’t be a market to buy it"

        FTFY

        Remember what I keep telling you, the only thing the advertising industry sells is advertising and this sort of thing is one of their products. It doesn't actually have to be useful, they only have to get clients to believe it is, probably by telling them that all their competitors are already buying it.

    2. Anonymous Coward
      Anonymous Coward

      Re: This could be interesting

      Off the top of my head, the advantage would be to gauge the efficacy of marketing campaigns to different demographics.

      There is totally a market for this.

    3. Lee D Silver badge

      Re: This could be interesting

      It's in the article.

      There's literally an API where you can buy that data. That's the point. As a developer you can just pay Apple, query the API and get thousands of names.

      Whether anyone *does*, only Apple knows, but that's not the point. It's like literally having a "download any of our customer's data" button on their website, with search fields and a Buy Now button.

      And, I would presume, that to initiate the lawsuit and make those claims, this guy - or his lawyer - pressed such a button, paid the fee, and got back real data.

      Game over.

      1. gnasher729 Silver badge

        Re: This could be interesting

        So could you show us where on Apples website that download button is? I’ve never seen it. And Apple doesn’t know my age, income, education so I’d be curious where that comes from.

        1. Lee D Silver badge

          Re: This could be interesting

          I can't.

          The guy writing the court summary can if you read the PDF:

          "These factual allegations are corroborated by publicly-available evidence.

          For instance, as shown in the screenshot below, the Personal Listening Information of

          18,188,721 “iTunes and Pandora Music Purchasers,” residing across the United States

          (including in Michigan and Rhode Island), is offered for sale on the website of Carney

          Direct Marketing (“CDM”) – one of many traffickers of this type of Personal Listening

          Information – at a base price of “$80/M [per thousand records]” (8 cents each): "

          "SRDS, another list brokerage company, offers for sale the same or a

          similar list as the one sold by CDM, at the same price, and additionally offers a finder’s

          fee to brokers who are able to find purchasers of this Personal Listening Information

          (offering “20% commission to brokers” and “15% commission to agencies”), as shown

          in the screenshot below of a publicly-accessible webpage on SRDS’s website:"

          And it doesn't matter if Apple *weren't given* your age, income, education, etc. - they correlate it from all kinds of other sources and link it against your iTunes account once they've identified you. Think "buy the same kind of data from Facebook, Google advertising, etc. and then correlate the IPs":

          "First, Apple discloses its customers’ Personal Listening Information,

          identifying the names and addresses of its customers and the particular genres of music

          they have purchased from its iTunes Store, to data aggregators, data miners, data

          brokers, data appenders, and other third parties, who then supplement that information

          with additional sensitive personal information about each of Apple customers,

          including their age, gender, purchasing habits, education, household income, and

          (when applicable) the number, age, and gender of the subscriber’s children. "

    4. LDS Silver badge

      "What commercial advantage does someone have if they know"

      The usual ones. Build a profile of someone, and try to sell him/her more stuff. There's a lot you can infer from musical tastes - not only to sell more music. For example what music you listen will also give away what you like to wear, etc.

      And of course you can also correlate with data from other sources.

      "Sold what data? To whom? For how much?"

      That's what Apple would like to avoid to make public, I guess...

      1. Tim99 Silver badge

        Re: "What commercial advantage does someone have if they know"

        "...if they know Tim99 listens to the Rolling Stones and Emma Kirkby"

        So in my case, that would be zip-fly blue jeans and a doublet?

        1. TimMaher Silver badge
          Coat

          Re: "What commercial advantage does someone have if they know"

          Sticky fingers then?

          I’ll get my coat. It gives me shelter.

  2. aaaa

    Pandora not Apple.

    The suit (see the PDF linked to in the article) is about “iTunes and Pandora Music Purchasers” list offered for sale by CDM.

    That is iTunes AND Pandora.

    Any app on iOS that wants to access your music library can use this API (which requires user consent BTW):

    Read all about it: https://developer.apple.com/documentation/medialibrary

    If the user grants this permission, then the app can do what it likes with the data.

    Seems likely the Pandora app is collecting info and then Pandora are selling it.

    There is nothing in the suit to demonstrate Apple are selling these lists. There is a LOT in the suit to suggest Pandora are selling the list.

    The whole thing is very little to do with Apple, unless you think Apple should add more restrictions to iOS app developer contracts.

    But I wouldn't be at all surprised to find Pandora banned from the Apple App store soon.

    1. TRT Silver badge

      Re: Pandora not Apple.

      Pandora is also available on other platforms. Do they abuse those also?

      1. BebopWeBop Silver badge

        Re: Pandora not Apple.

        Well given that Pandora needs access to your music in order to make recommendations, it would not surprise me if they were making a little money flogging the data.

    2. Anonymous Coward
      Anonymous Coward

      Re: Pandora not Apple.

      You seem very keen to make excuses for apple, given similar Google stories aren't exempt from the indirect defence.

      The fact remains, apples privacy policy allows them to collect and sell your user data, it's written there in black and white. Just because you are too lazy to read it's and prefer to believe what someone on the internet says apples privacy is about, as it better fits what you want it to be, that says more about you.

      The fact is, there is virtually nothing to distinguish Google, apple, Facebook Microsoft in their privacy statements, it's just easier to assume Google are the bad guys, as that is their primary business, but it doesn't preclude the others cashing in on your data, they are all at it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Pandora not Apple.

        "The fact remains, apples privacy policy allows them to collect and sell your user data, it's written there in black and white"

        Erm I smell an Apple Basher here.

        Have you even actually read Apple's privacy policy ? Read it properly ?

        Because what you're saying is utter bull.

        (a) The word "sell" doesn't appear anywhere

        (b) You have to read agreements IN THEIR ENTIRETY. You cannot just simply go taking phrases like " Apple and its affiliates may share this personal information with each other " out of context, which is what I suspect you are doing.

        (c) You have to consider the corporate context. If you are a large multinational company then "sharing with affiliates" can have hundreds of perfectly harmless meanings, such as sharing your name and address with the delivery company so that they can deliver your order to you !

        (d) As you have already been told and as the Apple Privacy Policy tells you .... you have to differentiate between Apple themsleves and the App Store Apps. Apple iOS provides you with granular control to enable you to control exactly what can and what cannot be shared with what apps (which is more than can be said for Android).

        1. Anonymous Coward
          Anonymous Coward

          Re: Pandora not Apple.

          "what cannot be shared with what apps (which is more than can be said for Android)"

          What controls are these? I mean Android also has granular controls for most of the access to individual resources such as gps, sms, contacts etc but does apple allow you to specify exactly which contacts are shared or which individual data lines are passed across?

        2. Anonymous Coward
          Anonymous Coward

          Re: Pandora not Apple.

          Sharing with affiliates will always mean legitimate purposes, but legitimate for whom? It's like the GDPR catchall that companies seem to wrongly think that processing data for the legitimate purposes of the organisation means that if the organisation wants to do it to help their business then they can (see the El Reg privacy policy for an example of this.

          However Apple do say in their privacy policy that they will use your data for their own marketing and advertising but they will not pass your data for their own marketing purposes. However they don't say they will not pass that data onto third parties for other purposes which they then go on to use for marketing purposes and you can question whether this is policed sufficiently (I'm not saying it isn't).

          This isn't any different from Google in respects of their privacy policy, uses are about the same and Google doesn't pass or sell data on to third parties for their marketing purposes they sell access to generic user profiles based around broad demographics or interests, the same as Apple. It's more noticeable because Google's advertising program is much bigger than Apple's but it works in a similar way.

        3. Anonymous Coward
          Anonymous Coward

          "Erm I smell an Apple Basher here."

          Smelling fanboy here...

          "(a) The word "sell" doesn't appear anywhere"

          No lawyer writing those would use the word "sell" - they will use "transfer" or whatever looks less bad. Moreover, they don't sell the data, the "give access to some of them for a fee"....

          "You have to read agreements IN THEIR ENTIRETY."

          https://www.apple.com/legal/privacy/en-ww/

          That's what they hope you won't. I.e.

          "Collection and Use of Non-Personal Information

          "We also collect data in a form that does not, on its own, permit direct association with any specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose." (bold mine)

          Just, they have a very broad view of what is Non Personal Informations, i.e.

          "occupation, language, zip code, area code, unique device identifier, referrer URL, location,[ ..] including search queries" (bold mine)

          Advertisers doesn't really need to know your name or phone number or email - they need to know how to target you with ads. That unique ID is all they need. And of course the other data can be used to correlate and create profiles.

          " You have to consider the corporate context."

          Exactly. Whatever will bring more money will be done. Anyway, "affiliate" doesn't mean what you think. UPS is not an affiliate of Apple, for example....

          "you have to differentiate between Apple themsleves and the App Store Apps"

          The case here is what Apple does with the data it collects from iTunes....

          1. katgod

            Re: "Erm I smell an Apple Basher here."

            I find this conversation interesting and wonder how many of the people making comments enable GPS on their phone. There is no where to hide if you own a computer device at this point it is only a question of how hard is it for someone to get your information. If you are really concerned that you don't have complete privacy don't use a credit card, don't own any sort of electronic device and go live in the woods, and with a little luck you maybe forgotten, make sure your cooking fires are well hidden also.

            I agree that more privacy would be great but if Apple isn't the least of your problems it is near the bottom of the list.

        4. Anonymous Coward
          Anonymous Coward

          Re: Pandora not Apple.

          "sharing with affiliates" can have hundreds of perfectly harmless meaning

          it also opens the door for them to do whatever they want, which given Apple's greed, and Apple owners blind faith, they will surely be making the most of.

          "iOS provides you with granular control to enable you to control exactly what can and what cannot be shared with what apps (which is more than can be said for Android)."

          Android also has granular control for permissions. if you compare them, Android's are actually better, in particular, location fine/coarse and independent reading and writing storage.

          1. doublelayer Silver badge

            Re: Pandora not Apple.

            "Android also has granular control for permissions. if you compare them, Android's are actually better, in particular, location fine/coarse and independent reading and writing storage."

            I'm very unhappy to here this news about Apple, but I don't think I can call Android's attempt at security controls good. For one thing, these controls only started having an effect in relatively recent builds of the operating system, as they were previously just a warning at install time. Furthermore, it is relatively difficult to deny access to specific information. Applications can request certain permissions, like "read phone state" and some others, that give lots of access to many things. IOS's policy of not letting apps interact with the file systems of other apps let alone the OS may be limiting in some cases, but prevents one of the more annoying kinds of malware frequently seen on Android. In addition, we have the difficulty in disabling things for built-in applications on Android, whereas IOS includes a full list of apps (both user-installed and stock) and system services for which access can be controlled. Finally, the permissions available to android apps often allow them to take actions normally associated with subverting the user's intent; for example, the permission to use bluetooth also allows an app on android to turn it back on if the user has disabled it, whereas the master bluetooth switch on IOS preempts an application that has been granted bluetooth rights.

            1. Anonymous Coward
              Anonymous Coward

              Re: Pandora not Apple.

              "For one thing, these controls only started having an effect in relatively recent builds of the operating system, as they were previously just a warning at install time."

              Hmm, since Android version 6 - quite some time.

              " IOS's policy of not letting apps interact with the file systems of other apps let alone the OS may be limiting in some cases, but prevents one of the more annoying kinds of malware frequently seen on Android. "

              In Android each app has private file areas by default. In fact as an Android developer you will have to go through quite a few hoops to allow access to your data to other apps if you want to share it. In Android there is far more control allowing developers to sandbox their data, share it or make it available for other apps, but like I said the default is always private to the app.

              " In addition, we have the difficulty in disabling things for built-in applications on Android"

              No you don't unless the manufacturer has specifically changed the OS to stop that. On my Huawei I have full access to the permissions for all Google and Huawei apps preinstalled on my device.

              ", the permission to use bluetooth also allows an app on android to turn it back on if the user has disabled it"

              This can be good or bad. I've never had an app turn on Bluetooth for it's own purposes where it wasn't expected or it didn't ask first - you can always remove Bluetooth permission for a misbehaving app. However this feature allows you to use apps like tasker to set bluetooth when you get home for instance orallow widgets to turn on bluetooth as a quick setting. It also allows a bluetooth tracker app to turn on bluetooth if you open it and start scanning, without it forcing you back to settings to do it. But like I said it seems like it is useful for most people if you give it permission to do it.

              1. doublelayer Silver badge

                Re: Pandora not Apple.

                Me: "For one thing, these controls only started having an effect in relatively recent builds of the operating system, as they were previously just a warning at install time."

                Reply: "Hmm, since Android version 6 - quite some time."

                Good point. My android devices had a marked lag between the one that never got off version 4.4 and the one I eventually got running version 7 (it's still on version 7). I overestimated the delay in getting that in. I withdraw that objection.

                Me: " IOS's policy of not letting apps interact with the file systems of other apps let alone the OS may be limiting in some cases, but prevents one of the more annoying kinds of malware frequently seen on Android. "

                Reply: "In Android each app has private file areas by default. [...]"

                That's all true, but an application that asks for access to storage can edit any data that is in a public location, including writing malicious files there. Other applications sometimes put data there as well even when they haven't been requested to do so, meaning that a user must be aware of what kind of thing can be read when an app asks for and gets access to read and write storage. There is no mechanism for allowing it to read and write a specific area of storage only, which would be nice. This isn't intrinsically problematic, but it increases complexity for nontechnical users. This is a major point; while most of us here have a good level of security on our devices and are aware of risks to it, difficulty to less technical users weakens their security footprint and can cause extra downsides for us.

                Me: " In addition, we have the difficulty in disabling things for built-in applications on Android"

                Reply: "No you don't unless the manufacturer has specifically changed the OS to stop that."

                Maybe Huawei is great at this, or there is something different in the last Android build that I have not seen yet. However, I have never seen an Android device that was particularly granular about what components could access what data. Frequently, the closest I could get was disabling location and microphone for Google Play Services in its entirety (that wasn't always an option, either). Articles posted here and in other places have informed us that these settings weren't always seen as binding by certain companies, especially Google but some manufacturer-installed facebooks as well. The phones that come with someone else's apps installed often went to great extents to prevent me from doing anything to them (not just removing, but permissions too). That's why I don't buy any device with third-party apps installed, but I've worked with others' devices that are so infected.

                Me: ", the permission to use bluetooth also allows an app on android to turn it back on if the user has disabled it"

                Reply: "This can be good or bad."

                You raise some good points, but I think this is an inadvisable choice. I like the idea of having a set of master switches that allow me to be entirely certain that certain facilities are disabled. My reasons may be privacy or security related, concern about power consumption, or the like, but this is useful. I'd be entirely happy if there were two permissions for each of these: "Use bluetooth inside the app" and "alter the state of the bluetooth settings". Similarly, I'd really like Google to hack apart the various permissions in some of the large permission grants like "read phone state" to increase user control and knowledge.

        5. imaginarynumber

          Re: Pandora not Apple.

          "Have you even actually read Apple's privacy policy ? Read it properly ?"

          Erm, Apple do data sniff and use that data to flog targeted adverts from third parties via the news app, the stocks app and the App Store.

          And it's no that long ago that Apple used to brag to advertisers about the fact that they knew more about Apple customers than anyone else. Their iAD platform used to allow punters to be targeted by gender/age/location/income/MUSIC PLAYED/apps owned and how and when those apps are used.

          From

          https://asciiwwdc.com/2014/sessions/510

          "So if you were to promote a health and fitness app, wouldn't it be great if you could choose the audience who like to download health and fitness apps, or who like to download fitness and workout music."

          Apple may be less intrusive than the likes of Google but the whole "what takes place on your iphone" is marketing bollocks.

      2. werdsmith Silver badge

        Re: Pandora not Apple.

        you are too lazy to read it's and prefer to believe what someone on the internet says apples privacy is about

        ---

        It's not someone on the internet. Is been the main point of Apple advertising that I've seen so far this year. "What happens on your iPhone stays on your iPhone" slogan etc.

        They are using privacy as a USP because they know it's a weak point of Android. So now this advantage is destroyed if they have allowed a 3rd party to get away with selling it because they have been loose with their control of their relationships.

        If the lawyers manage to pin this on Apple then I expect Apple can pursue the 3rd party.

        1. Anonymous Coward
          Anonymous Coward

          Re: Pandora not Apple.

          "It's not someone on the internet. Is been the main point of Apple advertising that I've seen so far this year. "What happens on your iPhone stays on your iPhone" slogan etc."

          must be true then.... Hearing it from Apple is less trustworthy than some bloke on the internet...

          1. werdsmith Silver badge

            Re: Pandora not Apple.

            Nobody is saying that advertising is trustworthy, some people can’t wait to jump in with a dig at Apple over anything.

            The point is that Apple are making the claim not some fat twat down the pub, and. It is being undermined by their handling of their App Store clients.

    3. Anonymous Coward
      Anonymous Coward

      Re: Pandora not Apple.

      >But I wouldn't be at all surprised to find Pandora banned from the Apple App store soon

      Rather fitting that it's called Pandora, don't open their box.

  3. BebopWeBop Silver badge
    Holmes

    There was an amusing story on Trackers leaking like a firehose from iPhones in the WaPo this morning - https://www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking

    1. Tim99 Silver badge
      Big Brother

      I’m very particular what apps I load on my phone. If I can’t do what I want on a browser that has an adblocker, VPN, etc., I need a very good reason to load an App that may slurp whatever the author thinks that they can get away with.

      1. ForgotSoMuch
        Facepalm

        snap. Unfortunately most people are not aware/don't think it is problem/don't care

      2. imaginarynumber

        But where do you download those apps from? I assume the App Store. Apple have a full history of what you download. Not that long ago they used that data to sell targeted advertising slots.

        If I sideload an app on to to a Windows or Android device, AFAIK, the only possible data slurping will be on a per app basis and not on an OS app provision basis.

    2. Anonymous Coward
      Anonymous Coward

      You'd have to leave the apps running in the background for them to do this, so you could prevent it by closing apps when you are done with them. It isn't like the old days of PCs where an app might take 30 seconds to load and initialize, so there's little to be gained by leaving them running when you aren't using them.

  4. Nematode

    "Which requires user consent, btw" Yebbut, it'll be buried in a huge EULA or similar. It's time consent moved to a specific-agree-to-item basis, assumed non-consent unless punter knows exactly what is being slurped and why. "Do you consent to us selling your address? Y/N" Hell yes, of course, why wouldn't I?

    1. Joe Gurman

      No

      Clearly you don't use Apple kit. No matter which <something>OS (watch, mac, i, tv) the user has to approve any such disclosure of personal information in a dialog box. Caveat bozo.

      1. Doctor Syntax Silver badge

        Re: No

        Caveat bozo. Deserves an upvote in itself.

      2. doublelayer Silver badge

        Re: No

        "Clearly you don't use Apple kit. No matter which <something>OS (watch, mac, i, tv) the user has to approve any such disclosure of personal information in a dialog box."

        I'm afraid that's not correct. I've just posted a defense of Apple's privacy protections, but they don't work as you describe. An application must request access to specific types of information, but there is little protection should it choose to disclose the information it is granted. A navigation app that operates entirely offline and a navigation app that also sends a full and complete log to the developer would have the same request, requesting location access. Apple does not require any simplicity in disclosures made by applications. It does nicely allow you to deny access to this data if you already mistrust the app, but the integrity and privacy of the data granted to the app is not guaranteed by Apple in any way.

        1. Stuart Castle Silver badge

          Re: No

          I think this is the problem with any on device controls. I am an Apple fanboi, and I like the stance Apple is taking on privacy. They are staking their reputation on enforcing privacy, something which no one else seems to be. However, on device controls, no matter what device they are on, and how good they are, can only go so far. They can stop the data getting off your device, but once it is sitting on servers operated by someone else, they can do what they want with it, and the device controls will not stop them. Of course, various laws, such as the GDPR may well apply, but the user may well need to take the app developer to court to get any action.

  5. Anonymous Coward
    Anonymous Coward

    Ooooooo non-fan-boi here rethinking some purchases............

  6. anthonyhegedus Silver badge

    People who buy any music at all these days are the sort of people who buy things rather than want to rent them as-a-service. I pay for Apple Music - a tenner a month - so why on earth would I want to buy music? I prefer to rent a service for most things if I can.

  7. sinsi

    So you can punch in a few parameters and get a list of names and addresses? Stalkers must be drooling into their keyboards.

  8. Anonymous Coward
    Anonymous Coward

    Wow yes lucky apple users!

    Congrats, class members! You'll get a $1.37 apple store voucher in 2028 (expires in 6 months, minimum purchase $100, additional terms and conditions apply) once the lawyers have agreed a settlement from Apple, and walked away with the $100 million in fees payoff :P

  9. Stuart Castle Silver badge

    I think as a society, we need to change. Any company incurs costs providing a service. That applies whether the company is a little app developer with a few users or a massive company, like Google.

    If companies are unlikely to earn enough directly from the users (through purchases, rentals or subscriptions), they will either cut the product/service or gather data on the users and sell it.

    I would happily pay a bit more for a service (such as Spotify) or Product if I could absolutely guarantee that my info will not be sold or given to outside companies for any reason other than processes needed for the service or product to be provided (I don't count marketing in that). For instance, someone like Spotify may well use an outside company to maintain their users database. They will also need to store at least what I play for royalty payments.

    Companies like Google and Facebook would have to charge for their services. I would also like every company to be totally open and honest about how, when and why they use your data.

    Sadly, that will never happen.

    1. imaginarynumber

      There was a time when if you didn't pay for a product, you were the product. Now you can spend a grand on a new phone and still be the product.

      Apple are no different to MS or Google. All of them want to extract as much money from you as possible.

      Pay for the product, become the product. Repeat and rinse.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021