back to article Apple sued for promising privacy, failing at it

Apple has again been sued for promising privacy and allegedly failing to provide it. The complaint [PDF], filed in Northern California District Court on behalf of plaintiff Julie Cima, claims Apple captures iPhone customer data despite device settings declaring a preference that information should not be shared. "Apple …

  1. FIA Silver badge

    When does the onus come on to the user to stop using something if they want privacy?

    I don't like my personal data being shared, but I do accept that my data is being used by companies that I have a relationship with.

    I fully expect Amazon track me across their site, and I don't really mind that, those kind of metrics are useful to companies to better optimise their products. (eg, I worked for a company that tripled it's sales in the early days of the web by simply re-arranging it's order page, but we did need user analytics to work this out).

    The problem for me is when companies share it with 3rd parties that I don't have a relationship with, or use their dual nature of their product to track me when not using their product explicitly. (Advertising trackers for people like Google and Amazon come to mind here, I don't want amazon knowing that I look at a particular website simply because they sell advertising to that website).

    i.e., I don't mind Apple tracking what pages I look at on the App Store app, but if they're tracking me looking at pages on the Amazon app, or vice versa, that would be a problem.

    If I didn't want Apple (or Amazon, or Google) to know what I did with their services however, I simply wouldn't use them.

    (or maybe it's just the older I get I realise my secret plans for world domination are less likely to come to fruition and there's less reason to hide them from the world anymore).

    1. Anonymous Coward
      Anonymous Coward

      Whatever you think, companies have to abide to the law. If there is a law that forbids them to gather data without permissions, or use them in a way beyond the permission obtained, they can't break them.

      It tracking is OK for you, it's not for many other people who wish their data to be used **only** for the purpose they gave them to a company.

      Moreover no company tracks you for the sake of it. Tracking is used to drive you to buy more of something - and the matter if it is 1st party or third party matters little. Services built on gathered data will be sold to others to target you in exchange of money.

      "I simply wouldn't use them."

      When they got a monopoly on many services it's not so simple to do without them. I can no longer access my bank if I have not a phone for 2FA - they no longer issue separate tokens. So when you have a dominant position in one market, and people are basically forced to use your products, you have to undergo even bigger scrutiny and laws can be enacted to avoid the position is exploited against users.

      1. Ace2 Silver badge

        From the article, this silly lawsuit seems to be focused on the Apple app store. All of the Apple privacy settings etc. are talking about limiting the tracking of what you do on your phone - who did you call? How many times did you walk into a Walmart? What’s your favorite search term? Apple has no right to any of that.

        Wheres as the OP points out, of course Amazon tracks what you do on The app store is just another website underneath.

        And no I do NOT want any more GDPR popups every time I click a button on

        1. Anonymous Coward
          Anonymous Coward

          "of course Amazon tracks what you do on"

          Amazon too has to do that within what is legal - even if it lacks an ethics. Amazon has no right to track my activity on Amazon site without informed consent, when that falls into the categories not allowed by the law. Nor can a supermarket. The fact I'm on your premises doesn't mean you can break my rights. Moreover, a phone is the user's devices, not an Apple one. As far as I know Apple still **sells* them, doesn't lend them. So who is the first party here, Apple or the owner of the device?

          "And no I do NOT want any more GDPR popups every time"

          You're right. Tacking should be banned by default and users should enable them themselves entering their account and enabling "yes, I want to be tracked". And site should respect the "Do not track" flag, and asking nothing else. Or be fined heavily.

          1. cyberdemon Silver badge

            Re: "of course Amazon tracks what you do on"

            Yes absolutely - if sites respected the Do Not Track flag from the browser, they wouldn't need any of those annoying popups.

        2. Chet Mannly

          "of course Amazon tracks what you do on"

          Absolutely no problem with that. But if Amazon advertised "come shop with us we don't track you" (the equivalent of what Apple are doing) then I have a big problem with that.

      2. Helcat Bronze badge

        "Whatever you think, companies have to abide to the law. If there is a law that forbids them to gather data without permissions, or use them in a way beyond the permission obtained, they can't break them."

        I'm going to disagree, but it's semantic: Companies have to comply with the law or risk prosecution. That does not mean they don't take chances and hope no one notices their breaking laws. Hence: They can break the law. It's just... illegal to do so.

        So the truth is they will break the law if the benefits of doing so are greater than the penalties if caught. To some, they gamble on not being caught at all, and if they are caught, to deflect and distract and otherwise weasel their way out of trouble. This includes trying to make the prosecution too expensive to pursue to force the prosecutors to either drop charges or accept a token apology. This is the same principle criminals use, and those who think their lawbreaking doesn't really matter (drivers speeding on the roads, for example, or driving dangerously. Reminds me - need to see if the police will accept my dashcam footage of two examples of insanity behind the wheel...)

        So for these laws to really have 'teeth' and dissuade companies from breaking them, these laws need to be backed by more than a slap on the wrist: They need gaol time for the exec, and very heavy penalties, plus compensation to those affected. Basically, the risk of bankruptcy. Then workers will be more inclined to challenge dodgy activity and policy if they don't want to be unemployed and, potentially, unemployable.

        It's not going to happen, particularly in relation to multinational corporations and social media groups, but... it would be nice if one of them got dragged through the courts and made a hard example of. Complete with prison time for the exec. I'm sure people have nominations as to which should be first.

    2. doublelayer Silver badge

      I agree that first-party data usage is less problematic than third-party data sharing, but that doesn't mean I agree with your acceptance. There's a reason that GDPR and similar legislation requires informed consent (and would actually matter if enforced). Just because I engage in a business relationship with you doesn't mean I know all the stuff you're planning to do with my data, and burying that information somewhere or waiting for someone to discover it later doesn't count as me agreeing to have it done.

      There are a lot of cases where a company has a reason to collect a ton of information. I have, for example, engaged in a product testing situation where I was handed a prerelease device to attempt to use and all my reactions to the features and interactions with the device recorded for future analysis. This was supposed to help them improve confusing parts of the interface and judge what a specific user thought of the features they were going to make available. This was fine, because they told me that's what they were going to do. A company could equally well collect the data from users of the device after it's been sold, using the collected data to improve the next version, but it would be entirely unacceptable to collect anything like that without specifically informing the user of everything that was going to happen and getting consent for every part of it. Even if you don't share the information, you don't have the right to surveil everything I do for your own use.

      If you want to collect ten types of information, then you need to ask ten times and you need to tell me what each type is and what you're using it for. In countries with satisfactory regulations, you should also be forbidden from denying me the service because I don't consent to the collection. If you want to share that information with others, then you have to ask ten more times for that part as well.

    3. Chet Mannly

      The issue is that Apple promise at every turn not to do so if you switch the collection/sharing off, not whether you are comfortable with it.

    4. Elongated Muskrat

      There is a clear line between data that is required for the functionality the user is expecting, and data that is collected for functionality "behind-the-scenes" that is of no direct benefit to the user.

      For example, collecting name and address for a postage label is expected, and acceptable behaviour, collecting information about how long a particular user looked at an advert, and associating it with that user is of benefit only to the person thrusting their advertising in your face, be it Apple, or some other third party. Gathering advertising metrics that are used for statistical purposes and don't (and cannot) associate the "view" with a specific person are "acceptable", in that advertising is ever acceptable, but there is a clear difference.

      GDPR has quite a lot to say about what is allowable when collecting data that has an element of personal identification to it, and just because Apple is a US company, doesn't make them (or anyone else) exempt from following the rules of other countries they operate within.

      The onus lies on them to gain consent, which must be opt-in, not simply assume consent for activities which benefit them, and require the subject to opt out.

      So, to answer your question, "When does the onus come on to the user to stop using something if they want privacy?" When the user decides they no longer wish to be opted in (which they will have explicitly chosen to do), then the onus is on them to opt out. At which point, the company must delete the data they have collected, and be able to demonstrate that they have done so. It is illegal to make the use of any service contingent on the collection of such data, if it is not essential to the purposes of that service, by the way.

  2. Version 1.0 Silver badge

    This is "normal" everywhere.

    Companies capturing customer data despite device settings is too often an internal "feature" because advertising is the major source of income for virtually all enterprises in the modern data world now. We see a lot of stories about these events in El Reg, but I wonder how many times this is just under the table? We think that our data is "ours" ... certainly it is, but when we are just device/app/OS/website users then we are just income for so many advertising environments.

    Basically Advertising has evolved, originally it was just a sign in the street and a small picture/proposal in a newspaper that were designed to make us happy to read - think of this change like being given a young kitty at home ... but the "kitten" has now grown bigger, four feet tall with a large mane and teeth six inches long ... so now we're lunch.

    1. el_oscuro

      Re: This is "normal" everywhere.

      Duck Duck Go doesn't have all of this spyware crap, and they seem make money with their ads. When you use their search engine, they have your IP (which provides your city location) and your search term. That is all they need to serve relevant ads.

      1. Korev Silver badge

        Re: This is "normal" everywhere.

        Do they also get referral fee from Bing?

    2. Elongated Muskrat

      Re: This is "normal" everywhere.

      I don't know why you got so many downvotes. You have described pretty accurately how all those advertisers operate. Many of them have an annoying pop-up where you have to "reject all" (the tiny greyed out text next to the massive green "Accept" button which is deceptive enough in itself), but I'm sure plenty don't do this and just vacuum up all that juicy tracking data.

      This is, of course, not right, or acceptable, but the internet is full of predators.

      You can protect yourself to a degree by using various browser plug-ins, a Pi-Hole and all that gubbins. The bad guys are wily, though.

  3. GraXXoR

    I don’t have much of an issue with a company that doesn’t promise privacy to any extent whatsoever, using metrics in a legal fashion, within the context as laid out by common law.

    What I don’t like is a company that is actively selling privacy as a feature and positive sales point of the said brand doing the same.

    1. Elongated Muskrat

      I don’t have much of an issue with a company that doesn’t promise privacy to any extent whatsoever, using metrics in a legal fashion, within the context as laid out by common law.

      I have an issue with it, if they don't get my consent first. And so does EU (and UK, for now) law.

  4. JassMan

    Advertising can not always be called "marketing fluff".

    Setting aside the possibility of legal deficiencies that can get such claims tossed, the iPhone maker may choose to defend itself by arguing that ingesting data through its first-party relationship with its customers is not sharing information with a third party." would only be true if it had not advertised "What happens on your iPhone, stays on your iPhone," and "Your iPhone knows a lot about you. But we don't."

    Lawyers are going to make a lot of money out of this case. Apple are going to find it difficult to explain that they are not lying through their teeth.

    Prediction: Apple will eventually lose but promise to do better next time without actually changing anything. They will be forced to pay a massive handout but it will be swallowed up in legal costs and the plaintiffs will see less than 10cents each.

    1. badflorist Silver badge

      Re: Advertising can not always be called "marketing fluff".

      What's not so obvious is wether or not apple will still be considered "better than the others".

    2. A. Coatsworth Silver badge

      Re: Advertising can not always be called "marketing fluff".

      Updated prediction: Apple will not "lose". They will settle off-court, admitting to no wrongdoing. Afterwards they will pay the equivalent of 3 to 6 seconds of profit and mutter something about lessons learned, without doing a damned thing.

    3. Chet Mannly

      Re: Advertising can not always be called "marketing fluff".

      "Apple will eventually lose but promise to do better next time"

      Apple will just treat this as a marketing issue, change their advertising, and happily go on scooping up all the data they want.

      1. Elongated Muskrat

        Re: Advertising can not always be called "marketing fluff".

        In the UK, they will promise not to run that advert again, in that form; an advert that they will have not run for six months by the time the ASA attempts to slap their wrist. It truly takes a lot to fall foul of the UK's advertising regulator and actually get sanctioned in any meaningful way.

  5. karlkarl Silver badge

    Great, when can I expect my cheque in the post?

    Oh no... not because I was ever an Apple consumer but merely as compensation for having to constantly listen to the same old crap every month like a form of mental torture.

    I think my compensation pay should come from not only Apple, but the twits who buy defective products *and* later complain about them. They are equally at fault (perhaps more so!).


    (If you would like to engage and are an Apple consumer, please click the down button. If you are not a twit, please press the up button).

    1. Anonymous Coward
      Anonymous Coward

      I'm not sure how you can choose a product to buy, when the manufacturer has flat out lied about it's operation, and the only alternative is known to be worse anyway.

      I just bought a Belkin brand "USB-C - USB-C Boost charging cable"

      It has only two wires, no charge signalling wire. It is not even a usb-pd charge only cable.

      It can only slow charge.

      The manufacturer simply provided zero information about the product beyond it's name, so I had no way to know before buying it. Buying some usb-c sockets, and using a microscope and multimeter to find out why it doesn't work.

      Luckily I can threaten the seller with wasting their staff's time in the small claims court, so I will get a refund.

      1. Neil Barnes Silver badge

        And that's the whole point of branding a product: so that with a brand you trust, you can trust that the product does what it says on the label; no more, no less. Doesn't matter whether it's a cable, a can of sardines, a pair of jeans, or a mobile phone.

        What happens when the brand fails to deliver is that trust is lost in the brand. The cable doesn't work per the packaging? The sardines are herring? The jeans have one leg longer than the other? The phone spies on your activity despite claiming not to? Refund and never trust that brand again.

        Except that people don't... they'll do better next time, they cry. It was there in the small print which I failed to read. They were just misunderstood. Perhaps they'll get it right next time... I'll buy another. Perhaps because people are more invested in the brand than the product? I don't understand people...

        1. Anonymous Coward
          Anonymous Coward

          Phone makers make a lot of efforts to ensore that it's vastly more difficult to change phone brand than jeans brand.

      2. Crypto Monad Silver badge

        Did you buy via Amazon's marketplace from a third-party supplier? Then I would suspect it's a *fake* Belkin cable. The complete lack of technical information is a good clue that this is the case.

        Belkin's own website does tell you the spec:

        But that would only apply if you'd bought the genuine article.

  6. T. F. M. Reader Silver badge

    The Register trademark

    I had to double-check whether the "registered trademark" ® symbol at the end of the article referred to the whole piece or just to the last sentence: "Apple did not immediately respond to a request for comment."

    1. Elongated Muskrat

      Re: The Register trademark

      Given Apple's reputed responsiveness towards journos from El Reg (or lack thereof), I think it's probably the latter, and deliberately so.

  7. Scott Broukell

    Fear not citizens, all our personal information is kept very private online. So private in fact, that it is harvested, stored, analysed and monetised by private companies with private share holders from all over the world. Further, that personal information is so valuable that some folks even make a living stealing it and/or trading in it!

    As a consumer your expectations regarding privacy will for ever clash with the privacy aspirations of any company/entity, online or otherwise. Those privacy settings, they are very much aspirations on the part of said company/entity. "We at GlobalCorpInc aspire to the theatre of privacy so much so that you schmucks will lap it all up" etc.

  8. iron Silver badge

    > the iPhone maker may choose to defend itself by arguing that ingesting data through its first-party relationship with its customers is not sharing information with a third party.

    They may but...

    > how users find apps; the amount of time spent looking at apps in its App Store; App Store searches; and App Store ads displayed and clicked on

    They share most of that data with app developers like myself. It is hard to claim you're not sharing data when you're sharing it with millions of app devs.

    1. Elongated Muskrat

      They will also have to claim that that data collection is proportionate and necessary to the operation of the app store, especially the aspect where it associates it with an identifiable individual.

  9. Anonymous Coward
    Anonymous Coward

    Yeah, but nah

    How many of these privacy warriors also use social media, et al?

    I’m all for privacy, good realistic privacy, that’s why I don’t touch “the socials”.

    - Anton Anon (known only to El Reg)

    1. Elongated Muskrat

      Re: Yeah, but nah

      If I post something on Facebook, or Twitter, I do so in the full expectation that what I am posting is public. This is not comparable in any way with silent tracking of activity and its collection and collation without the user's knowledge or consent.

  10. Anonymous Coward
    Anonymous Coward

    Find My Data (pun intended!)

    Link: mention of "Find My". Interesting, since Apple make a point of saying that your own Apple device can be OFF, and "Find My" will still work using OTHER PEOPLE'S devices and Bluetooth.

    Does this man that OTHER PEOPLE'S devices are collecting data about "Find My" requests?

    I think we should be told!!

    1. jollyboyspecial Silver badge

      Re: Find My Data (pun intended!)

      Well that's how "find my" works. Your missing device connects through other people's devices.

      So yes other people's devices are collecting data about your device and sharing it with Apple. But if you use that service then you authorize Apple to collect that data.

      Here's a question though. Does the find my service still work through other people's devices if they have opted out of all of Apple's data collection and sharing services. And if it does what data does Apple collect about their devices and movements?

      If the service just logs that the missing device was "seen" by a i-device at this location and this time, then fair enough. But if Apple record any data at all about that third party's device then they are breaking their own rules. Of course there's no need to log that data in order to track the missing device, but I wouldn't assume for a minute that means that they don't log that data. Too many tech companies in the past have been caught logging stuff they don't need to log, not necessarily through malice or even avarice but often through the employment of crap coders.

  11. jollyboyspecial Silver badge

    "the iPhone maker may choose to defend itself by arguing that ingesting data through its first-party relationship with its customers is not sharing information with a third party"

    OK so it's not necessarilly sharing (although I'd like to see them provide evidence that they don't share the data of people who have opted out) but even if they don't share this data what about this statement...

    "Your iPhone knows a lot about you. But we don't."

    It's about time the law was changed so that advertising becomes part of the contract between you and your customer. If making a false statement in your advertising constituted a breach of contract with your customers I think it would change things quite significantly

    1. Elongated Muskrat

      The marketing department would have to repurpose their cocaine budget to pay for compensation claims.

      After a couple of multimillion dollar claims, there'd be barely anything left for the weekend.

  12. BPontius

    Privacy is a unicorn, pure fantasy, myth!!! Pretty much every app on her phone is also collecting data even though she has opted-out or turned it off. Such a waste of money and time, Apple will continue to collect data. Apple has nearly $50 billion in cash reserves, fighting and settling this lawsuit won't even be felt. Apple probably has more in petty cash than what this will cost them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like