Earlier this week, Apple Computer was served with another class action lawsuit alleging violations of mobile device owners' privacy. I read the complaint (PDF, 2.7 MBytes) which caught my attention for several reasons.
Nine consumers have filed this latest class-action lawsuit against Apple Computer and several other companies for the unauthorized access, use, and transmission of the mobile device owners' sensitive personal data to app developers and third-party companies. The mobile devices in question include iPhone, iPad, and iPod Touch devices. Besides Apple Computer, the complaint included several several popular brands: the New York Times, WebMD, Yelp, Quattro Wireless, NPR, and Groupon. Many smart phone users have used Groupon for its geo-based coupons. I use several of these apps on my Windows® operating system smart phone.
The complaint alleges that several app developers (Groupon, IAC, NPR, The New York Times, Pandora Media, WebMD, Yelp, Flurry Inc.) and their affiliates (Pinch Media, Medialets, Flurry Inc.):
"... gained individually, and in concert with defendant Apple, unauthorized access to, transmittal of, and use of data, which included but was not limited to the plaintiffs' and class members' UDID, obtained from the plaintiffs' and class members' mobile devices, bypassing the technical and code-based barriers intended to limit access, in addition to bypassing the plaintiffs' and class members' privacy and security settings."
UDID is the "Unique Device Identifier," a 40-digit code embedded in all mobile devices. It identifies your mobile device and when matched with your cellular phone number (or iTunes account), allows companies to identify your mobile device as uniquely you. The complaint alleges that the companies knew about this fraudulent activity and based their business model on unauthorized access and use of this personal information.
For several consumers in the class-action, they began to suspect that something was wrong when their mobile devices:
"... tended to operate more slowly and sometimes froze when loading web pages."
Consumers use a wide variety of apps. Some of the apps the consumers in the class-action downloaded from the iTunes store: Currency, WallpapersHD, Flixster, Netflix, Pandora, Shazam, Google, New York Times, Google Earth, Find iPhone, WiFi Finder, Monopoly, Sudoku2, Tetris, Scrabble, UNO, Angry Birds, Skype, Epicurious, Bank of America, eBay, GasBuddy, and Amazon.com. Obviously, only some apps compromise consumers' privacy. The point: I can imagine the consumers in the class-action probably felt "mugged" by their mobile device apps. When a few apps allegedly compromise your privacy, you become wary of downloading more apps that might do more damage.
How many apps compromise consumers' privacy? MediaPost reported:
"... researchers at the Technical University of Vienna reported that more than half of the 1,400 iPhone apps they studied collected users' device IDs... An earlier study by Bucknell University assistant director of information security and networking Eric Smith found that 68% of the most popular iPhone apps transmitted the devices' unique numbers to outside servers..."
Besides privacy abuses, another impartant issue for consumers is "data plan theft." Some people may call the defendant companies' apps "bandwidth hogs," put I prefer the term "data plan theft." Why? When apps secretly store, use, and transmit mobile device owners' sensitive personal information, the transmission consumes a portion of mobile device owners' monthly data plan limits. That is theft when the transmissions aren't authorized.
There is a direct impact and cost if you pay a monthly fee for your data plan and your data plan has a (low) limit. The cost seems easy to calculate, when you consider that most consumers check for news several times daily. The Groupon users I know, use that mobile site several times per week.
I guess that you could call the offending apps, "money sucking apps."
As a smart phone user, "data plan theft" is important to me because I pay my mobile service provider $25 monthly for about 2 gigabytes of data downloads. (I get unlimited texts so that doesn't factor into the download amount.) Mobile device owners who frequently use the above offending apps would probably incur a greater cost theft than less-frequent users.
Given the "data plan theft" issue, I can imagine the consumers in the class-action probably felt "mugged" by their mobile device apps. When a few apps allegedly compromise your privacy and consumer your data plan usage without authorization, you become wary of downloading more apps that might do more damage. All apps stores need to recognize this threat and take appropriate corrective action.
Otherwise, you could call the app stores, "data breach stores."
The complaint included an attorney's name I have seen before: Joseph Malley of Dallas. Malley, often referred to as a "Privacy Crusader," was involved with class-action suits against Adzilla, NebuAd, Quantcast ("zombie cookies"), Ringleader, and Facebook. In 2010, Facebook settled the suit for $9.5 million. For consumers who have privacy concerns, you want an attorney that is experienced with online privacy issues and technologies. Malley is the guy you want on your side.
Several related blog posts consumers may find helpful: