Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple facing class action lawsuit over alleged iTunes & Apple Music data sale

Last updated

Residents of Rhode Island and Michigan lead the suit, which maintains that Apple profits unjustly by releasing what users play in iTunes and on Apple Music to other companies, and also allowing third-party app developers direct access to what tracks are in users' iTunes library.

A class action suit has been filed against Apple in the US District Court, Northern District of California, on behalf of all Apple users, by three residents of Rhode Island and Michigan. Leigh Wheaton, Jill Paul and Trevor Paul, claim that Apple profits from releasing the extensive demographic data it has about its users, their full names, ages, and addresses, plus their history of music listening preferences.

The suit is pegged to Apple's recent Las Vegas billboard promoting privacy. "The statement on the billboard is plainly untrue, however," says the filing, "because... none of the information pertaining to the music you purchase on your iPhone stays on your iPhone."

Lawyers for the plaintiffs are seeking $250 for Wheaton and every user allegedly affected, plus $5,000 to the complainants. The suit does not establish how many people would be involved beyond "tens of thousands", but the filing says that the "aggregate amount in controversy exceeds $5,000,000."

To support the claim that Apple "sells, rents, transmits and/or otherwise discloses, to various third parties" this information, the suit includes details of such information being available to buy. Significantly, the data is not sold by Apple nor limited to it.

"For instance," says the suit, "the Personal Listening Information of 18,188,721 'iTunes and Pandora Music Purchasers,' residing across the United States (including in Michigan and Rhode Island), is offered for sale on the website of Carney Direct Marketing."

Screenshot of broker firm CDM's apparent sale of iTunes user data (source: court filing) Screenshot of broker firm CDM's apparent sale of iTunes user data (source: court filing)

A second company, SRDS, is cited as offering the same information, which consists of highly detailed demographic data.

Separately, the case claims that Apple provides data to iOS developers. "For example, using the MPMediaQuery.songsQuery() function of the MediaPlayer Framework API," continues the suit, "developers are able to grant themselves access to metadata that identifies the titles of all of the songs that a particular user of their application has purchased on iTunes."

To support this, the plaintiffs detail how on January 13, 2016, iOS developer Ben Dodson filed a bug report to Apple saying that the current system could allow details of a user's entire music database to be revealed. Dodson wrote about his bug report on his blog at the time.

According to the lawsuit, this bug was not addressed by Apple until eight months later "on or about September 13, 2016," when iOS 10 was released. It further says that Apple then effectively just included a notice informing users that their data would be used this way.

Apple has not yet commented on the lawsuit.



16 Comments

EsquireCats 8 Years · 1268 comments

Going to need to see two things: (i) Proof that Apple provides 3rd parties with customer's personal information for delivering the music service (they don't) and the described bug doesn't convey intent (actually it infers the opposite hence "bug" not "feature"), and (ii) what kind of damage this has caused even if it were a bona fide activity. Furthermore the billboard is irrelevant to the case.

These lay on the comical end of settlement-fishing activities.

ericthehalfbee 13 Years · 4489 comments

Curious how they’re able to make these claims:

their full names, ages, and addresses, plus their history of music listening preferences.”

There are no APIs available in iOS to get your real name, device ID, address, age, AppleID or any other personal information about you. There USED to be an API to get your music library.

That’s quite the leap from seeing your tracks to getting explicit personally identifying information about you. I can’t wait to see how they’re going to prove Apple provides this information.

lkrupp 19 Years · 10521 comments

Wouldn't be surprised to find out this is a coordinated attack on Apple’s reputation for privacy and security by competitors. The way the world works now is you're guilty until you prove yourself innocent. An accusation alone is enough to ruin reputations and careers. It could be a fishing trip to find out how Apple works during the discovery process. Of course, it could be true too. That would be a big deal indeed.

In some minds here Apple is already guilty and I’m sure we’ll be hearing from those people any minute now. Apple had better jump on this hard and quick or the accusation will confirm guilt in the media.

loopless 16 Years · 343 comments

In the bigger picture, when you give an app access to, say, your address book, nothing stops that app from harvesting all that data and sending it - except the threat of being discovered and banned from the App Store. Apple tries to strike a balance , in what they give apps access to and users privacy.

titantiger 14 Years · 297 comments

My guess is that some apps that users have allowed access to their iTunes libraries and have signed up for an account that includes full name and email has been cross referenced with publicly available information.  Unless they can prove Apple was giving this info away without the user consenting to it, this suit is dead in the water.

I also agree that it likely could be a stunt by Android competitors to just throw FUD out there for a few headlines to undermine Apple's privacy advantage.  Doesn't matter whether it has merit or is ultimately successful.  The headlines are enough to do what they need.  Anything else is gravy.