Apple sued for storing iCloud data on third-party servers
A class-action lawsuit lodged with a California court on Monday accuses Apple of false advertising, claiming the company banked on its name by telling consumers iCloud data is "stored by Apple" when, in fact, the information is in some cases siloed on servers run by Amazon, Google and Microsoft.
Filed with the U.S. District Court for the Northern District of California, the class-action complaint takes issue with Apple's iCloud data handling policies and, more specifically, its lack of transparency on where customer information is stored.
According to the suit, Apple breached customer trust and legally binding contracts by using its status and name to sell iCloud subscriptions to customers believing their data would be stored in a cloud that it owned and operated. Instead of first-party servers, the company farmed out bandwidth to Amazon Web Services, Google and Microsoft's Azure platform.
The conceit is that Apple "lacked the necessary infrastructure" to run iCloud and was therefore not in total control of iCloud data during the contract period. It therefore misrepresented the nature of the service to potential and existing subscribers.
"Touting itself as the provider of the iCloud service (when, in fact, Apple was merely reselling cloud storage space on cloud facilities of other entities) allowed Apple not only to obtain paid subscriptions of class members who subscribed to iCloud believing that their cloud storage was being provided by Apple, but also allowed Apple to charge a premium for its iCloud service because subscribers placed a value on having the 'Apple' brand as the provider of the storage service for their most sensitive data," the suit reads.
The suit maintains plaintiffs entrust Apple with important and personal information, and pay a premium to keep that data safe. Plaintiffs Andrea M. Williams of Florida and James Stewart of San Francisco, Calif., are named in the suit and claim they were not informed that iCloud would store data on non-Apple servers. If they had known about the strategy, the pair would either not have subscribed or would have not paid the "Apple premium" for access to the service.
Compounding the problem are competing, and in some cases less expensive, cloud storage solutions marketed by Apple's providers in Amazon Drive, Google Drive and Microsoft's OneDrive.
Plaintiffs allege Apple makes no mention of third-party servers in its marketing materials or its iCloud terms and conditions. Indeed, the preamble to iCloud's customer agreement suggests all data flows directly from user devices to Apple itself.
"When iCloud is enabled, your content will be automatically sent to and stored by Apple, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers," the document reads.
Interestingly, Apple's Chinese iCloud agreement more accurately describes the situation, at least in that region. As per state law, the company stores Chinese cloud data on local servers, in this case run by Guizhou-Cloud Big Data, or GCBD.
"When iCloud is enabled, your content will be automatically sent to and stored by GCBD, so you can later access that content or have content wirelessly pushed to your other iCloud-enabled devices or computers," Apple says.
Industry watchers have known about Apple's iCloud outsourcing since at least 2011, when the tech giant was rumored to tap AWS, Microsoft or both for the then-new cloud storage product. More recently, Apple in early 2018 confirmed iCloud relies in part on third-party services like Google Cloud Platform.
For its part, Apple goes to great lengths to ensure iCloud security surpasses industry norms. In an iOS Security document last updated in May (PDF link), the company details its security protocols, saying files from contacts, calendars, photos, documents and more are broken into chunks and encrypted using AES-128. A key generated from each chunk's contents is created and stored with corresponding metadata in a user's iCloud account.
"The encrypted chunks of the file are stored, without any user-identifying information or the keys, using both Apple and third-party storage services — such as Amazon Web Services or Google Cloud Platform — but these partners don't have the keys to decrypt your data stored on their servers," Apple says.
Plaintiffs seek class status, injunctive relief enjoining Apple from continuing to falsely misrepresent iCloud storage policies, unspecified damages and legal fees.