Within the space of a few days, both Google and Apple have suffered huge legal challenges. The two tech titans were accused of various privacy violations.
State laws in the U.S. are a bit of a mess: There’s no single overarching set of regulations such as the GDPR, which Europeans “enjoy.” State AGs are on the warpath: DevOps teams need to tread a precarious path to remain within everyone’s laws.
Google lost a long-standing privacy case, with more in the works. And now Apple faces a big ol’ privacy class action. In this week’s Secure Software Blogwatch, we navigate the minefield.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: For Sharky.
The state of disunion
What’s the craic? Cecilia Kang reports — “Google Agrees to $392 Million Privacy Settlement”:
“Google prioritized profit over the privacy of people”
Google agreed to a record $391.5 million privacy settlement with a 40-state coalition … for charges that it misled users into thinking they had turned off location tracking in their account settings even as the company continued collecting that information. … The attorneys general said that the agreement was the biggest internet privacy settlement by U.S. states. It capped a four-year investigation into the internet search giant’s practices.
States have taken an increasingly central role in reining in the power and business models of Silicon Valley corporations, amid a vacuum of action from federal lawmakers. … In lieu of federal law, states including California, Colorado and Virginia have enacted their own privacy rules, creating a patchwork of regulations.
“For years, Google prioritized profit over the privacy of people who use Google products and services,” said … the Oregon attorney general. … “Consistent with improvements we’ve made in recent years, we have settled this investigation which was based on outdated product policies that we changed years ago,” said [Google].
So Google will stop breaking the law now? Jessica Lyons Hardcastle’s got news for you — “States win case for privacy”:
“Used this data to rake in advertising dollars”
Google … does not admit to any wrongdoing or violating any laws. … This is the second privacy lawsuit Google has settled with US states in as many months. In October, Google agreed to pay $85 million to settle a similar lawsuit in which [Arizona] also alleged deceptive tracking practices.
Google faces more of these fines: … In January, attorneys general of Indiana, Texas, Washington state, and Washington DC filed lawsuits … alleging that the search giant uses deceptive user interface designs known as "dark patterns" to obtain customer location data without adequate consent. … In other words, disabling "location history" didn't actually fully do that.
It then used this data to rake in advertising dollars, according to the states.
Still, at least Apple respects your privacy, right? Christopher “call me Chris” Brown isn’t so sure about that — “Apple Hit With Class Action Over Tracking”:
Apple Inc. records users’ private activity on mobile applications without their consent and despite its privacy assurances … a new proposed federal class action alleged. [It says] Apple has assured users that they are in control of what information they share … but that those assurances are “utterly false. … Privacy is one of the main issues that Apple uses to set its products apart from competitors. … But Apple’s privacy guarantees are completely illusory.”
The tech giant continues to collect, track, and monetize their data even after consumers have chosen to disable sharing, it said. [For example] Apple’s “App Store” app … records every action users take, what they tapped on, which apps they searched for, what ads they saw, and how long they looked at a given app, the lawsuit alleged. [And] consistent ID numbers [allow] Apple to track user activity across its services, it said.
The case is Libman v. Apple, N.D. Cal., No. 5:22-cv-07069. … Causes of Action: unjust enrichment, invasion of privacy, violations of … the California Invasion of Privacy Act … (CIPA).
One rule for Apple, another for third-party app devs? Sarah Perez crunches the numbers — “Data collection practices in first-party apps”:
“There is no justification”
In the wake of a recent report by independent researchers who found Apple was continuing to track consumers in its mobile apps, even when they had explicitly configured their iPhone privacy settings to turn tracking off … plaintiff Elliot Libman is suing on behalf of himself and other impacted consumers.
App developers and independent researchers Tommy Mysk and Talal Haj Bakry discovered that Apple was still collecting data … across a number of first-party apps … including the App Store, Apple Music, Apple TV, Books and Stocks … even when users had turned off [a] setting that promises to “disable the sharing of Device Analytics altogether.”
In addition, users are left to believe that Apple would stop collecting their data if they turn off other settings, like “Allow Apps to Request to Track” or “Share Analytics.” Despite configuring these privacy controls, the lawsuit states that Apple “continues to record consumers’ app usage, app browsing communications, and personal information in its proprietary Apple apps. … There is no justification for Apple’s secret, misleading, and unauthorized recording and collection of consumers’ private communications and app activity.”
I will sit right down. Waiting for the gift of sound+vision:
It's fair to say at this point that if they have the technical capability of doing it, they are doing it. [Google] scans all your photos and categorizes what's in them with some kind of AI. Similar scanning happens to anything you say that gets picked up on the hot mic that is your phone.
That stuff freaks people out more than the location tracking, so they keep quieter about it. In 10 years there will be a whistleblower or a document leak to fill in the details, and we might see another lawsuit like this with some insignificant fines.
Apple is very much on this bandwagon, too. They showed their proclivity for this kind of thing a few months ago when they announced they'd start scanning your photos for child porn. A miscalculation on their part: they had to go back on the announcement. But … they needed a way to get people used to the idea that it's OK … to do stuff like that.
They all do it? chaos2992 is primed with a whataboutism:
I’ll point at this case the next time an Apple user claims they use them because “Google steals and sells all my info.” They all do, some are just a lot more honest about it.
Still, Facebook is the worst, right? justapassenger disagrees:
Controversial statement: With the amount of scrutiny, hate and FTC oversight over companies like Facebook, I have more trust in their privacy than Apple. Apple weaponized privacy to be able to enter their competitors’ market, all while very openly lying that it’s all about the user.
And what’s with Google’s “we did nothing wrong” shtick? Pascal Monett paints a picture of punishment:
It's paying almost $400 million. Why should it … if it didn't do anything wrong?
Google admits no wrongdoing? Fine. Take the CEO, put him in the middle of town square and flog him until he admits wrongdoing.
Meanwhile, PungentSauce has given up the fight:
Apple already has my medical and financial info, they know my workouts and my whereabouts, they see all my texts and emails, they know what I like on XVideos. Am I really going to pretend to be concerned about them knowing what I look at on the App Store?
You have been reading Secure Software Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Josh McConnell