Apple faces second lawsuit over UDID disclosure to third parties

02 February 2011

Apple is being sued again over alleged disclosure of its mobile devices’ unique device identifiers (UDIDs) to third parties without users’ consent.

According to a lawsuit filed Jan. 27 in California Northern District Court in San Jose, plaintiff Anthony Chiu is accusing Apple of knowingly transmitting UDID data to third parties without the users’ consent, in violation of privacy laws. The plaintiff wants the suit expanded to a class-action lawsuit including all Apple customers in the US who have downloaded and used apps on mobile devices since July 10, 2008.

The UDID is often accompanied by information that provides the identity and location of the person using the iPhone. That information includes the user’s real name or user ID, as well as the time-stamped IP address and GPS coordinates.

“Apple’s privacy policy is opaque and confusing, but one thing is clear: it does not inform mobile device users that by providing application developers with their UDID, Apple enables them to put a name to highly personal and in many cases, embarrassing information, derived from app downloading activity and usage, and Internet browsing history, that would otherwise be anonymous”, the lawsuit charged.

The lawsuit cited a Wall Street Journal article, which examined 101 smartphone apps and found that 56 transmitted the phone’s UDID to other companies without user awareness or consent, 47 apps transmitted the phone’s location, and five sent age, gender, and other personal data to the companies.

Also cited in the lawsuit was a survey by Eric Smith of Bucknell University covered by Infosecurity. According to the survey, 68% of iPhone applications transmitted UDIDs to servers owned by the vendor or an advertising partner each time the application was launched. Furthermore, 18% of the applications encrypted their communications so that the researcher was unable to determine what type of data was being shared.

The lawsuit by Chiu follows close on the heels of a similar lawsuit filed Dec. 23 in the same court by Jonathan Lalo charging Apple with the same privacy violations regarding transmissions of UDIDs to third parties. That suit is also seeking class-action status.
