Apple faces second lawsuit over UDID disclosure to third parties

According to a lawsuit filed Jan. 27 in California Northern District Court in San Jose, plaintiff Anthony Chiu is accusing Apple of knowingly transmitting UDID data to third parties without the users’ consent, in violation of privacy laws. The plaintiff wants the suit expanded to a class-action lawsuit including all Apple customers in the US who have downloaded and used apps on mobile devices since July 10, 2008.

The UDID is often accompanied by information that provides the identity and location of the person using the iPhone. That information includes the user’s real name or user ID, as well as the time-stamped IP address and GPS coordinates.

“Apple’s privacy policy is opaque and confusing, but one thing is clear: it does not inform mobile device users that by providing application developers with their UDID, Apple enables them to put a name to highly personal and in many cases, embarrassing information, derived from app downloading activity and usage, and Internet browsing history, that would otherwise be anonymous”, the lawsuit charged.

The lawsuit cited a Wall Street Journal article, which examined 101 smartphone apps and found that 56 transmitted the phone’s UDID to other companies without user awareness or consent, 47 apps transmitted the phone’s location, and five sent age, gender, and other personal data to the companies.

Also cited in the lawsuit was a survey by Eric Smith of Bucknell University covered by Infosecurity. According to the survey, 68% of iPhone applications transmitted UDIDs to servers owned by the vendor or an advertising partner each time the application was launched. Furthermore, 18% of the applications encrypted their communications so that the researcher was unable to determine what type of data was being shared.

The lawsuit by Chiu follows close on the heels of a similar lawsuit filed Dec. 23 in the same court by Jonathan Lalo charging Apple with the same privacy violations regarding transmissions of UDIDs to third parties. That suit is also seeking class-action status.

What’s hot on Infosecurity Magazine?