Imagine if a stranger was able to access your private iMessage conversations and FaceTime calls because of a security flaw; Tigran Ohanian and Regge Lopez sued Apple and T-Mobile in a class action on Monday, alleging such a flaw allowed previous SIM card holders to access another iPhone user’s iMessages and FaceTime calls because the SIM card was still associated with another Apple ID account. Ohanian and Lopez accused Apple of deceptive conduct for its data privacy and security practices of iMessage and FaceTime. Meanwhile, the plaintiffs alleged that T-Mobile engaged in deceptive conduct regarding SIM card recycling.
The plaintiffs claimed that in its marketing, “Apple represented to consumers…that the iPhone was designed to protect the privacy of users’ data and confidential personal information, and that the iMessage and Face[T]ime features unique to the iPhone were highly secure methods of communication.” However, the plaintiffs said “Apple deceived consumers by failing to disclose a significant security flaw in the Apple iOS software – the operating system for the iPhone – known only to Apple that allowed iMessage correspondence sent by iPhone users and FaceTime calls made by iPhone users to be improperly directed to and accessed by third parties.”
Furthermore, T-Mobile marketed SIM cards without disclosing that they would recycle older SIM cards “without requiring prior users to manually disassociate their Apple IDs from the phone numbers associated with the recycled SIM cards.” Instead, this allegedly allowed the previous SIM card holder to access and receive iMessages and FaceTime calls meant for the new SIM card holder. Consequently, the plaintiffs said that this conduct has caused consumers to unknowingly become the victims of data security breaches when their iMessages and FaceTime calls were “improperly accessed by third parties” without users’ knowledge and consent.
The plaintiffs added that while the September 2018 release of iOS 12 “purportedly resolved these data security issues for iPhone users that actually installed the software,” Apple “never informed iPhone users, consumers, or the general public of the fact that the known security flaw in the iOS software led to innumerable unintended disclosures of iPhone users’ iMessage correspondence and FaceTime calls to third parties for nearly seven years prior to that.”
According to the plaintiffs, Apple has emphasized the importance of users’ privacy and security to the company, but they claimed their actions show otherwise. iMessage is Apple’s “own encrypted instant messaging service,” and FaceTime allows “iPhone users to communicate with contacts who also had iPhones through a specialized and proprietary videotelephone feature.”
Plaintiff Ohanian received a SIM card from T-Mobile while he was in New York, which he used for one year, it automatically linked to his Apple ID. Plaintiff Lopez switched wireless carriers accounts and obtained a new T-Mobile account, Lopez also purchased a new SIM card, which provided him with a new phone number. The new SIM card was automatically associated with this Apple ID. “Unbeknownst to Lopez, the Affected Number was the same number that T-Mobile had previously provided to Ohanian with the Ohanian SIM Card. Even though the Ohanian SIM Card was deactivated and not even still inserted into Ohanian’s iPhone, Ohanian began receiving extensive amounts of unwanted communications on his iPhone 6s via iMessage and FaceTime, which appeared to be addressed to an unknown new owner of the Affected Number.” Ohanian stated that these messages were from complete strangers. He “received more than 100 iMessages and FaceTime calls which included, inter alia, private photographs (including those of young children) and communications that clearly were directed not to Ohanian, but instead were directed to the unknown new owner of the Affected Number that Ohanian previously had utilized in connection with the Ohanian SIM Card.”
The plaintiffs accused Apple of violating NY GBL §§ 349 and 350 because of its alleged data privacy and security feature misrepresentations and conduct, and for false advertising for its security practices. The plaintiffs also claimed that T-Mobile violated the same laws due to the recycling of SIM cards.
The plaintiffs have sought class certification; an award for damages, including statutory and punitive damages; an award for costs and fees; disgorgement of profits; an award for restitution; and other relief as determined by the court.
The plaintiffs are represented by Oved & Oved LLP.