A new federal class action lawsuit (see below) charges that a host of well-known social media, app, and mobile device companies stole “literally billions of contacts” from users’ personal address books by illegally ‘harvesting’ personal data on the sly, without their knowledge or consent.
The 152-page complaint seeks monetary damages under both federal and Texas state law that could be enormous, injunctive relief, equitable relief “to mandate fixes to these mobile devices and apps” to stop alleged privacy violations, as well as attorneys fees and expenses.
Citing a recent New York Times article, Mobile Apps Take Data Without Permission, the lawsuit slams Apple, Inc. and many iOS app developers for alleged privacy violations.
The lawsuit charges that:
Apple’s AppStore has made available for download (and has downloaded to consumers’ wireless mobile devices) in excess of 100 discrete Apps containing code that functions to access, copy and upload to remote systems at least a portion of a user’s wireless mobile device’s address book data without the user’s express prior effective consent.
The class action alleges that Facebook, Twitter, LinkedIn, Rovio (maker of Angry Birds), Foursquare, Electronic Arts, and other defendants deployed “stealth address book data harvesting functionalities” in their mobile applications, and that Apple approved and released these apps in its AppStore.
Android and Amazon.com users should not rest easy, however. The lawsuit’s plaintiffs target the following mobile devices: 1) the Apple iPhone, 2) Apple hand-held devices (the iPad or iTouch) running on iOS, or 3) Android-based phones using Google’s Android platform.
This chart from Page 46 of the complaint shows the reported date that the defendants apps were first made available in Apple’s Appstore, the Android Marketplace, and Amazon.com’s Appstore for Android:
Another chart on Page 49 of the complaint shows that the majority of apps that plaintiffs target are iOS-based; the only Android apps currently targeted by the plaintiffs are for Twitter, Facebook, and LinkedIn.
In an interesting twist, the lawsuit charges that Path CEO and co-founder Dave Morin (the complaint mistakenly calls him ‘Doug’) conceded liability in a February 8, 2012 blog post. Titled “We are sorry,” Morin conceded that the company “made a mistake” by accessing, transmitting, and uploading users’ address book contacts.
The damages sought in the class action could be huge, given the potential number of people using mobile apps listed in the complaint. The plaintiffs seek damages for:
- Common law negligence, gross negligence, and negligence per se;
- Invasion of privacy, as well as the seclusion and public disclosure of private facts;
- Texas Theft Liability Act violations, seeking the fair market value of plaintiffs’ “discrete contact data points”, and up to $1,000 for each separate incidence of alleged theft of address book data from each user;
- Common law misappropriation;
- Civil liability for computer fraud under 18 U.S.C. § 1030(g)
- RICO violations under 18 U.S.C. §§ 1961 – 1964, including claims for Treble damages;
- Violations of the Electronic Communication Privacy Act (ECPA) under 18 U.S.C. §§ 2511 & 2520 for interception of electronic communication. Plaintiffs seek the greater of either a) any profits realized from address book data usage, or b) damages of either $10,000 per plaintiff, or $100 a day for each violation, whichever is larger;
- Civil Liability under the Texas Wiretap Act for “no less than the greater of: (i) his or her actual damages; or (ii) statutory liquidated damages of the greater of $1,000 apiece or $100 a day for each day of violation.;
- Aiding and abetting;
- Unjust enrichment;
- The creation of a constructive trust over all money and benefits wrongfully obtained by the app makers and other defendants; and
- Punitive damages.
Read the mobile privacy class-action lawsuit below, and follow the case docket: