Category archive: Lawsuit


T-Mobile will pay out $350M to customers in data breach settlement

If you were one of the nearly 77 million people affected by last year’s T-Mobile breach, you may have a few bucks coming your way. The company has just announced the terms of a settlement in a consolidated class action lawsuit, and it isn’t cheap: $350 million to be split up by customers (and lawyers), plus $150 million “for data security and related technology.” Let this be a lesson to all companies: If you stay ready, you don’t have to spend $150 million to get ready!
The breach apparently occurred sometime early last year, after which collections of T-Mobile customer data were put up for sale on various criminal forums. Estimates of how many people were affected varied, with T-Mobile claiming less than a million had accounts and PINs fully exposed (still not great), and somewhere between 40 and 100 million users total with some data taken.
The settlement, described in an SEC filing and court filing (PDF) first spotted by Geekwire, doesn’t appear to have separate terms for people affected differently by the hack — but that might have been handled separately for all we know. For now, the class defined by the settlement document is “the approximately 76.6 million U.S. residents identified by T-Mobile whose information was compromised in the Data Breach,” with a little extra legalese for Californians, where class actions are handled slightly differently.
As is common in these giant lawsuits, lawyers take a huge bite and then the company must alert the class members they’re owed money, so you can expect a postcard if you were a T-Mobile customer in August of 2021 (in the interest of full disclosure, I was). Then the money gets split up, depending on how many people respond and how much the lawyers take. The final settlement terms could be approved as early as December.
Chances are you won’t even be able to cover a single monthly mobile bill with what you get, but these days a $9 check might be the difference between “dinner” and “no dinner” for quite a few people, so let’s not mock these small sums — except that it’s kind of insulting to have five serious breaches in as many years and all customers get is enough to order off the value menu.
The company, which merged with Sprint just before the breach, said in its SEC filing that it will be dedicating $150 million to improving its security, so maybe it’s taking things seriously now. Guess we’ll find out soon.


Google will reimburse developers $90 million to settle a lawsuit over Play Store earnings

Google said Thursday it will pay $90 million to settle a lawsuit with U.S. developers that accused Google of abusing its power of app distribution and charging an unfair fee of 30% for app purchases and in-app purchases made through the Play Store.
The company noted that U.S. developers who made less than $2 million each year between 2016 and 2021 through Google Play Store earnings will be eligible for compensation.
“A vast majority of US developers who earned revenue through Google Play will be eligible to receive money from this fund if they choose. If the Court approves the settlement, developers that qualify will be notified and allowed to receive a distribution from the fund,” the search giant noted in a blog post.
Hagens Berman Sobol Shapiro LLP, the legal firm that represented the plaintiffs, said that developers were entitled to a minimum compensation of $250 — with some settlements going above $200,000. The firm noted that more than 48,000 U.S. developers are eligible for payment by Google.
The plaintiffs originally filed the case against Google in 2020 in California alleging that the company gained a monopoly in the Android app distribution space “through a series of anticompetitive contracts, strategic abuses of its dominance in other Android software applications, deficits in consumer knowledge and information, and the cultivation and exploitation of device users’ fear of malware.” The case document also harped upon the fact that Google had a default 30% Play Store tax for developers on the sale of apps or in-app purchases.
To handle the criticism on the 30% Play Store tax, in 2021, Google slashed its cut to 15% on the first $1 million earned by a developer each year. Later, it reduced Play Store fees to 15% for subscription-based apps and as low as 10% for media apps in select categories like e-books or music distribution. According to an estimate by damages expert, Dr. Michael Williams, this fee reduction could save developers more than $109 million in service fees until 2025.
The Mountain View-based company said that apart from the $90 million payment fund, it is revising its Developer Distribution Agreement document to make it clear that developers can contact users through out-of-app means like promotional emails — similar to a change Apple made last year — if they have obtained that information in the app. The firm said it’ll introduce a new section in the Play Store named “Indie Apps Corner” to highlight apps made by small startups and independent developers, too. What’s more, the firm will publish annual Google Play transparency reports with details like app removals and account terminations.
Currently, Google and Apple force developers to use their own payment systems for in-app purchases on apps distributed through their own app stores. However, that might change due to many lawsuits and legislation against these companies in different geographies. Last year, Google agreed to let developers in South Korea use third-party payment options — after the country passed a new law over digital payment systems while reducing its service fees by 4%.
Over the last few months, Google has made different agreements with Spotify and Match Group over using alternative payment systems for their apps. When announcing a deal with the former, the search giant said that “we will be exploring user choice billing in other select countries.”


Apple hit with another European class action over throttled iPhones

A third class action lawsuit has been filed in Europe against Apple seeking compensation — for what Italy’s Altroconsumo consumer protection agency dubs “planned obsolescence” of a number of iPhone 6 models.
The action relates to performance throttling Apple applied several years ago to affected iPhones when the health of the device’s battery had deteriorated — doing so without clearly informing users. It later apologized.


The class action suit in Italy is seeking €60 million in compensation — based on at least €60 in average compensation per iPhone owner. Affected devices named in the suit are the iPhone 6, 6s, 6 Plus and 6s Plus, per a press release put out by the umbrella consumer organization Euroconsumers, which counts Altroconsumo as a member.
The suit is the third to be filed in the region over the issue — following suits filed in Belgium and Spain last month.
A fourth — in Portugal — is slated to be filed shortly.
The tech giant settled similar charges in the U.S. last year — where it was accused of intentionally slowing down the performance of older iPhones to encourage customers to buy newer models or fresh batteries — shelling out $500 million, or around $25 per phone, to settle that case (while denying any wrongdoing).
“When consumers buy Apple iPhones, they expect sustainable quality products. Unfortunately, that is not what happened with the iPhone 6 series. Not only were consumers defrauded, and did they have to face frustration and financial harm, from an environmental point of view it is also utterly irresponsible,” said Els Bruggeman, Euroconsumers’ head of policy and enforcement, in a statement.
“This new lawsuit is the latest front in our fight against planned obsolescence in Europe. Our ask is simple: American consumers received compensation, European consumers want to be treated with the same fairness and respect.”
Euroconsumers has produced a video (embedded below) to drum up wider support for the class actions in which it satirizes Apple’s “genius” in coming up with clever ways to accelerate its products’ end of life…

Apple has been contacted for comment on the European class actions.
Almost a year ago the company was fined €25 million by France’s competition watchdog over an iOS update that capped performance of aging devices. It was also made to display a statement regarding the action on its website for a month.


Charge, please: Apple will pay $113M to settle 34-state ‘batterygate’ lawsuit

Apple has agreed to pay $113 million to 34 states and the District of Columbia to settle allegations that it broke consumer protection laws when it systematically downplayed widespread iPhone battery problems in 2016. This is in addition to the half billion the company already paid to consumers over the issue earlier this year and numerous other fines around the world.
The issue, as we’ve reported over the years, was that a new version of iOS was causing older (but not that old) iPhones to shut down unexpectedly, and that an update “fixing” this issue surreptitiously throttled the performance of those devices.
Conspiracy-minded people, who we now know are quite numerous, suspected this was a deliberate degradation of performance in order to spur the purchase of a new phone. This was not the case, but Arizona Attorney General Mark Brnovich, who led the multistate investigation, showed that Apple was quite aware of the scale of the issue and the shortcomings of its solution.

Brnovich and his fellow AGs alleged that Apple violated various consumer protection laws, such as Arizona’s Consumer Fraud Act, by “misrepresenting and concealing information” regarding the iPhone battery problems and the irreversible negative consequences of the update it issued to fix them.


Apple agreed to a $113 million settlement that admits no wrongdoing, to be split among the states however they choose. This is not a fine, like the €25 million one from French authorities; if Apple had been liable for statutory penalties those might have reached much, much higher than the amount agreed to today. Arizona’s CFA provides for up to $10,000 per willful violation, and even a fraction of that would have added up very quickly given the number of people affected.
In addition to the cash settlement, Apple must “provide truthful information to consumers about iPhone battery health, performance and power management” in various ways. The company already made changes to this effect years ago, but in settlements like this such requirements are included so they can’t just turn around and do it again, though some companies, like Facebook, do it anyway.


Apple’s IDFA gets targeted in strategic EU privacy complaints

A unique device identifier that Apple assigns to each iPhone for third parties to track users for ad targeting — aka the IDFA (Identifier for Advertisers) — is itself now the target of two new complaints filed by European privacy campaign not-for-profit, noyb.
The complaints, lodged with German and Spanish data protection authorities, contend that Apple’s setting of the IDFA breaches regional privacy laws on digital tracking because iOS users are not asked for their consent for the initial storage of the identifier.
Noyb is also objecting to others’ being able to access the IDFA without prior consent — with one of its complainants writing that they were never asked for consent for third-party access yet found several apps had shared their IDFA with Facebook (per their off-Facebook activity page).

We’ve reached out to the data protection agencies in question for comment. Update: Spain’s AEPD confirmed it has received noyb’s complaint and said it will investigate — making no further comment at this stage.
While Apple isn’t the typical target for digital privacy campaigners, given it makes most of its money selling hardware and software instead of profiling users for ad targeting, as adtech giants like Facebook and Google do, its marketing rhetoric around taking special care over user privacy can look awkward when set against the existence of an Identifier for Advertisers baked into its hardware.
In the European Union there’s a specific legal dimension to this awkwardness — as existing laws require explicit consent from users to (non-essential) tracking. Noyb’s complaints cite Article 5(3) of the EU’s ePrivacy Directive, which mandates that users must be asked for consent to the storage of ad-tracking technologies such as cookies. (And noyb argues the IDFA is just like a tracking cookie but for iPhones.)
Europe’s top court further strengthened the requirement last year when it made it clear that consent for non-essential tracking must be obtained prior to storing or accessing the trackers. The CJEU also ruled that such consent cannot be implied or assumed — such as by the use of pre-checked “consent” boxes.


In a press release about the complaints, noyb’s Stefano Rossetti, a privacy lawyer, writes: “EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws.”
Apple has long controlled how third parties serving apps on its iOS platform can use the IDFA, wielding the stick of ejection from its App Store to drive their compliance with its rules.
Recently, though, it has gone further — telling advertisers this summer they will soon have to offer users an opt-out from ad tracking in a move billed as increasing privacy controls for iOS users — although Apple delayed implementation of the policy until early next year after facing anger from advertisers over the plan. But the idea is there will be a toggle in iOS 14 that users need to flip on before a third-party app gets to access the IDFA to track iPhone users’ in-app activity for ad targeting.
However, noyb’s complaint focuses on Apple’s setting of the IDFA in the first place — arguing that since the pseudonymised identifier constitutes private (personal) data under EU law, Apple needs to get permission before creating and storing it on a user’s device.
“The IDFA is like a ‘digital license plate’. Every action of the user can be linked to the ‘license plate’ and used to build a rich profile about the user. Such profile can later be used to target personalised advertisements, in-app purchases, promotions etc. When compared to traditional internet tracking IDs, the IDFA is simply a ‘tracking ID in a mobile phone’ instead of a tracking ID in a browser cookie,” noyb writes in one complaint, noting that Apple’s privacy policy does not specify the legal basis it uses to “place and process” the IDFA.
Noyb also argues that Apple’s planned changes to how the IDFA gets accessed — trailed as incoming in early 2021 — don’t go far enough.
“These changes seem to restrict the use of the IDFA for third parties (but not for Apple itself),” it writes. “Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company.”
We reached out to Apple for comment on noyb’s complaints but at the time of writing an Apple spokesman said it did not have an on-the-record statement. The spokesman did tell us that Apple itself does not use unique customer identifiers for advertising. Update: The company has now sent us this statement:
The claims made against Apple in this complaint are factually inaccurate and we look forward to making that clear to privacy regulators should they examine the complaint. Apple does not access or use the IDFA on a user’s device for any purpose. Our aim is always to protect the privacy of our users and our latest software release, iOS 14, is giving users even greater control over whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers. Our practices comply with European law and support and advance the aims of the GDPR and the ePrivacy Directive, which is to give people full control over their data.
In a separate but related recent development, last month publishers and advertisers in France filed an antitrust complaint against the iPhone maker over its plan to require opt-in consent for accessing the IDFA — with the coalition contending the move amounts to an abuse of market power.
Apple responded to the antitrust complaint in a statement that said: “With iOS 14, we’re giving users the choice whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers.”
“We believe privacy is a fundamental human right and support the European Union’s leadership in protecting privacy with strong laws such as the GDPR (General Data Protection Regulation),” Apple added then.
That antitrust complaint may explain why noyb has decided to file its own strategic complaints against Apple’s IDFA. Simply put, if no tracker ID can be created — because an iOS user refuses to give consent — there’s less surface area for advertisers to try to litigate against privacy by claiming tracking is a competitive right.
“We believe that Apple violated the law before, now and after these changes,” said Rossetti in another statement. “With our complaints we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people and they must be tracker-free by default.”
Another interesting component of the noyb complaints is they’re being filed under the ePrivacy Directive, rather than under Europe’s (newer) General Data Protection Regulation. This means noyb is able to target them to specific EU data protection agencies, rather than having complaints funnelled back to Ireland’s DPC — under the GDPR’s one-stop-shop mechanism for handling cross-border cases.
Its hope is this route will result in swifter regulatory action. “These cases are based on the ‘old’ cookie law and do not trigger the cooperation mechanism of the GDPR. In other words, we are trying to avoid endless procedures like the ones we are facing in Ireland,” added Rossetti.
