Scott & Scott | Software Compliance Counsel


Taking a Bite of the Poisonous Apple iPhone

Potential security problems with the iPhone offer yet another example of the potential legal issues that can arise for businesses when new technology hits the streets. Neither marketing hype nor exciting innovations will protect a company that has not also devoted resources to considering the legal implications of a new product.

Apple sold over 700,000 iPhones in the first 3 days of release, for as much as $600 each. It is one of the priciest and most anticipated high-tech phones ever to hit the market. Unfortunately, it appears Apple spent more time on its trademark advertising campaigns and media hype than on investigating the loopholes in the phone’s security system. A Baltimore expert security team just unveiled the iPhone’s hacking sweet-spot.

According to Independent Security Evaluators, an attacker can gain access to the iPhone through a website the attacker controls, or through a wireless access point. The 7-person part-time team of investigators managed to hack the phone in just 2 weeks. They discovered that attackers can create a network with the same name and encryption method as one the phone already uses. The attacker can then substitute a webpage containing exploit code to gain access to the phone. Another means of breaching the phone’s security system is a link planted on an unedited or unmoderated online forum, or a link sent by SMS or e-mail. When the iPhone user opens a “malicious” webpage, the attacker’s code can run on the phone and allow the attacker to read the iPhone’s SMS address book, SMS log, call history, and voice-mail information. This information is then also sent to the attacker. Once the phone is hacked, the attacker can also manipulate it to send the attacker the phone’s passwords, send text messages to sign up for additional services, and record audio to relay to the attacker. Independent Security Evaluators provided Apple with a patch for the susceptible spot, and will reveal further information about the exploit at a conference in Las Vegas on August 2, 2007. This patch is not yet available to consumers.

It is unknown whether any lawsuits concerning the breach have been filed to date; however, the causes of action will be broad and, no doubt, creative. Causes of action could range from vanilla actions like fraudulent inducement, negligence, breach of warranty for services, Texas Wiretap Act, or product defect to more creative causes of action such as contributory invasion of privacy or public disclosure of private facts. Unlike the data breach incidents involving TJMaxx, DSW, Disney, or Check N’ Go, most of the personal data in the iPhone (such as address books and SMS messages) is not uploaded and stored by Apple. Instead, the data is uploaded voluntarily by the consumer, just as it would be on a personal home computer. Apple’s potential liability for other data breaches, such as the attacker accessing and manipulating the consumer’s billing, is more questionable. Because so little information is known about the security breach, and each state’s Privacy and Security Laws differ, it is unknown whether this breach would violate any state’s Data Security Act. Without federal mandates on security breach and notification, the state courts are left to their own interpretation of the state’s laws in light of the issues presented.

Fretful potential plaintiffs will probably look to AT&T, the exclusive service provider for the iPhone, for liability as well. As mentioned in a July 24, 2007 blog entry entitled Arbitration Clause Barring Class Actions is Unconscionable and Unenforceable, AT&T is currently caught in the middle of disputes arising from its arbitration clause forbidding class actions. Washington’s Supreme Court recently threw out the arbitration clause in its entirety; however, states nationwide are struggling with class action waiver language in arbitration clauses. Long story short, this will be an interesting and potentially messy case to track.

This page contains a single entry from the blog posted on July 30, 2007 12:17 PM.
