
Lawsuit accuses Apple of selling iTunes data - walterbell
https://9to5mac.com/2019/05/25/apple-itunes-lawsuit/
======
threeseed
Claim: [https://www.scribd.com/document/411427794/Apple-Versus-
Wheat...](https://www.scribd.com/document/411427794/Apple-Versus-Wheaton-Paul-
Et-Al)

API:
[https://developer.apple.com/documentation/applemusicapi](https://developer.apple.com/documentation/applemusicapi)

And it's not that Apple is selling the data. It's that Apple is allowing the
data to be made available to developers who are then selling the data.

~~~
x0x0
The specific claim, page 3 of the pdf

> _Apple sells, rents, transmits, and /or otherwise discloses, to various
> third parties, information reflecting the music that its customers purchase
> from the iTunes Store application that comes pre-installed on their iPhones.
> The data Apple discloses includes the full names and home addresses of its
> customers, together with the genres and, in some cases, the specific titles
> of the digitally-recorded music that its customers have purchased via the
> iTunes Store and then stored in their devices' Apple Music libraries
> (collectively "Personal Listening Information")._

It goes on to say that after Apple discloses, 3rd parties append personal info
-- gender, age, HHI, etc -- and resell.

Later, they basically show the dataset available for $80/M, or $1.5m/full.

As for the api, it seems to want a requestUserToken
[https://developer.apple.com/documentation/storekit/skcloudse...](https://developer.apple.com/documentation/storekit/skcloudservicecontroller/2909079-requestusertoken)
which seems to be only available to code running on iOS or tvOS.

Unless I'm being dumb, my guess is some advertising middlewares started
grabbing these user tokens, scraping data, and reselling. It doesn't seem
obvious how you would get a token to get a specific user's data without
running on that user's ios or tvos device.

Also, one of the vendors, CDW, says their population is 18,188,721 (presumably
unique users?). There _has_ to be way more ios users who've purchased songs
than 18m.

~~~
scarface74
I don’t get it either. If that’s the API in question, the user has to give the
iOS app permission to access the user’s playlist and it still doesn’t give
demographic data.

Also, the story is devoid of any technical information about like most NYT’s
articles discussing an Apple controversy.

------
saagarjha
> For example, any person or entity could rent a list with the names and
> addresses of all unmarried, college-educated women over the age of 70 with a
> household income of over $80,000 who purchased country music from Apple via
> its iTunes Store mobile application,” the customers said. “Such a list is
> available for sale for approximately $136 per thousand customers listed.

Where do you purchase this list from?

~~~
tacosx
It's an open secret that many of the "anonymized" datasets that the large tech
giants pass around are very easy to de-anonymize. I don't know much about how
Apple works, but people who work with Google Ad products and analytics
regularly violate the anonymity agreement because it's so financially
lucrative to do so and just never tell anyone.

We need to stop mining people for profit while putting minimal or zero privacy
protections in place.

~~~
pfranz
If that was the case I imagine you could ding Apple on false claims. They
pretty prominently claim "Differential Privacy" both in their keynotes and on
their website. Their claims are also that data is anonymized before they
process it. Other companies have been a lot more vague and hand-wavy about
"anonymized" in my experience and you're absolutely right that a lot of
anonymized datasets can be de-anonymized by correlation.

[https://www.apple.com/privacy/approach-to-
privacy/](https://www.apple.com/privacy/approach-to-privacy/)

