Lawyer Sues Apple Over FaceTime Eavesdrop Bug, Says It Let Someone Record a Sworn Testimony (cnbc.com)
A lawyer in Houston has filed a lawsuit against Apple over a security vulnerability that let people eavesdrop on iPhones using FaceTime. "His lawsuit, filed Monday in Harris County, Texas, alleges that Apple 'failed to exercise reasonable care' and that Apple 'knew, or should have known, that its Product would cause unsolicited privacy breaches and eavesdropping,'" reports CNBC. "It alleged Apple did not adequately test its software and that Apple was 'aware there was a high probability at least some consumers would suffer harm.'" From the report: The suit says that Williams was "undergoing a private deposition with a client when this defective product breached allowed for the recording" of the conversation. Williams claimed this caused "sustained permanent and continuous injuries, pain and suffering and emotional trauma that will continue into the future" and that Williams "lost ability to earn a living and will continued to be so in the future." The lawsuit also says that iOS 12.1, the latest major release of the iPhone operating system, was defective and "unreasonable dangerous" and that Apple "failed to provide adequate warnings to avoid the substantial danger" posed by the security flaw. Williams is seeking compensatory and punitive damages as a result of the exploit.
People like him (acting like dicks) are one of the reasons lots of people can't have nice things (like dinner, for example)
C*ntish suing like where it is extremely probable someone is purely out for the money should have criminal penalties
Why do people love lawsuits in the US? Can software ever be foolproof?? Can there ever be bugproof and security proof software? Only idiots think so apparently ...
Lawyers are the scum of the earth. Another episode that confirms this truism.
Scanning the lawsuit as filed it doesn't actually seem to provide any evidence that his call was illegally recorded. He doesn't seem to have any reason to think that it might have been.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
"Allowed for the recording" could just mean that the possibility was there, or it could mean that an actual recording took place. No way to tell unless Williams has evidence of the recording, which is possible if you assume that was the reason for the harm and loss of living alleged in Clause 30, which seems rather hyperbolic to say the least; this somehow resulted in "physical pain" and "diminished quality of life"? Unless his client got physical upon finding out or something, I'm not sure how that's supposed to work, and if anything makes this sound much more like an attempt at a cash grab, quite possibly with aspirations for class status.
UNIX? They're not even circumcised! Savages!
Is anathema to consumer protection laws. Regardless of whether his case has merits, people here should meditate on the fact the culture of much of our sector of the economy is one giant middle finger to the laws the rest of the economy operates under. At some point, software should be liable. For example, I have no sympathy for medical device companies that play the dilettante on infosec, particularly in devices inside the human body. If they are going to make it remotely connectable then it needs rock solid, NSA-approved infosec measures.
The fact that we have a wide gradient of people involved is not an excuse to not acknowledge that certain categories of software should have to be "fit for purpose" under the law. Something like FaceTime--which is enabled by default--should be that way given Apple's pockets.
Just that the bug "allowed for" recording. Gotta watch those lawyers.
The full complaint is here and makes for some entertaining reading. This 30-page gem was filed by a local personal injury attorney 4 years out of law school the next day after the plaintiff supposedly found out about the bug. 'Nuff said.
> Williams claimed this caused "sustained permanent and continuous injuries, pain and suffering and emotional trauma that will continue into the future" and that Williams "lost ability to earn a living and will continued to be so in the future."
Yeah, the fuck it did.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
Unless the alleged recording lost him a leg or some other maiming, not sure how "permanent injury" can be remotely close to true. Hurt feelings don't count.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
So fucking funny. Saying Apple should have known people would hack the devices. Why should Apple have expected people to hack Apple devices any more than other devices, especially other secure devices. BlackBerry was supposed to be the standard for security. Even Obama was forced to use a specific BlackBerry. Apple makes devices in China for crying out loud. Do they sell cases? No. They expect the user to take reasonable care and not leave the device vulnerable to being dropped or listened in on. I love my iPhone although most people just treat it like a device. If someone steals your iPhone and you decide against trying to get it back, how is that Apple's fault?
If such a recording happened, and it was done by someone involved in the case, it could cause permanent injury in terms of people having information in the case they should not have, which is a horse that is very difficult to put back in the barn.
Unless his client got physical upon finding out or something, I'm not sure how that's supposed to work
It sounds like the loss claimed will be fanciful and theoretical, not actual and certain.
At most he loses Facetime as a tool for recording these types of depositions in the future, but Apple never marketed Facetime as software secure for sensitive business use, and besides which, there are numerous warranty disclaimers you agree to in the Apple click-through EULA you agree to before using the software, so if you find the software doesn't do what you need, you are not so much as entitled to a refund: Which an attorney using the software for professional purposes has a higher burden than the general public to read and understand --- That is, someone who is an Attorney or legal firm cannot get out of a contract or EULA by claiming the contract was confusing, or they were ignorant, etc.
Why did he think bringing a powered on recording device to private meeting where no recording should take place was good opsec?
Smart phones have no place in a secure facility.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
From a previous Slashdot article. Apple knew about it for about a week before they closed down the service. A week seems like a long time, for us who work in small development shops, but for a company the size of Apple, a week to decide to turn off the feature is indeed a rapid response to a problem. Being that they have millions of users, doing things willy-nilly just isn't good policy.
Lawyers, like Medical Doctors, Engineers and Computer Programmers, seem to think because they are an expert in their field, they are an expert in all things, which is false, but then they start doing stupid things and not listening to the experts in such fields.
Who in their right mind would use any internet service especially any one that isn't peer to peer for dealing with critical and sensitive. Apple is in the Business to Consumer market, and Facetime group chats are Consumer to Consumer communicated with each other. If you are in Legal, Healthcare, Defense, or any other sector that requires high levels of security, you better be sure you are working with a vendor who will set up your own contract and personally deal with your security concerns, and not just the basic EULA that you hit OK because you want your multi-hundred dollar product to work out of the box.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
*nod* which is how permanent injury is supposed to work. The other party can not undo the damage, but can potentially face their own repercussions if they are found at fault for the horse getting away.
1. If it's connected, assume you're not protected.
2. If the glove doesn't fit, you must acquit.
3. Avoid any large, angry, crazy man arguing with a vendor over the price of a $6 hot dog.
4. Dumb lawyers who file frivolous lawsuits against multi-billion dollar companies get countersued into bankruptcy.
Yes, it's the reason people can't have leaky Apple widgets.
And other, ummm... nice things.
He's not only claiming "permanent injury" - which can absolutely include things like an inability to use a preferred tool in legal terms where it's synonymous with "harm" and can include things like loss of reputation and finances (both of which are mentioned) - but also "physical pain", which seems a lot more specific. Unless that somehow includes impossible to prove things like mental anguish, stress induced migraines and the like, that does seem to imply an actual injury of some kind, which is clearly not something that software alone can do, no matter how buggy; at the very least it requires some hardware as well. Assuming he is indeed claiming a physical injury of some kind, then realistically that leaves some form of client retribution, self-inflicted (maybe he facepalmed a bit too hard?), or it's a crock to inflate the potential damages.
UNIX? They're not even circumcised! Savages!
If you want a private conversation you should know better than to allow anyone in the room to have an electronic device on them.
If so, good luck as SCOTUS has refused to override them.
Or are you just a pure Apple Hater?
Americans no matter their political leaning, really don't like the idea of legal suits over small and silly things, where the lawyer then exaggerates the amount of suffering caused. Often shown on TV with the "victim" in a neck brace trope.
Accidents occur and people get hurt. But the line between frivolous vs necessary legal action is needed. You go to a restaurant, and you get ill the next day, and sue the restaurant, that is frivolous, if you go to the restaurant and dozens of folks get ill the next day, then there is a problem.
Suing for the quick money grab, will often hinder a business's ability to do good things, because they have to walk on eggshells and be sure not to break the rules. You may notice this effect if you are at a hospital, and the x-ray tech will not comment if your arm is broken or not, but you wait a half an hour and the doctor walks in glances at the X-Ray and says yep it's broken. The reason for this, isn't because the doctor will get paid more for doing this, but because if the tech explains this to a patient, then they are doing a diagnosis that they are not qualified to do. And if the patient does something stupid from that initial diagnosis from the unqualified individual, then the hospital is legally responsible for this.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Yes, I can easily write software which is guaranteed to be perfect.
It prints "hello world!" and isn't written in PHP 4. :)
You actually can prove programs to be correct. It costs twenty times as much to develop provably correct software than normal software. That's actually reasonable for a lot of software that we think of as "firmware", or in fact we may think of it as hardware, but in fact there is software inside, dozens to hundreds of lines of code.
* In old PHP, "Hello world" had a security problem. It's been fixed.
This is the kind of bug Apple should have caught circa ALPHA. They should not have let bullshit code like that make it to beta, let alone releasing it as if it were ready for that. I have been saying for a while that Apple has been using its poor customers as guinea pigs for a while, rather than spending the money on proper code analysis and auditing. This is like when they put out a version of macOS where you could trivially obtain root privileges by logging in as root with no password, is not merely a capital F Fuckup, but a capital FUCK FUCKUP and here is another instance of the same asshattery at Apple. Someone should have gone through the code and made sure that at no point does it allow connection without affirmative user action to accept the call. This is beyond intolerable, this should be regarded as criminal negligence on the part of the corporation and all responsible officers, up to and including Cook.
Shit like this is why I swore off Apple shit products a while ago. I was never personally a fan of Steve Jobs personally or professionally, but at least under him, Apple did not generally fuck up like this, and I think it is well past high time to do something about it. In my case, I am boycotting Apple over their general decline into shittiness until such time as all of those fuckers in senior management (Cook et al) are gone, and Apple gets some real leadership again.
Our reign has gone on long enough. Indeed. Summon the meteors.
IANAL, but unless there was an actual recording, he's going to have problems showing the damages he claims.
Moreover, in any legal proceeding any recording would not be allowed into evidence in anything without at least one-party consent, which clearly doesn't exist in an eavesdropping scenario where there is an expectation of privacy (such as anywhere you would be deposing a witness). In addition, the rules of client / attorney privilege would prevent any such eavesdropping recording from being heard to begin with, just the same as if the police left their recording equipment rolling in an interview room while a lawyer met with their client - no judge in the country would allow it to be heard by a jury, much less entered into evidence in a trial of any kind.
This is a scumbag lawyer who read a story, and is fishing for a payday from an uber-wealthy corporation. I hope Apple doesn't just get the suit dismissed outright, but squashes this asshat like the fucking worm he is. He is actually doing damage to the legal system with this bullshit and ruining it for legit cases where there is real injustice that needs remediation.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
Except for the fact that a judge would toss any zero-party consent recording that didn't also have a court order for electronic surveillance applied to it, previous to the recording being made as an illegal search.
This is no different than what would happen with the recording from an illegal wiretap, or illegal audio bug planted in the room. It would get tossed during evidence discovery, long before any jury would be able to see / hear the recording. And then there would be sanctions for any prosecutor trying to use such evidence.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
More than that, why did he have any phones at all in the room while taking a secret deposition?
Not like it's news that phones can record audio and transmit it to other people - that's kind of the fucking point.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
More than that, if Apple just turned it off we'd be seeing nothing but articles about their ineptitude because they can't keep their group video chat thing running.
It's not like Apple is going to volunteer that they turned it off due to a potential privacy breach. That would earn them both the ineptitude screaming as well as the current bitch-fest they're getting.
They went with "work a solution, but let's keep the service running until the issue is publicly disclosed. And let's pray that we get the solution done and deployed before it becomes publicly disclosed" - it may not be the best way (it's very likely not to be), but it's the way they went.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
Is there a counter lawsuit that he knew or should have known that there was a possibility of his phone being hacked and the microphone turned on without his knowledge, and that he failed to take reasonable precautions by not having the phone in the room with him?
I mean, it is not like there has not been a plethora of reports and sci-fi films of this actually happening. There are actually apps out there for turning off microphones and video cameras. I know people that have tape over their cameras, and cameras are sold with a sliding door to cover them.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
That's kind of obvious the guy is only interested in (trying to) make a (huge) profit from the lawsuit while he probably didn't "suffer" much from the bug.
Slashdot, fix the reply notifications... You won't get away with it...
Scanning the lawsuit as filed it doesn't actually seem to provide any evidence that his call was illegally recorded. He doesn't seem to have any reason to think that it might have been.
Not to mention that, when you see the steps required to trigger the bug, it pretty much has to be done by the caller, intentionally, which shifts the whole "causation" away from Apple, even with it being their bug.
Theoretically, yes ... practically, nope. You're making a couple of assumptions, regarding civil v criminal, and prosecution v defense. Any competent lawyer can, even if the recording is inadmissible, ask questions which will elicit the same information. Objecting to a question would also bring the subject of the recording to the record. Explicitly lying - when evidence exists to the contrary, even when that evidence is not allowed - opens up a number of legal doors: contempt, hostile witness status, and, of course, the chance to introduce the recording as proof the witness is lying under oath. And, in a large number of cases, the judge has listened to a recording before deciding on its admissibility, so lying on the stand could get you the contempt conviction on the spot.
My guess is he is hoping Apple will just send him a bit of money to go away so they don't have to deal with the news of this. I expect Apple won't do that, but I bet that is what he is hoping.
More than that, why did he have any phones at all in the room while taking a secret deposition?
Why did he have a computer capable of recording audio during a deposition? Well, if you think real hard you could probably figure that out.
Whether it was smart to use an audio-recording device which is also obviously known for transmitting audio and video is another question. Maybe he felt that he had a reasonable expectation that the device would not transmit the audio and video without his knowledge.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Oh, I'm sorry snowflake. For future reference: When using a communication device, period, your conversation may be recorded. This includes using your voice when talking in person to someone.
I refuse to sign
If such a recording happened, and it was done by someone involved in the case, it could cause permanent injury in terms of people having information in the case they should not have, which is a horse that is very difficult to put back in the barn.
My legal experience is somewhat limited, but I don't think that's a possible scenario. If it was really a deposition, which is done with the intention of putting sworn testimony on record, there would be a court reporter and/or videographer present (as a neutral party to record what is said), as well as an attorney from the opposing party (who is allowed to cross-examine the witness being deposed).
More than that, why did he have any phones at all in the room while taking a secret deposition?
My understanding of the bug is that it affects group conferencing, so I assume they were using FaceTime to conduct the deposition. They could set up a FaceTime group with the witness, attorneys from both sides, and probably a court reporter, instead of paying to get everyone together in the same room somewhere.
Correct. If the prosecution got their hands on such a recording, they'd have to somehow get it admitted into evidence to do anything with it in court.
If the recording then led them to other evidence, such as evidence the defense was withholding, then too fucking bad.
If they are lawyers that are in the business of recording depositions, and they're doing it using video conferencing, I would hope they are using a solution that has been around for longer than 3 months.
Like any of the video conferencing solutions that have existed for years longer than that, and get used by business people every day. Some of which are even free-as-in-beer.
This is a fishing expedition by this lawyer, looking to score a settlement to enrich himself.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
You should take a look at the types of misconduct that lawyers get fined for by their bar associations.
Unless it becomes a political football, "failing to take reasonable precautions" to prevent previously unknown technology bugs is not going to even get a warning, much less a fine, much less a license suspension. That is just crazy talk.
I don't disagree with any of that, I was just pointing out that, from what I could tell, it wasn't about just having a phone in the room, but that there was a perfectly logical explanation of how a third party could have exploited the bug to record the deposition. Someone else posted below that the complaint is just about having a phone in the room, though. If that's correct, then yeah, I got nothing.
All humans are ignorant. He admits to more ignorance than other commentators simply because he's less full of shit.
that does seem to imply an actual injury of some kind, which is clearly not something that software alone can do, no matter how buggy
What if financial harm caused somebody to be unable to treat a physical ailment, leaving them in pain?
That wasn't even hard. I could come up with lots more plausible scenarios.
but unless there was an actual recording
Currently, this is a known unknown. We know it matters, and we know we don't know the answer.
So any hand-waving at all is speculative. You take it a step further and jump right to pejorative attacks; is that because your English comprehension is too poor for you to understand which facts have been disclosed, and which haven't been? Or is that just a personality feature?
Apple was informed at least a week before by the teen who discovered the bug, complete with a video of the exploit in action. They took no action until after the bug and trivial exploit went viral.
I seriously doubt this had anything to do with a law enforcement back door.
That part really is questionable. I don't doubt there was damage, but it wasn't likely that much damage.
You seem a bit confused.
Those things have to be proved, yes, but remember, in a civil case the other side has to share their information about it. After you file the suit, then the other side has to tell you if it is true or not, and give you access to whatever evidence there is.
The order is:
1) make accusation
2) receive evidence
3) prove accusation, or fail to
Yes, a judge would likely toss that information, but might not recognize "parallel construction". Further, depending on the nature of the statement, there could be non-court related damage from the information getting out.
Or, hearing that recording and knowing it will be inadmissible, they pretend to just stumble over the same information in some other manner and claim they were acting on a hunch or just covering all the bases.
> And golly, if firmware had dozens or hundreds of lines of code, all firmware would run on 8 bit micros, and embedding programming wouldn't even involve considerations about code size.
In fact millions of 8-bit micros ARE sold every year. Each sold to the consumer with dozens to hundreds of lines of code in it. Another 10 million larger micros contain code that would fit on an 8-bit, but the designer wants to make use of an included hardware peripheral, such as an additional UART, etc.
You can say "oh golly gee, if that were true we'd have a bunch of 8-bit micros", but the fact is we have millions of new ones shipped every year, in addition to the hundred million or so already in operation.
A number of those are doing something that a 555 timer or similar could do, but the mcu is actually cheaper, especially since it doesn't need the external RC network that the 555 needs.
A significant number of the small micros, perhaps even a majority, are running code that can be automatically converted to a lookup table, or a simple state machine. Proving the correctness of a lookup table is trivial*.
You might find it interesting to Google "automated theorem prover" and maybe even download ACL2.
* Incidentally, if you have a function that has a small number of possible inputs and outputs, actually coding it as a look up table can be both fast and reliable.
In case it's useful, here's basically the code my friend is proving today:
BeGreen:
    output GREEN
    wait
    BeYellow
END
BeYellow:
    output YELLOW
    wait
    BeRed
END
BeRed:
    output RED
    wait
    BeGreen
END
You can of course see by inspection that it can never turn from green to red. Nor can it turn yellow if it's currently green. The only things that can happen when it's green are:
It's waiting, remaining green
It turns yellow.
You can also probably imagine how a compiler-like thing could convert that from code to a table, a data structure:
Transitions { // Current state: new states [, new state]
    Green: Yellow,
    Yellow: Red,
    Red: Green
}
Based on that data, which *is* the program, you can imagine how a tool could then mathematically show that you can only get from green to red by going through yellow.
Having proved the code that operates a traffic light, it's then another round of the same thing to prove the code which operates an intersection.
Another round of similar steps proves the operation of coordinated lights on a road - with a simple state table you can prove that light A at intersection X is never red while light B at intersection Z is yellow.
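The table-driven check described in the comment above, as an added example that is not part of the original post or the code being proved there: an exhaustive state-space search over the Green/Yellow/Red table, then over the product of two lights at one intersection. The function names and the interlock rule (a light may leave Red only while the other light is Red) are assumptions made for illustration.

```python
from collections import deque

# Transition table from the comment: current state -> allowed next states.
# "wait" (staying in the current state) adds no new states, so it is omitted.
TRANSITIONS = {"Green": {"Yellow"}, "Yellow": {"Red"}, "Red": {"Green"}}


def reachable(table, start, blocked=frozenset()):
    """Return every state reachable from start without entering a blocked state."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in table.get(queue.popleft(), ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def must_pass_through(table, src, dst, via):
    """True if dst is reachable from src, but not once 'via' is removed."""
    return dst in reachable(table, src) and dst not in reachable(table, src, {via})


def intersection_table(interlock=True):
    """Product machine for two lights (north-south, east-west), one moving per step.

    Assumed controller rule, not from the comment: with interlock=True a light
    may leave Red only while the other light is Red.
    """
    table = {}
    for ns in TRANSITIONS:
        for ew in TRANSITIONS:
            moves = set()
            if not (interlock and ns == "Red" and ew != "Red"):
                moves |= {(nxt, ew) for nxt in TRANSITIONS[ns]}
            if not (interlock and ew == "Red" and ns != "Red"):
                moves |= {(ns, nxt) for nxt in TRANSITIONS[ew]}
            table[(ns, ew)] = moves
    return table


def one_side_red(state):
    """Safety invariant: at least one direction is showing Red."""
    return "Red" in state


def violations(table, start, invariant):
    """Reachable states that break the invariant; an empty list is the proof."""
    return sorted(s for s in reachable(table, start) if not invariant(s))


if __name__ == "__main__":
    start = ("Green", "Red")
    print("Green->Red only via Yellow:",
          must_pass_through(TRANSITIONS, "Green", "Red", "Yellow"))
    print("with interlock:", violations(intersection_table(True), start, one_side_red))
    print("without interlock:", violations(intersection_table(False), start, one_side_red))
```

Because the state space is finite and fully enumerated, an empty violation list covers every possible execution, and a non-empty one names the exact unsafe states.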
What if financial harm caused somebody to be unable to treat a physical ailment, leaving them in pain?
That would be an example of consequential damages or special damages.
In most civil cases, such as this one, those are not proximately caused by Apple's wrongful behavior, and the plaintiff would be entitled only to the direct damages and nothing beyond those reasonably foreseeable by Apple.
In any event, the Software License required to use Facetime includes a specific dollar limit on Apple's liability to $50.
Not all attorneys are familiar with patent, IP, or EULA laws, but all of them do know that a lot of EULA language can be found unenforceable
That is not true; however -- in the US EULAs have been held up just fine, when the user was required to click accept before using the software.
The facts may favor Apple even more strongly here, since the FaceTime software itself distributed For Free
Modifying purchase of software into a licensing the use and voiding the implied warranties over software such as merchantability in the software EULA/license is specifically sanctioned by the UCC 2-316.
You're just waving your hands when you say it isn't direct damages.
If the person isn't suing for contract violations, that doesn't even matter.
https://en.wikipedia.org/wiki/...
No sense waving your hand at a $50 damage limit, that has as much weight as if it wasn't even written down. And irrelevant, since it isn't a contract dispute.
We don't know the details, and you can't rule out that the harm happened but for a wrongful recording.
https://www.law.cornell.edu/we...
See also:
https://www.law.cornell.edu/we...
And:
https://www.law.cornell.edu/we...
It seems hard to argue that it wasn't a proximate cause without knowing the (as yet unknown) facts of the case. We don't even know what facts are in dispute.
If the person isn't suing for contract violations, that doesn't even matter.
Bzzt. Wrong. The only possible claim they could make without the EULA would be product warranty.
Regardless of the theory of liability, whether in Contract, Tort, or otherwise,
the EULA governs all aspects of the relationship between the parties, and the EULA specifically asserts that.
These sorts of bugs do open a whole can of worms, you want to make extra sure that you can't activate cameras and microphones in the wrong app state.
They have enough engineers to do better, IMO.
Wow, weird world you live in, where if you harm a person and don't have a contract, no problem they can't sue.
LOL
You even "Bzzt"'d yourself! LOLOLOLOLOLOL