Full Court Document Details a Class Action filed against Microsoft's LinkedIn for Brazenly Violating Apple User Privacy
A Class Action has been filed by Apple device owner Adam Bauer against Microsoft's LinkedIn for Brazenly Violating the Privacy of Apple device owners. LinkedIn had programmed its iPhone and iPad applications to abuse Apple’s Universal Clipboard to brazenly read and divert LinkedIn users’ most sensitive data—including sensitive data from other Apple devices—without their consent or knowledge. Reportedly, the practice has been ongoing for years.
Introduction: The Full Class Action Complaint
Below is the full formal complaint filed with the court. Yellow highlighting or bold text was added by Patently Apple for emphasis only.
This lawsuit seeks to remedy a particularly brazen, indefensible privacy violation perpetrated en masse by one of the world’s largest and most trusted social networks, LinkedIn. Until abruptly exposed by Apple and independent developers, LinkedIn had programmed its iPhone and iPad applications to abuse Apple’s Universal Clipboard to brazenly read and divert LinkedIn users’ most sensitive data—including sensitive data from other Apple devices—without their consent or knowledge. LinkedIn’s conduct violated federal and State law, and harmed hundreds of thousands—if not millions—of LinkedIn users, including Plaintiff. Plaintiff brings this action on behalf of himself and others similarly situated.
In Apple’s most recent beta release of its iOS mobile device operating system—iOS 14—Apple added a new privacy setting that allows users to receive a notification each time an app on their iPhone or iPad reads from the system clipboard. Many commenters hailed this and related new features in iOS 14 as an important step toward improved data privacy in mobile devices and their applications.
But when developers and other beta testers began using the new privacy notifications in iOS 14, they discovered something quite disturbing: LinkedIn’s mobile application for iPhones and iPads was secretly reading users’ clipboards, a lot. Constantly, even.
Specifically, as of July 2, 2020, LinkedIn’s iOS App was, after each user keystroke, immediately reading the contents of the device’s system clipboard—the temporary storage where users 'cut' or 'copy' information to for their own later use through a 'paste' command in a particular app and location.
The system clipboard often contains some of the most sensitive data users routinely and temporarily store on their devices. Indeed, users store information, such as photos, text messages, e-mails, cryptographic keys, or even medical records, in their device clipboards to name a few examples. And LinkedIn was surreptitiously reading it—again and again and again—without any user-triggered paste commands, and without even notifying the user. LinkedIn’s conduct, which continued for potentially years before Apple’s iOS 14 beta laid bare its existence, was particularly egregious for users with more than one Apple device.
A feature on Apple iOS and MacOS devices called the Universal Clipboard allows nearby devices to share clipboard information. Thus, a photo “copied” on a Mac computer is instantly transferred to a nearby iPhone’s clipboard—but it only remains available to a user on that device for 120 seconds for security reasons.
Yet the LinkedIn App doesn’t just cut the user out of the clipboard equation—it circumvents the 120 second timeout on Apple’s Universal Clipboard. Specifically, the LinkedIn App repeatedly reads the Universal Clipboard with every user keystroke, and these 'reads' are interpreted by Apple’s Universal Clipboard as a 'paste' command, which takes the temporary information in the Universal Clipboard and removes the 120 second timeout. Simply put, LinkedIn has not only been spying on its users, it has been spying on their nearby computers and other devices, and it has been circumventing Apple’s Universal Clipboard timeout policy in doing so.
Users expect the information that they place in their clipboard, including their Universal Clipboard, to remain available only to them, to be used only with their consent. Indeed, information such as photos, text and e-mail messages, voice recordings, and other communications, are expected to remain in a clipboard until the user herself issues a paste command or overwrites the information. LinkedIn ignored that expectation and intentionally and repeatedly invaded user privacy—and it carefully hid what it was doing from users, knowing just how far beyond the boundaries of reasonable conduct it had gone
The LinkedIn App’s egregious behavior was never disclosed to users. Indeed, until recently, users had no idea that their most sensitive communications were being indiscriminately intercepted and read by the LinkedIn App, including prior to, or contemporaneously with, transmission from one device to another.
This action seeks to hold LinkedIn responsible for its misbehavior."
From the Lawsuit: Apple's Universal Clipboard
(Click on image to Enlarge)
For more details of this potential class action, read the Plaintiff's full 43 page complaint filed with the court in the SCRIBD document below, courtesy of Patently Apple.
Beyond our report's information directly from the lawsuit, Reuters added to their report yesterday that " According to media reports from last week, 53 apps including TikTok and LinkedIn were reported to be reading users’ Universal Clipboard content, after Apple’s latest privacy feature started alerting users whenever the clipboard was accessed with a banner saying 'pasted from Messages.'"
Reuters further added that "A LinkedIn executive had said on Twitter last week that the company released a new version of its app to end this practice."