Even though Apple’s latest major iOS release isn’t even available to the general public yet, some of the new privacy features in iOS 14 are causing enough of a stir that we’re already seeing users filing lawsuits against developers whose apps the early betas have caught potentially invading users’ privacy.
According to Reuters, an iPhone user in New York, Adam Bauer, has filed a lawsuit against LinkedIn, alleging that the app, which is owned by tech giant Microsoft, has been secretly spying on users for years. Bauer is seeking to turn this into a class action lawsuit involving other users of the iPhone LinkedIn app who similarly feel that the tech giant has violated their privacy.
At the core of the issue is the fact that it has long been possible for any iOS app to read the system clipboard — and anything that happens to be stored on it — pretty much at will, without even notifying the user, much less requiring their permission to do so. After security researchers shed light on the fact that this was not only a dangerous possibility, but also one that was extremely widespread, Apple responded by adding a privacy feature in iOS 14 that will alert users each and every time data that was copied from one app is pasted into another, whether the user does it deliberately or not.
It was only days after the first private beta of iOS 14 landed in developers’ hands that it started catching apps behaving badly, beginning with the controversial app TikTok (which surprised nobody), followed by apps like LinkedIn and Reddit (which were considerably more surprising), among at least 53 others.
It’s this latter case that Bauer is now calling LinkedIn out on, claiming that its decision to read the clipboard without notifying the user is tantamount to spyware, noting in the complaint that it “secretly” reads users’ clipboard “a lot,” while also claiming that it’s been “circumventing Apple’s Universal Clipboard timeout.”
What’s Going On Here?
While some could argue that this is just another example of opportunistic litigation, it’s hard to deny that Bauer has a point. Remember that iOS 14 has simply shone a big huge spotlight on behaviours that some apps have been engaging in for many years.
To be clear, apps have always been able to read the system clipboard — at least since Apple added one back in 2009 with “iOS” 3.0 (it was actually called “iPhone OS” back then). Arguably, this is kind of the point of a system-wide clipboard — to be able to copy information from one app and paste it into another.
The problem, however, is that for all of Apple’s great work on securing iOS, they never took steps to actually prevent apps from sniffing at the clipboard without the user’s knowledge or consent. Some of this may have just been oversight on Apple’s part, of course, as clipboard data is usually fairly transitory, but it also allowed developers to make very good use of this capability, especially in the days before Apple introduced the iOS Share Sheet for more effective inter-app sharing. For example, apps like Pocket and Pinterest could scan your clipboard as soon as you opened those apps to look for URLs that you might want to save. This was extremely helpful in the days when there wasn’t really any other easy way to get URLs from Safari into those apps.
However, a feature like this is also ripe for abuse, and it’s really difficult to tell just how many developers have been misusing or abusing it. Still, as we explained last week, just because apps are reading your clipboard doesn’t mean that they’re spying on you, and LinkedIn actually specifically denied any wrongdoing in this case, pointing to shoddy programming on the part of its developers, promising to fix the issue, and reassuring users that the clipboard contents weren’t being stored or transmitted back to LinkedIn’s servers.
Why LinkedIn Probably Isn’t Spying On You
Still, it was pretty scary for users on the iOS 14 beta who opened LinkedIn to discover a barrage of constant notifications showing that it was reading the clipboard after almost every keystroke. When you think about it, however, it’s this very fact that suggests that it’s more of a result of poor programming than any nefarious intent on the part of LinkedIn.
After all, the clipboard content doesn’t change with every keystroke, so there’s absolutely no reason for an app that was actually trying to spy on you to be scanning it so often. In fact, it shouldn’t be necessary for an app to do it as long as you remain active within the app, since anything else that you would add to the clipboard in that case would either have to come from within the app itself or from your iPad or Mac via the Universal Clipboard. Anything in the app itself is obviously already accessible to the app, and it’s pretty unlikely that you’re copying data onto your clipboard from your Mac or iPad at the same time that you’re busily typing away on your iPhone.
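To make that reasoning concrete, here is an added example (not code from LinkedIn, Pocket, Pinterest or any other app mentioned here) of how an app can offer to save a copied URL while reading the clipboard at most once per change. The class name `ClipboardURLSuggester` and its `suggest` callback are hypothetical; `UIPasteboard.changeCount`, `hasURLs` and `url` are standard UIKit properties.

```swift
import UIKit

// Hypothetical helper: offers a copied URL once per clipboard change
// instead of re-reading the clipboard on every keystroke.
final class ClipboardURLSuggester {
    private let pasteboard = UIPasteboard.general
    private var lastChangeCount: Int?        // last clipboard state already handled
    private var token: NSObjectProtocol?
    private let suggest: (URL) -> Void

    init(suggest: @escaping (URL) -> Void) {
        self.suggest = suggest
        // Check only when the app becomes active: while the user stays in the
        // app, anything new on the clipboard came from the app itself.
        token = NotificationCenter.default.addObserver(
            forName: UIApplication.didBecomeActiveNotification,
            object: nil, queue: .main
        ) { [weak self] _ in self?.checkOnce() }
    }

    deinit {
        if let token = token { NotificationCenter.default.removeObserver(token) }
    }

    private func checkOnce() {
        // changeCount is metadata; comparing it does not fetch the contents.
        let current = pasteboard.changeCount
        guard current != lastChangeCount else { return }
        lastChangeCount = current

        // hasURLs reports the kind of data present without fetching its value.
        guard pasteboard.hasURLs, let url = pasteboard.url else { return }
        suggest(url)   // the single content read for this clipboard change
    }
}
```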
So it’s safe to say that many of the apps being caught in this behaviour, especially those from more reputable services like LinkedIn, are not likely spying on you, but that doesn’t mean that many others couldn’t be. The fact that Apple has added this feature in iOS 14 is going to be a huge boon for privacy, and it closes what has been a pretty big loophole in iOS for over a decade now.
As for the lawsuit, it remains to be seen whether it will gain any traction at all, but it does light even more of a fire under developers to clean up their acts and make sure that their apps are avoiding every possible appearance of evil. Even if there are no actual privacy violations in this case, we can’t argue with the idea that developers should be called to account to ensure that their apps are behaving more appropriately.