Things are heating up for Apple in the wake of the FaceTime eavesdropping bug that was discovered earlier this week as users question whether they’ve been unknowingly snooped on. The flaw has already resulted in at least one lawsuit, and there may be more to come, and now it looks like government officials are beginning to seek answers as to why Apple was so slow to disclose and address the issue.
According to a new report by Bloomberg, New York State has fired the first salvo, with Attorney General Letitia James and Governor Andrew Cuomo’s office launching a joint probe looking at Apple’s failure to properly disclose the bug and warn consumers when it first became aware of it, plus what it feels is Apple’s “slow response to one of the biggest privacy-related problems faced by the company.”
“This FaceTime breach is a serious threat to the security and privacy of the millions of New Yorkers who have put their trust in Apple and its products over the years.”
New York Attorney General Letitia James
The probe is trying to determine whether Apple violated New York consumer protection laws by failing to proactively warn consumers about the issue as soon as Apple became aware of it. While Apple was quick to shut down the Group FaceTime feature that was used to exploit the bug, and issued a statement to BuzzFeed News that a more permanent fix was in the works, it did not make any wider announcement about the problem, or even offer a direct explanation on its site as to why Group FaceTime had been disabled.
By contrast, Governor Cuomo’s office was considerably quicker to respond, issuing a consumer alert on Monday calling the bug an “egregious breach of privacy that puts New Yorkers at risk” and advising citizens to temporarily disable the app until Apple issues a fix.
The privacy flaw itself appears to be specific to Apple’s new Group FaceTime feature that was introduced last fall in iOS 12.1, and allowed users to eavesdrop on unanswered FaceTime calls to another party by starting a FaceTime call and then adding themselves to the group while the original call was still ringing. While the exploit did require a FaceTime call to ring on the other party’s iPhone, iPad, or Mac, many users may not have been aware that a call was coming in, or may have simply ignored the incoming call rather than declining it. To make matters worse, pressing the side button once to silence the ringer — rather than twice to reject the call — would actually enable video to be sent in addition to audio.
“The FaceTime bug is an egregious breach of privacy that puts New Yorkers at risk. In New York, we take consumer rights very seriously and I am deeply concerned by this irresponsible bug that can be exploited for unscrupulous purposes. In light of this bug, I advise New Yorkers to disable their FaceTime app until a fix is made available, and I urge Apple to release the fix without delay.”
New York State Governor Andrew M. Cuomo
While it’s fair to say that any warnings would have been irrelevant once the vulnerable Group FaceTime service had been shut down, the lack of communication is enough to raise concerns with New York State officials, especially when considered alongside reports that an Arizona teen had actually discovered the flaw on Jan. 20, and allegedly reported it to Apple, along with full details.
The suggestion that Apple knew about such a serious security vulnerability at least a week before it was discovered and didn’t act on it is enough to understandably raise concerns among government regulators, particularly due to the effect it has in eroding trust between consumers and businesses. New York Governor Andrew Cuomo stated that his office is looking for “a full accounting of the facts” both to make sure that no consumer protection laws have been violated and to work to prevent such incidents from occurring in the future.
Although New York State has been remarkably proactive in addressing this, other government officials are already starting to raise concerns as well. For example, U.S. Senator Amy Klobuchar (D-MN), who is sponsoring a new data privacy bill, made the point yesterday that the bug is a perfect example of why such legislation is necessary, calling it a “clear violation of consumers’ privacy protections.”
It seems likely that this is only going to be the first of many questions that Apple will need to answer in the aftermath of what may arguably be the most serious privacy issue that the company has yet faced.