The recently discovered privacy bug in Group FaceTime has caused quite a stir, resulting in at least one lawsuit and an investigation by New York State officials. So it’s no surprise that U.S. lawmakers are also now demanding an explanation from Apple, questioning the extent of the flaw, why it took so long to come to Apple’s attention, and whether there are other undisclosed bugs still waiting in the shadows.
In a letter to Apple CEO Tim Cook from the U.S. Committee on Energy and Commerce, Representatives Frank Pallone Jr. (D-NJ) and Jan Schakowsky (D-IL) note that they are “deeply troubled” by the amount of time it took for Apple to address “a significant privacy violation” and are seeking more information on the nature of the flaw and the way in which it was handled by Apple. Pallone is the chairman of the committee, while Schakowsky chairs the subcommittee on Consumer Protection and Commerce.
“We are deeply troubled by the recent press reports about how long it took for Apple to address a significant privacy violation identified by Grant Thompson, a 14-year-old, in its Group FaceTime feature. As such, we are writing to better understand when Apple first learned of this security flaw, the extent to which the flaw has compromised consumers’ privacy, and whether there are other undisclosed bugs that currently exist and have not been addressed.”
Letter to Apple CEO Tim Cook from U.S. Committee on Energy and Commerce
The letter goes on to note how almost everybody is now walking around with a microphone- and camera-enabled device in their pocket, as well as placing them around their homes in smart home devices, stating that these devices are “wonderful tools” that can also become “the ultimate spying machines,” as demonstrated by the Group FaceTime issue. This makes it important that companies like Apple be “held to the highest standards,” the letter adds, specifically asking that Apple be transparent about its investigation into the Group FaceTime vulnerability and what it is doing to protect consumer privacy.
The letter then asks several pointed questions of Apple, including when it first became aware of the vulnerability and whether any customers other than the Thompson family had notified Apple of the flaw, and requests a timeline of the specific steps taken to address the problem once it had been identified. The Committee also asks Cook to outline the procedures and testing that exist to identify such vulnerabilities, why those procedures failed to identify the flaw before release, and what steps Apple will now be taking to improve testing.
“We believe it is important for Apple to be transparent about its investigation into the Group FaceTime feature’s vulnerability and the steps it is taking to protect consumers’ privacy. To date, we do not believe Apple has been as transparent as this serious issue requires.”
Letter to Apple CEO Tim Cook from U.S. Committee on Energy and Commerce
The letter also specifically calls out Apple’s delay, asking why it took so long for Apple to address the issue once it was reported, over a week before the issue became public knowledge.
In addition to seeking background on the flaw, the Committee also wants Cook to explain what steps Apple is taking to identify FaceTime users whose privacy was violated as a result of the vulnerability, and whether Apple will notify and compensate affected consumers. The letter also asks if there are other vulnerabilities in Apple’s hardware and software that could result in unauthorized microphone and camera access, and how Apple is addressing any such vulnerabilities.
The flaw in question, which allowed the Group FaceTime feature to be exploited to eavesdrop on audio and video from an unanswered call, first became public knowledge last Monday, after which Apple shut down its Group FaceTime feature on its servers in order to prevent the flaw from being further exploited. However, it was later revealed that the bug was actually discovered by an Arizona teen, Grant Thompson, and reported to Apple over a week earlier. Although Apple apologized for the bug, thanking the Thompson family and promising to review its internal procedures, the company provided no specific information on exactly why the report took over a week to reach the right people. Presumably this is the lack of transparency that the committee is referring to, and since Apple’s response will most likely be on the public record, it will likely help to provide at least a little more insight into exactly what went wrong, both before and after the vulnerability was reported.
The Committee is asking Cook to respond to its questions by February 19, 2019.