Backdoor in top iPhone games stole user data, suit claims
A maker of some of the most popular games for the iPhone has been surreptitiously collecting users' cell numbers without their permission, according to a federal lawsuit filed Wednesday.
The complaint claims best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. The Redwood City, California, company, which claims its games have been downloaded more than 20 million times, has no need to collect the numbers.
"Nonetheless, Storm8 makes use of the 'backdoor' method to access, collect, and transmit the wireless phone numbers of the iPhones on which its games are installed," states the complaint, which was filed in US District Court in Northern California. "Storm8 does so or has done so in all of its games."
Messages left for Storm8 representatives weren't returned.
The complaint, filed on behalf of iPhone owner and gamer Michael Turner of Lynnwood, Washington, seeks class action status so other users of Storm8 games can also join. It claims that as of Monday, five of the company's games ranked in the top 50 free apps on Apple's App Store, and seven of them ranked in the top 100. Titles include World War, iMobsters, Racing Live, Vampires Live, Kingdoms Live, Zombies Live, and Rockstars Live.
The complaint claims Storm8 has violated the Computer Fraud and Abuse Act and California's computer crime law, among other statutes.
It's not the first time Storm8 has been accused of spying on its users. In August, SFGate.com writer Yobi Benjamin analyzed precisely what information his iPhone was sending to Storm8 and dropped it into this column.
"I would not want just anyone to have my personal phone number," he wrote. "Worst of all, the information is transmitted unencrypted in plain text."
Other sites have made similar claims about Storm8 titles. In addition to taking the game maker to task, some critics have also blamed Apple for allowing the software to be sold in its heavily controlled App Store. (Storm8 titles such as iMobster continue to be available there.)
Storm8 responded by acknowledging it had been collecting user phone numbers and blamed the situation on "a bug that has been fixed."
Attorneys for the plaintiff aren't buying that.
"Storm8's characterizations of its practice of harvesting phone numbers as a 'bug' and an 'oversight' are false," they wrote. "Storm8 could not have accidentally harvested its users' phone numbers - it used very specific and specialized software code to do so." ®
To The Author: Class Action
The decision to create a "class" action out of a lawsuit has nothing to do with allowing others to join in the lawsuit ... they can do that, anyway, by joining as plaintiffs or by suing individually, or in groups of plaintiffs. "Class" action status is granted to make things easier for judges and is WAAAAY more favorable to the company being sued.
The decision to make a generic lawsuit into a "class" action is all about two things: (1) Increasing what otherwise would be a puny set of damages, by claiming that a whole "class" of people has been affected, and not just the few actual plaintiffs for whom actual damages would be paltry, and (2) thus allowing the actual plaintiffs to petition for and then collect many more times the actual damages they suffered, should the lawsuit be settled in their favor. This ALWAYS ends up being FAR less than a violating company would have been forced to pay if everyone who had a viable lawsuit for the same thing won or settled their cases separately.
For example, if a single person wanted to sue Storm8 for this, what are their actual damages? Maybe the costs incurred from getting a new phone number, if that. If that person and their lawyers can convince a judge that the suit is deserving of "class" action status because lots of people were "probably" affected, then those damages just got multiplied by the number of individuals estimated to be in the "class", and now we're talking some real money.
At the end of a "class" action lawsuit, assuming it settles in favor of the plaintiffs, the lawyers get the biggest chunk of money, often in the several millions of dollars, the original plaintiffs get the next biggest chunk of money, frequently in the tens of thousands of dollars, and the rest of the "class" members get squat. Usually literally.
I refer you to the recently-settled "class" action lawsuit regarding Yahoo's policies with respect to all of the "parked" and otherwise unsavory domains they used to show your PPC ads on. The lawyers got several million dollars (more than $40M, as I recall), the original plaintiffs each received over $10,000, and the rest of us get nothing if we are still in business, or you get $20 if you went out of business during the 5 years it took to settle the case. Oh ... and Yahoo has to do exactly nothing if the deal with Microsoft goes through. That would not have prevented them from being required to make good on the award if this were NOT a "class" action.
What? You didn't know that you were a member of the "class" until the lawsuit was settled, and now you can't sue Yahoo for the same thing because those plaintiffs have already settled it for you? What a shame. Oh well, that's how "class" action lawsuits work ... either you are the plaintiff or the lawyer, or you get nothing.
I sincerely hope that this lawsuit does NOT attain "class" action status, but rather that concerned people who want to join in the lawsuit do so the RIGHT way ... by becoming official co-plaintiffs. "Class" action lawsuits are a scourge and a disgrace, and should be removed as a legal "remedy".
For the record, I did not once suggest that one OS is more secure than another. Personally most of my computers run Windows and I have a Windows Mobile based phone.
I don't worship at anyone's altar, least of all Steve Jobs'.
@magnetik, @Richard 118
Hm... I wonder if you're aware of the BlackBerry OS security model. I don't get any "security dialog" when I send an SMS or make a call, but I do get 'em when *any* app tries to do these things, unless I've explicitly granted permissions on that app.
In fact, I installed the Google Mobile App about 2 days ago, and it caused a security dialog to tell me that Google Mobile app was trying to access the phone data. This is SOP for *all* apps other than the stock BlackBerryOS apps... why can't Apple manage this?
It does show, however, that the iPhone locked-down environment isn't done for *security* reasons, otherwise something like this would be impossible to pull off. I would definitely say "no" if some game started to ask me for phone data access.