Apple sued for $5M for not recovering data after iPhone theft

If you use Advanced Data Protection, you are expected to to keep your recovery key. But what happens if someone exploits that feature?

In a filing at the U.S. District Court for the Northern District of California in January, surfaced by the Washington Post in April, Michael Mathews of Minnesota is suing Apple for access to his data and compensation.

After his iPhone was stolen by pickpockets in Scottsdale, Arizona, Mathews claims he lost access to his photos, music, tax returns, and work-related research. As a consequence, his tech consulting firm apparently had to shut down.

The plantiff tried suing Apple after they told him that the company cannot unlock his Apple Account. This is because the thieves were able to change the Apple account password and enabled ADP, preventing Apple from recovering the files.

Mathews’ problems all focus around the Recovery Key, a feature of Advanced Data Protection which is used to reset the password and recover the account. It is a 28-digit key that Apple recommends users store safely for future use.

However, in this case, it’s apparently being used by the thief. If the thief can gain access to the iPhone, such as by discovering the passcode to unlock it, they can then change the password to the Apple ID to make it harder to recover.

In some cases, a thief could also enable ADP and create the Recovery Key. It’s also possible for a thief to change an already existing Recovery Key, if they know the passcode and can use it.

Three lessons here: 1) Use a strong password for your smartphone and any relevant accounts, 2) Use on-device encryption, and 3) Make backups.

Edit: Note that Apple Insider appears to be wrong in associating the recovery key with ADP. This is probably pending a correction

Guy runs a tech consulting firm but he’s never heard of local backups.

You’d be surprised how dumb smart people are sometimes.

Sounds like a 6 digit and under password problem not a apple problem.

Apple Insider reports this incorrectly, a Recovery Key is independent of Advanced Data Protection.

Additional context on this case and similar cases: https://archive.is/1NMCR

If a user or thief has turned on a feature called Advanced Data Protection, all of that data is fully locked down and not even Apple can access it. But in cases where that advanced encryption isn’t being used — like Mathews’s — Apple isn’t hamstrung by technical limitations; it’s choosing not to return people’s data, experts allege.

Apple has “never expressed to us that they are unable to give the information back,” Breyer said.

Apple Insider is merely assuming — probably incorrectly — that ADP is being used.

To me, this just shows that Apple should make ADP the default. Leaving it as an optional feature not only leaves users open to threats from data breaches and police data requests but also attacks like this. People should get used to being responsible for their own data.

Rather embarrassing for Apple Insider! That warrants a correction on their end.

It could be that Apple is being sued based on that incorrect assumption from the plaintiff and legal team. Probably depends on the actual court case documents themselves.

This is not the Apple Business model way.

But yes.

The vast, vast majority of people have no idea what E2EE is or what it implies for data recovery.

Making ADP the default would just lead to millions of angry Apple users who constantly need their account passwords reset permanently losing data. This would be a very bad move for Apple.

Privacy is a right, but it takes personal responsibility to actually implement. If people can’t be bothered to learn about the basics then it’s on them when something bad happens because of their laziness.