Your most embarrassing musical secrets may be worth just 8 cents, according to a recent lawsuit filed against Apple.
The suit, filed Friday in the United States District Court for the Northern District of California, claims that Apple sells customers’ iTunes listening data to third-party companies. The documents revealed just how little your musical preferences might actually be worth on the open market.
The lawsuit cites a company called Carney Direct Marketing, which advertised iTunes and Pandora user data at a base price of $80 per thousand records — or 8 cents per user in the database. Carney Direct Marketing offers additional demographic data — including age, education, gender, geography, household income, marital status, and presence of children — for added fees ranging from .8 to 1 cent per user. That’s $8 to $10 per thousand users.
Though it is not clear how many brokers had access to this iTunes data, the suit names another company, SDRS, which offered similar pricing and demographic information for the same base price of 8 cents per user.
The suit alleges that this information could prove valuable to companies looking to target particularly vulnerable people, including the elderly.
“For example, any person or entity could rent a list with the names and addresses of all unmarried, college-educated women over the age of 70 with a household income of over $80,000 who purchased country music from Apple via its iTunes Store mobile application,” the lawsuit says. “Such a list is available for sale for approximately $136 per thousand customers listed.”
It may not have specifically been Apple selling your data, but rather that the company enabled third parties access, and the subsequent ability to monetize the sale of the data. The lawsuit alleges that Apple disclosed personal listening information to developers, who in turn disclosed that information to other parties for profit. This data was made available to third parties via the company’s MediaPlayer Framework API, which was used by developers alongside the company’s iOS SDK, according to the suit.
The lawsuit states that this allowed developers to “grant themselves access to metadata that identifies the titles of all the songs that a particular user of their application has purchased on iTunes.”
According to the lawsuit, the amount of information that the MediaPlayer Framework API allowed developers to access was “so invasive” that a developer named Ben Dodson submitted a bug report to Apple about it in early 2016. Dodson described the issue as a “security hole” by which, “[a]ll metadata can be pulled from the [iTunes] library without the user knowing.”
The issue was not addressed in the iOS 10.0 update, which went live eight months later, according to court documents, with Apple instead opting to inform users that their iTunes libraries may be accessed by developers of mobile applications.
The fact that such vast amounts of data could be made so readily available to developers is particularly shocking in light of Apple’s recent initiative to promote itself as a privacy-focused company.
Apple, Pandora, and Carney Direct Marketing did not respond to requests for comment.