A few years ago, Apple began pushing “two-factor” authentication on its users. Through an operating system update, it began requiring those who wanted to download and install software to use a separate out-of-band authentication mechanism in addition to providing a password. While such 2FA systems are not perfect, and those which rely on things like MMS or SMS messages to a cell phone are vulnerable to SIM swap attacks, they are, as a general rule, better than one-factor authentication, or no-factor authentication. After Apple implemented 2FA, some people found it more difficult to download apps and do other things on their Apple devices. One such person was Jay Brodsky, who decided to sue Apple in federal court in San Francisco as part of a class action. Brodsky and other members of the class alleged that the 2FA was an invasion of privacy. In particular, the class action lawsuit alleged that the 2FA “intercepted” their access to third-party apps, and “virtually dispossessed” them from using those apps. They sued under the theories that Apple’s 2FA was a “trespass to chattels,” violated the California right to privacy law, was an unauthorized access to a computer in violation of federal and state computer crime laws, and that Apple was “unjustly enriched” by its horrible actions.
On April 7, 2020, California Federal Judge Lucy Koh granted Apple’s motion to dismiss the lawsuit in its entirety. The Court ruled that all of the actions complained of (the updating of the code, the installation of the 2FA authentication, the “trespass” to chattels) were expressly authorized by the Plaintiffs when they updated the software, and besides, they suffered no cognizable “harm” from the update (and certainly not the statutory damages under the federal computer crime statute). Brodsky v. Apple, Dkt. No. 5:19-cv-00712-LHK (N.D. Cal., April 7, 2020).
The case is unremarkable in its holding, and remarkable only in the fact that it was brought at all. Lots of updates and features are unwanted, but installing them is not a computer crime or a violation of privacy. When an app collects data it’s not supposed to collect, or shares it in ways it’s not supposed to share, THAT’s a possible privacy violation. 2FA? Not so much.
And the other lesson here is that, when it comes to security, you can’t please everyone, so you’ve got to please yourself.
Mark Rasch is an attorney and author of computer security, Internet law, and electronic privacy-related articles. He created the Computer Crime Unit at the United States Department of Justice, where he led efforts aimed at investigating and prosecuting cyber, high-technology, and white-collar crime.