Apple’s Liability for the Xcode Hack


By Richard Stobbe

I don’t think I’m going out on a limb by speculating that someone, somewhere is preparing a class-action suit based on the recently disclosed hack of Apple’s app ecosystem.

How did it happen? In a nutshell, hackers were able to infect a version of Apple’s Xcode software package for iOS app developers. A number of iOS developers – primarily in China, according to recent reports – downloaded this corrupted version of Xcode, then used it to compile their apps. This corrupted version was not the “official” Apple version; it was accessed from a third-party file-sharing site. Apps compiled with this version of Xcode were infected with malware known as XcodeGhost. These corrupted apps were uploaded and distributed through Apple’s Chinese App Store. In this way the XcodeGhost malware snuck past Apple’s own code review protocols and, through the wonder of app store downloads, it infected millions of iOS devices around the world.

The malware does a number of nasty things – including fishing for a user’s iCloud password.

This incident provides a good case study of how risk is allocated in license agreements and terms of service. What do Apple’s terms say about this kind of thing? In Canada, the App Store Terms and Conditions govern a user’s contractual relationship with Apple for the use of the App Store. On the face of it, these terms disclaim liability for any “…LOSS, CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, OR OTHER SECURITY INTRUSION, AND APPLE CANADA DISCLAIMS ANY LIABILITY RELATING THERETO.”

Apple could be expected to argue that this clause deflects liability. And if Apple is found liable, then it would seek the cover of its limitation of liability clause. In the current version of the terms, Apple claims an overall limit of liability of $50. Let’s not forget that “hundreds of millions of users” are potentially affected.

As a preliminary step, however, Apple would be expected to argue that the law of the State of California governs the contract and that any remedy must be sought in a California court (see our post the other day: Forum Selection in Online Terms).

Will this limit of liability and forum-selection clause hold up to the scrutiny of Canadian courts if there is a claim against Apple?

Calgary – 07:00 MT
