`
`Aaron J. Solomon, Esq.
`OVED & OVED LLP
`Attorneys for Plaintiffs
`401 Greenwich Street
`New York, NY 10013
`
`UNITED STATES DISTRICT COURT
`SOUTHERN DISTRICT OF NEW YORK
`-------------------------------------------------------------------X
`
`TIGRAN OHANIAN, INDIVIDUALLY AND ON
`BEHALF OF ALL OTHER PERSONS SIMILARLY
`SITUATED, AND REGGE LOPEZ, INDIVIDUALLY
`AND ON BEHALF OF ALL OTHER PERSONS SIMILARLY
`SITUATED,
`
`Plaintiffs,
`
`- against -
`
`APPLE INC. AND T-MOBILE USA, INC.
`
`Defendants.
`-------------------------------------------------------------------X
`
`CASE NO.: 20-CV-05162
`
`CLASS ACTION COMPLAINT
`
`JURY TRIAL DEMANDED
`
`
`
`
`
`
`
`
`
`
`Plaintiffs Tigran Ohanian (“Ohanian”) and Regge Lopez (“Lopez”) (collectively,
`
`“Named Plaintiffs”), by their attorneys, Oved & Oved LLP, complaining of Defendants Apple
`
`Inc. (“Apple”) and T-Mobile USA, Inc. (“T-Mobile”) allege upon knowledge as to themselves,
`
`and upon information and belief as to all other matters, as follows:
`
`
`
`
`
`SUMMARY OF CLAIMS
`
`1.
`
`This is a class action brought to redress Apple’s deceptive acts and practices and
`
`material omissions regarding the data privacy and security of its mobile devices, namely the
`
`iPhone and the iMessage and FaceTime features that are unique to the iPhone, as well as T-
`
`Mobile’s deceptive acts and practices and material omissions related to its subscriber
`
`identification modules (“SIM cards”), by which it provides telecommunications services to
`
`consumers through the iPhone.
`
`2.
`
`During the time period in question, Apple represented to consumers, through a
`
`variety of marketing campaigns both in print and through digital mediums, that the iPhone was
`
`
`
`Case 1:20-cv-05162 Document 1 Filed 07/06/20 Page 2 of 34
`
`designed to protect the privacy of users’ data and confidential personal information, and that the
`
`iMessage and FaceTime features unique to the iPhone were highly secure methods of
`
`communication. As such, Apple was able to command premium prices for the sale of the iPhone
`
`as compared to other smartphones that were available for purchase on the market.
`
`3.
`
`At the same time, however, Apple deceived consumers by failing to disclose a
`
`significant security flaw in the Apple iOS software – the operating system for the iPhone –
`
`known only to Apple that allowed iMessage correspondence sent by iPhone users and FaceTime
`
`calls made by iPhone users to be improperly directed to and accessed by third parties.
`
`4.
`
`During that same time period, T-Mobile marketed and sold iPhone-compatible
`
`SIM cards to consumers for use in the iPhone. However, T-Mobile deceived consumers – who
`
`were under the reasonable belief that the SIM cards would provide them with a private and
`
`secure means to communicate through the iPhone on T-Mobile’s wireless network – by failing to
`
`disclose that its practice of recycling phone numbers linked to SIM cards, and selling those SIM
`
`cards to consumers without requiring prior users to manually disassociate their Apple IDs from
`
`the phone numbers associated with the recycled SIM cards, did not protect the privacy of users’
`
`data and confidential personal information.
`
`5.
`
`Apple’s failure to disclose the security flaw in the Apple iOS software used in the
`
`iPhone, as well as T-Mobile’s failure to disclose the fact that its SIM card practices did not
`
`protect the privacy of users’ data and confidential personal information, caused consumers who
`
`purchased iPhones and/or utilized T-Mobile SIM cards in iPhones to become the unsuspecting
`
`victims of extensive data security breaches when their iMessage correspondence and FaceTime
`
`calls were improperly accessed by third parties without their knowledge or authorization.
`
`6.
`
`Apple’s release of the iOS 12 software on or about September 17, 2018
`
`purportedly resolved these data security issues for iPhone users that actually installed the
`
`software, yet Apple never informed iPhone users, consumers, or the general public of the fact
`
`that the known security flaw in the iOS software led to innumerable unintended disclosures of
`
`iPhone users’ iMessage correspondence and FaceTime calls to third parties for nearly seven
`
`years prior to that. Indeed, even to this day, not all consumers that purchased iPhones or T-
`
`Mobile SIM cards for use in iPhones have installed the iOS 12 software on their iPhones, and the
`
`data security breaches alleged herein still may be affecting those consumers.
`
`7.
`
`Named Plaintiffs, both of whom are iPhone users that purchased T-Mobile SIM
`
`cards in order to utilize the communications features of the iPhone including iMessage and
`
`FaceTime, bring this proposed consumer class action on their own behalf and on behalf of all
`
`other persons similarly situated who, from the applicable limitations period through the present
`
`(the “Class Period”) purchased Apple iPhones and/or T-Mobile SIM cards for use in iPhones,
`
`and utilized the iMessage and FaceTime features included in all iPhones.
`
`THE PARTIES
`
`8.
`
`Ohanian is a natural person presently residing in Moscow, Russia.
`
`9.
`
`Lopez is a natural person presently residing in the State of Florida.
`
`10.
`
`Apple is a multinational company that manufactures, advertises, markets,
`
`distributes, and sells, inter alia, computer hardware, software, and mobile devices, including the
`
`iPhone. Apple is a California corporation with its principal place of business located at One
`
`Apple Park Way, Cupertino, California 95014.
`
`11.
`
`T-Mobile is a wireless mobile network operator that manufactures, advertises,
`
`markets, distributes, and sells, inter alia, SIM cards. T-Mobile is a Delaware Corporation with
`
`its principal place of business located at 12920 SE 38th St., Bellevue, Washington 98006.
`
`JURISDICTION / VENUE
`
`12.
`
`This Court has original jurisdiction over this matter pursuant to the Class Action
`
`Fairness Act, 28 U.S.C. § 1332(d)(2), because this is a class action, as defined by 28 U.S.C. §
`
`1332(d)(1)(B), in which there are 100 or more class members, a member of the putative class is a
`
`citizen of a different state than Apple and T-Mobile, and the amount in controversy exceeds the
`
`sum or value of $5,000,000.00, excluding interest and costs.
`
`13.
`
`This Court has personal jurisdiction over Apple pursuant to CPLR § 302(a)(1)
`
`because it transacts business in the State of New York by advertising, marketing, distributing,
`
`and selling its consumer product, the iPhone, throughout New York State to consumers in New
`
`York State, including Named Plaintiffs and members of the class, and it engaged in the
`
`wrongdoing alleged herein in New York State. Further, Apple has sufficient minimum contacts
`
`with New York State and has intentionally availed itself of the consumer market in New York
`
`State, rendering the exercise of jurisdiction by this Court permissible under traditional notions of
`
`fair play and substantial justice.
`
`14.
`
`This Court has personal jurisdiction over T-Mobile under CPLR § 302(a)(1)
`
`because it transacts business in the State of New York by advertising, marketing, distributing,
`
`and selling SIM cards throughout New York State to consumers in New York State, including
`
`Named Plaintiffs and members of the class, and it engaged in the wrongdoing alleged herein in
`
`New York State. Further, T-Mobile has sufficient minimum contacts with New York State and
`
`has intentionally availed itself of the consumer market in New York State, rendering the exercise
`
`of jurisdiction by this Court permissible under traditional notions of fair play and substantial
`
`justice.
`
`15.
`
`Venue is proper in this Court pursuant to 28 U.S.C. § 1391 because a substantial
`
`part of the events or omissions giving rise to these claims occurred in this District.
`
`CLASS ALLEGATIONS
`
`16.
`
`This action meets the prerequisites of a Class Action under Rule 23(a) of the
`
`Federal Rules of Civil Procedure.
`
`17.
`
`This action is brought on behalf of Named Plaintiffs and a class consisting of
`
`similarly situated individual consumers who (i) purchased one or more iPhones, or purchased
`
`one or more T-Mobile SIM cards for use in iPhones, during the Class Period; and (ii) utilized the
`
`iMessage and/or FaceTime features of the iPhones through the SIM cards during the Class
`
`Period, by which they became victims of the pervasive data security breaches as alleged herein.
`
`18.
`
`This action meets the numerosity requirement because the putative class is so
`
`numerous that joinder of all members is impracticable. The exact size of the putative class in
`
`New York State is not yet known, but it is believed to be in excess of 1 million consumers.
`
`19.
`
`This action meets the commonality requirement because common questions of
`
`law and fact arise from the wrongful conduct of Apple and T-Mobile directed at Named
`
`Plaintiffs and members of the class as described herein that violated New York General Business
`
`Law § 349 (“NY GBL § 349”) and New York General Business Law § 350 (“NY GBL § 350”),
`
`and also give rise to common law claims for fraudulent misrepresentation and unjust enrichment.
`
`Such questions include, inter alia:
`
`a. Whether Named Plaintiffs and members of the class purchased iPhones or T-
`Mobile SIM cards for use in iPhones during the Class Period, and utilized the
`iMessage and FaceTime features unique to iPhones during the Class Period;
`
`b. Whether Apple possessed material information regarding a security flaw in the
`iOS software utilized in the iPhone that allowed iMessage correspondence and
`FaceTime calls to be improperly accessed by third parties without the knowledge
`or authorization of iPhone users;
`
`c. Whether Apple failed to disclose the existence of the above-mentioned security
`flaw to consumers;
`
`d. Whether T-Mobile possessed material information that its practice of recycling
`phone numbers linked to SIM cards, and selling those SIM cards to consumers
`without requiring prior users to manually disassociate their Apple IDs from the
`phone numbers associated with the recycled SIM cards, did not protect the
`privacy of users’ data and confidential personal information;
`
`e. Whether T-Mobile failed to disclose to consumers that its SIM card practices did
`not protect the privacy of users’ data and confidential personal information;
`
`f. Whether Named Plaintiffs and members of the class suffered damages as a result
`of Apple and T-Mobile’s violations of NY GBL §§ 349 and 350;
`
`g. Whether Named Plaintiffs and members of the class suffered damages as a result
`of Apple’s fraudulent misrepresentations and material omissions regarding the
`data privacy and security features of the iPhone as alleged herein;
`
`h. Whether Named Plaintiffs and members of the class suffered damages as a result
`of T-Mobile’s fraudulent and material omissions regarding its SIM card practices
`as alleged herein; and
`
`i. Whether Apple and T-Mobile were unjustly enriched by their conduct as alleged
`herein.
`
`
`
`
`
`20.
`
`This action meets the typicality requirement because Named Plaintiffs are
`
`members of the putative class and Named Plaintiffs’ claims are typical of the claims of the
`
`putative class. Specifically, Named Plaintiffs and each and every member of the putative class
`
`were victims of the same deceptive acts and practices and material omissions made by Apple
`
`regarding the data privacy and security of its mobile devices, and the deceptive acts and practices
`
`and material omissions of T-Mobile related to its SIM cards. Further, Named Plaintiffs seek and
`
`are entitled to relief under the same causes of action as other members of the putative class.
`
`21.
`
`This action also meets the adequacy requirement. Named Plaintiffs and their
`
`counsel will fairly and adequately protect the interests of the putative class, given that Named
`
`Plaintiffs have retained counsel experienced in class action litigation. Additionally, Named
`
`Plaintiffs and the class members will not have antagonistic interests to one another, because they
`
`seek the same relief for the wrongful conduct of Apple and T-Mobile as alleged herein.
`
`22.
`
`Further, this action is properly maintainable as a class action under Federal Rule
`
`of Civil Procedure 23(b), because a class action would prevent unduly duplicative litigation as
`
`well as inconsistent or varying adjudications pertaining to the unlawful actions of both Apple and
`
`T-Mobile as alleged herein.
`
`23. Moreover, this action is properly maintainable as a class action under Federal
`
`Rule of Civil Procedure 23(b), because the questions of law or fact common to Named Plaintiffs
`
`and the putative class members discussed supra predominate over any questions affecting only
`
`individual class members, and a class action is superior to other available methods for the fair
`
`and efficient adjudication of this controversy. Named Plaintiffs and the putative class members
`
`also lack the financial resources to adequately prosecute separate lawsuits against Apple and T-
`
`Mobile.
`
`FACTUAL ALLEGATIONS
`
`A.
`
`Apple’s iPhone and Marketing Campaigns
`
`24.
`
`Apple is an American multinational company that designs, develops, and sells
`
`technology products such as the iPhone. Apple’s iPhone utilizes operating software known as
`
`iOS.
`
`25.
`
`For years, Apple aggressively marketed the security and privacy features of its
`
`products, including the iPhone, in order to encourage consumers to purchase those products.
`
`26.
`
`For example, since 2009, Apple’s privacy policy has included the phrase, “Your
`
`privacy is a priority at Apple, and we go to great lengths to protect it.” In fact, a 2009 consumer
`
`survey conducted by the Ponemon Institute ranked Apple eighth in the World/USA among all
`
`companies as “most trusted for privacy.”
`
`27.
`
`In addition, beginning in July 2010, Apple consistently marketed the iPhone to
`
`consumers through its website and through other public advertisements as being “[s]afe and
`
`secure by design.” At that time, Apple also made representations to consumers that “iOS 4 [the
`
`iPhone operating system] is highly secure from the moment you turn on your iPhone. All Apps
`
`run in a safe environment, so a website or app can’t access data from other Apps. iOS 4 supports
`
`encrypted network communication to protect your sensitive information. . . .”
`
`B.
`
`Apple Introduces the FaceTime and iMessage Features on the iPhone
`
`28.
`
`In or about June 2010, Apple introduced FaceTime, allowing iPhone users to
`
`communicate with contacts who also had iPhones through a specialized and proprietary
`
`videotelephone feature.
`
`29.
`
`Approximately one year later, in or about October 2011, Apple released its own
`
`encrypted instant messaging service, called iMessage, which allowed iPhone users to
`
`communicate with contacts who also had iPhones through a proprietary messaging feature.
`
`30.
`
`Both services were automatically included in and operated on the iPhone through
`
`the iOS system, were features unique to the Apple iPhones, and were not available on other
`
`smartphones.
`
`C.
`
`SIM Cards and T-Mobile
`
`
`
`31.
`
`Following a consumer’s purchase of an iPhone, the iMessage and FaceTime
`
`features would become associated with the iPhone user’s phone number, Apple ID, and email
`
`address.
`
`32.
`
`In order to utilize the iMessage or FaceTime features of the iPhone on a wireless
`
`network, a SIM card needs to be used, which is a small, removable card used to, inter alia, store
`
`data such as the user’s phone number and mobile carrier information.
`
`33. Wireless network operators, including T-Mobile, sold SIM cards to consumers,
`
`and marketed and distributed the SIM cards specifically for use in the iPhone.
`
`
`
`34.
`
`Once the iPhone is equipped with a SIM card, both the iMessage and FaceTime
`
`features register with the iPhone user’s phone number from the SIM card, after which the iPhone
`
`user can begin sending iMessage correspondence and making FaceTime calls. Specifically, in
`
`order to send iMessage correspondence or make a FaceTime call, the iPhone reads the iPhone
`
`user’s phone number from the SIM card.
`
`D.
`
`Apple’s Continued Marketing Efforts and Representations to Consumers
`
`35.
`
`After releasing the iMessage and FaceTime features on the iPhone, Apple
`
`continued to market the security and privacy features of the iPhone, including the iMessage and
`
`FaceTime features, through various advertisements both in print and in digital media. Namely,
`
`between approximately 2011 and 2014, Apple continuously and repeatedly represented to
`
`consumers that, inter alia:
`
`• iMessages on the iPhone were “unlimited” and “secure, too”;
`
`• the iOS operating system on the iPhone was “highly secure from the moment you
`turn on your iPhone”;
`
`• the iOS operating system on the iPhone protected users’ “sensitive information”;
`
`• iOS-equipped devices such as the iPhone provided “stringent security technology
`and features”; and
`
`• communications on the iPhone using iMessage and FaceTime were “fully
`encrypted.”
`
`
`
`36.
`
`Apple continued to update the technology of the iPhone and the iOS operating
`
`system through 2015. At that time, when it introduced the operating system known as iOS 9 –
`
`which continued, without interruption, to include iMessage and FaceTime – for use on the
`
`iPhone, Apple represented to consumers that “the foundation of iOS” had become “even
`
`stronger” and that Apple had brought to market “advanced security features to further protect”
`
`the privacy of iPhone users.
`
`37.
`
`Apple again continuously and repeatedly marketed the security and privacy
`
`features of the iPhone, including the iMessage and FaceTime features through 2016 and 2017,
`
`claiming, inter alia:
`
`• “security and privacy are fundamental to the design of Apple hardware, software
`and services”;
`
`• iMessage and FaceTime used end-to-end encryption to protect iPhone users’ data;
`
`• “Customers expect Apple and other technology companies to do everything in our
`power to protect their personal information, and at Apple we are deeply
`committed to safeguarding their data”;
`
`• iOS keeps iPhone users’ information private;
`
`• “At Apple, protecting your information is something we build into our processes
`from the beginning”;
`
`• “iOS is designed to put your privacy first”;
`
`• “iOS offers the most advanced security of any mobile operating system”;
`
`• “The point is, security runs throughout the entire system – everything from the
`hardware to iOS to the App Store”; and
`
`• “Apple products are designed to do amazing things. And designed to protect your
`privacy.”
`
`38.
`
`In or about September 2017, Apple launched an updated website with a new look
`
`and information to highlight its position regarding consumers’ data privacy rights through the
`
`use of Apple products, including iPhones. Namely, at that time, Apple made the following
`
`representations to consumers:
`
`At Apple, we believe privacy is a fundamental human right. And
`so much of your personal information – information you have a
`right to keep private – lives on your Apple devices…Who you call,
`email, or message. Every Apple product is designed from the
`ground up to protect that information. And to empower you to
`choose what you share and with whom. We’ve proved time and
`time again that great experiences don’t have to come at the
`expense of your privacy and security.
`
`E.
`
`Apple’s iOS Operating System Allows Users’ Communications
`Through FaceTime and iMessage Services to Be Accessed by Third Parties
`
`
`
`39.
`
`From the time that Apple first introduced FaceTime (June 2010) and iMessage
`
`(October 2011) on the iPhone, a significant security flaw existed in the iOS software, allowing
`
`iMessage correspondence and FaceTime calls to be improperly accessed by third parties.
`
`40.
`
`Specifically, when an iPhone user ceased using a SIM card and the phone number
`
`associated with that SIM card was subsequently recycled by a wireless network carrier such as
`
`T-Mobile, the previous owner of the SIM card associated with that phone number would still be
`
`able to receive iMessages and FaceTime calls on his or her iPhone that were intended to be
`
`received by the new owner of that phone number. This was due to the fact that the Apple ID
`
`associated with iMessage and FaceTime had a legacy connection to the phone number of the
`
`recycled SIM card.
`
`41.
`
`In other words, because of the legacy connection, iMessage correspondence and
`
`FaceTime calls directed to the new owner of a phone number would lead to the iMessage
`
`correspondence or FaceTime call being unknowingly and improperly misdirected to the prior
`
`owner of the phone number because of its previous association with the SIM card.
`
`42.
`
`As such, during the Class Period, all iPhones were capable of receiving, and
`
`routinely did receive, incoming iMessage correspondence and FaceTime calls that were intended
`
`for another iPhone user.
`
`43.
`
`Similarly, during the Class Period, all outgoing iMessage correspondence and
`
`FaceTime calls were capable of being unknowingly misdirected to an unintended iPhone user.
`
`44.
`
`In fact, the only method by which the unintended and improper disclosure of
`
`iPhone users’ iMessage correspondence and FaceTime calls could be prevented during the time
`
`period in question was the forced disassociation of an Apple ID by the previous owners of the
`
`phone numbers associated with the recycled SIM cards, which neither Apple nor T-Mobile ever
`
`voluntarily disclosed to consumers.
`
`45.
`
`Rather, during the time period in question, Apple knowingly allowed multiple
`
`unrelated Apple IDs of consumers that had purchased iPhones to coexist and to be associated
`
`with the same phone number, while T-Mobile compounded the problem by engaging in the
`
`deceptive SIM card practices, as alleged supra.
`
`46.
`
`Indeed, during this time, if an iPhone user was to take another iPhone user’s SIM
`
`card out of his or her iPhone, put it inside their iPhone, and subsequently return the SIM card to
`
`the first user’s iPhone, both iPhone users would receive iMessage correspondence and FaceTime
`
`calls directed to the phone number of the first user of the SIM card, because of the automatic
`
`association with the Apple ID.
`
`F.
`
`The First Known Victims
`
`
`
`47.
`
`The first known victims of the data security breach described herein occurred in
`
`2011 when users’ iPhones were stolen or resold.
`
`
`
`48.
`
`The issue arose again in February 2012 when Sam Biddle, an employee of an
`
`Apple Store, had his personal messages duplicated on the iPhone of an unknown person.
`
`49.
`
`Apple did not conduct an internal investigation of the results of events that
`
`occurred with Sam Biddle in 2012. If there were conclusions about what happened, they would
`
`be subject to publication, since the security breaches affected an indefinite number of users.
`
`50.
`
`In 2011, Ars Technica reported that, although iPhone owners would rightfully
`
`assume that their messages were secure, in reality, “thieves and unsuspecting buyers [were] still
`
`able to send and receive iMessages as the original owner – even after the device is registered
`
`under a new account. Almost nothing seems to work – remote wiping, changing Apple ID
`
`passwords, or even moving the old phone number to a new phone—and users are becoming more
`
`than frustrated that thieves are so easily able to pose as them.” The article made reference to
`
`several iPhone users that had their communications misdirected despite several attempts to cure
`
`the problem themselves.
`
`51.
`
`iOS security expert Jonathan Zdziarski stated the following regarding this issue:
`
`“iMessage registers with the subscriber's phone number from the SIM, so let's say you restore the
`
`phone, it will still read the phone number from the SIM. I suppose if you change the SIM out
`
`after the phone has been configured, the old number might be cached somewhere either on the
`
`phone or on Apple’s servers with the UDID of the phone.”
`
`52.
`
`As such, it is clear that Apple allows its services to pull old phone numbers, even
`
`after a SIM card is removed or deactivated.
`
`G.
`
`Named Plaintiffs’ Claims
`
`53.
`
`Named Plaintiffs were exposed to Apple’s extensive public marketing and
`
`advertising campaigns, wherein Apple represented that its iPhones were secure and protected
`
`users’ data privacy and confidential information from unintended disclosure to third parties, and
`
`Named Plaintiffs purchased an iPhone 6s (Ohanian) and an iPhone 6 plus (Lopez) on that basis.
`
`54.
`
`During the Class Period, Ohanian paid a premium price to purchase the iPhone 6s.
`
`55.
`
`During the Class Period, Ohanian was on vacation in New York City, where he
`
`paid a premium price to purchase a new SIM card from a T-Mobile store in Manhattan, New
`
`York.
`
`56.
`
`The SIM card that Ohanian purchased from T-Mobile (the “Ohanian SIM Card”)
`
`provided him with a phone number for use in his iPhone, and further, gave Ohanian access to T-
`
`Mobile’s wireless network in order to utilize the iMessage and FaceTime features of the iPhone.
`
`57.
`
`Ohanian inserted the Ohanian SIM Card into his iPhone, activated it, and it
`
`automatically linked to his Apple ID.
`
`58.
`
`Ohanian used that particular phone number during the Class Period for
`
`approximately one year.
`
`59.
`
`During the Class Period, Lopez paid a premium price to purchase an iPhone 6
`
`plus at the Apple Store in Queens, New York.
`
`60.
`
`During the Class Period, Lopez switched wireless carrier accounts and obtained a
`
`new T-Mobile account.
`
`61.
`
`In connection therewith, Lopez purchased, and T-Mobile installed, a new SIM
`
`card in Lopez’s iPhone, which provided him with a new phone number (the “Affected Number”).
`
`62.
`
`Lopez’s iPhone then automatically associated his Apple Account and thus, his
`
`iMessage and FaceTime, with the Affected Number.
`
`63.
`
`Unbeknownst to Lopez, the Affected Number was the same number that T-
`
`Mobile had previously provided to Ohanian with the Ohanian SIM Card.
`
`64.
`
`Even though the Ohanian SIM Card was deactivated and not even still inserted
`
`into Ohanian’s iPhone, Ohanian began receiving extensive amounts of unwanted
`
`communications on his iPhone 6s via iMessage and FaceTime, which appeared to be addressed
`
`to an unknown new owner of the Affected Number.
`
`65.
`
`These communications, which were from total strangers, included various media
`
`content. Specifically, during the Class Period, Ohanian received more than 100 iMessages and
`
`FaceTime calls which included, inter alia, private photographs (including those of young
`
`children) and communications that clearly were directed not to Ohanian, but instead were
`
`directed to the unknown new owner of the Affected Number that Ohanian previously had utilized
`
`in connection with the Ohanian SIM Card.
`
`66.
`
`Due to the sensitive nature of the various media content that Ohanian had
`
`received on his iPhone, Ohanian attempted to address the issue with Apple.
`
`67.
`
`During the Class Period, Ohanian wrote both to an Apple Store employee and to
`
`Apple CEO Tim Cook with a request to investigate what had occurred.
`
`68.
`
`Thereafter, and during the Class Period, Ohanian sent the same request to the
`
`Apple Privacy team.
`
`69.
`
`An Apple Privacy employee subsequently advised Ohanian that he should merely
`
`delete the phone number and SIM card that he was not using, despite the fact that the SIM card
`
`was already blocked, and the fact that the proposed solution would do nothing to resolve the
`
`wide-scale problem of unintended and improper disclosures of iPhone users’ iMessage
`
`correspondence and FaceTime calls to third parties through the security flaw in the iOS software
`
`utilized in the iPhone.
`
`70.
`
`Named Plaintiffs subsequently determined that the private communications that
`
`Ohanian improperly received on his iPhone during the time period in question had been directed
`
`and meant for Lopez.
`
`71.
`
`In sum, after the Ohanian SIM Card was blocked, Lopez had purchased a SIM
`
`card from T-Mobile that had been assigned the Affected Number, which T-Mobile had recycled
`
`from the number on the Ohanian SIM Card.
`
`72.
`
`Once Lopez activated the SIM card in his new iPhone, Apple services became
`
`associated with the Affected Number, but Ohanian’s old phone number from the Ohanian SIM
`
`Card was still linked to Ohanian’s Apple ID. As such, all iMessage correspondence and
`
`FaceTime calls intended for, and directed to, the new user of the Affected Number – Lopez –
`
`were instead received by Ohanian on his iPhone.
`
`73.
`
`Apple never notified Named Plaintiffs – or any other members of the putative
`
`class – that they needed to manually disassociate old phone numbers utilized on iPhones from
`
`their Apple accounts to prevent those iPhone accounts from receiving unwanted (and potentially
`
`harmful) iMessage correspondence and FaceTime calls when those phone numbers are recycled
`
`by wireless network carriers, such as T-Mobile.
`
`74.
`
`Further, Named Plaintiffs were severely damaged by Defendants’ conduct.
`
`75.
`
`Specifically, Ohanian suffered, inter alia, significant and irreparable emotional
`
`and marital distress because he was unable to explain to his wife why he was receiving the
`
`content on his iPhone – including pictures of young children – which clearly appeared to be
`
`coming from a woman (who was not Ohanian’s wife).
`
`76.
`
`Similarly, Lopez suffered, inter alia, significant and irreparable damages,
`
`including emotional distress, because he did not receive, inter alia, the pictures of his child,
`
`which he can no longer obtain because the relationship between him and the child’s mother has
`
`terminated. Lopez can never get those pictures or memories back.
`
`H.
`
`Apple’s Knowledge and Deliberate Concealment of Security Breaches
`
`77.
`
`Contrary to Apple’s repeated assurances to the public about the variety of
`
`extensive measures it had implemented to protect the privacy rights of consumers that purchased
`
`Apple iPhones and utilized iMessage and FaceTime – by way of various advertisements and
`
`marketing campaigns touting such features of its iPhones as discussed supra – Apple had been
`
`aware of the problem in its iOS software allowing iPhone users’ communications to be
`
`improperly disclosed to third parties dating back to at least 2012.
`
`78.
`
`In order to remedy the problem of iPhone users’ communications being
`
`improperly disclosed to third parties, Apple never rewrote its code, nor did Apple advise
`
`consumers to manually disassociate their Apple IDs from the recycled SIM Cards.
`
`79.
`
`Instead, with the release of iOS 12 on or about September 17, 2018, Apple finally
`
`introduced mandatory multifactor authentication, which is a method by which an iPhone user can
`
`only be granted access to an iPhone by successfully presenting two or more factors in order to
`
`confirm his or her identity. Such factors may include a piece of information only the user would
`
`know or a password.
`
`80.
`
`Despite the foregoing, Apple never informed consumers and iPhone users –
`
`including Named Plaintiffs and members of the putative class – about the fact that, based on a
`
`security