
Siding with Apple, a federal judge has dismissed a class-action complaint accusing the company of using supposedly “coercive” cybersecurity practices.
The dispute centers on two-factor authentication -- a security technique aimed at blocking hackers and others from accessing devices without the owners' consent. The procedure typically requires that users enter at least two codes to access their device -- their password, and a separate verification code sent to another device owned by the same user.
Apple customer Jay Brodsky, who says he owns an iPhone and two MacBooks, complained in an action brought in February that Apple's September 2015 software update enabled two-factor authentication.
Three other Apple users joined the lawsuit as potential class representatives in March, and filed an amended complaint at that time. Brodsky and the others alleged that Apple “forces” them to use two-factor authentication that “requires additional login steps” every time they turn on their computers.
They contended that the login process is “cumbersome and delay-ridden,” sometimes leaving them unable to access their devices for between two and five minutes.
The lawsuit's host of claims included that Apple violated an anti-hacking law and privacy laws.
Apple argued in court papers that the case should be dismissed for several reasons, including that the users hadn't shown how they may have been injured by the security practices. The company also argued that its cybersecurity practice, which aimed to protect users' data, was lawful.
U.S. District Court Judge Lucy Koh in San Jose, California, threw out the complaint on Friday. She gave several reasons for her decision, including that Brodsky and the others didn't show how they were injured by the security practices.
“In the instant case, a delay of 2-5 minutes does not impair the functioning of plaintiffs’ Apple devices,” Koh wrote. She added that the complaint doesn't allege that two-factor authentication prevents people from logging in after a delay, or that the delay damages devices.
Apple also disputed that it turned on two-factor authentication without consent, arguing that Brodsky and the others acknowledged in the complaint that they enabled the security feature.
Koh noted in her ruling that Brodsky and the others' “bald assertions” that they didn't consent to two-factor authentication amounted only to conclusions, as opposed to the type of factual allegations that would support a lawsuit.
The dismissal was “without prejudice,” meaning that Brodsky and the others can beef up their allegations and try again within 30 days.