Siding with Apple, a federal judge has dismissed a class-action complaint accusing the company of using supposedly “coercive” cybersecurity practices.
The dispute centers on two-factor authentication -- a security technique aimed at blocking hackers and others from accessing devices without the owners' consent. The procedure typically requires that users enter at least two codes to access their device -- their password, and a separate verification code sent to another device owned by the same user.
Apple customer Jay Brodsky, who says he owns an iPhone and two Macbooks, complained in an action brought in February that Apple's September 2015 software update enabled two-factor authentication.
Three other Apple users joined the lawsuit as potential class representatives in March, and filed an amended complaint at that time. Brodsky and the others alleged that Apple “forces” them to use two-factor authentication that “requires additional login steps” every time they turn on their computers.
They contended that the login process is “cumbersome and delay-ridden,” sometimes leaving them unable to access their devices for between two and five minutes.
The lawsuit's host of claims included that Apple violated an anti-hacking law and privacy laws.
Apple argued in court papers that the case should be dismissed for several reasons, including that the users hadn't shown how they may have been injured by the security practices. The company also argued that its cybersecurity practice, which aimed to protect users' data, was lawful.
U.S. District Court Judge Lucy Koh in San Jose, California threw out the complaint on Friday. She gave several reasons for her decision, including that Brodsky and the others didn't show how they were injured by the security practices.
“In the instant case, a delay of 2-5 minutes does not impair the functioning of plaintiffs’ Apple devices,” Koh wrote. She added that the complaint doesn't allege that two-factor authentication prevents people from logging in after a delay, or that the delay damages devices.
Koh noted in her ruling that Brodsky and the others' "bald assertions" that they didn't consent to two-factor authentication amounted only to conclusions, as opposed to the type of factual allegations that would support a lawsuit.
The dismissal was “without prejudice,” meaning that Brodsky and the others can beef up their allegations and try again within 30 days.