Right to Repair

Apple, Insurance, and Stolen Photos: The “Authorized Service” Scandal

Sign indicating Apple Authorized Service provider's business hours, in German.

This post was written by Paul F Roberts, founder of Securepairs.org and author of the Fight to Repair Newsletter. It is republished here with his permission.

A dispute over insurance led to the revelation that Apple agreed to pay a multi-million settlement to an Oregon woman after employees at Pegatron, an Apple authorized repair provider, lifted compromising photos from her iPhone and posted them to Facebook.

Stolen images

As first reported by The Telegraph, Apple settled with the 21 year-old Oregon college student after the authorized repair technicians posted explicit photos and videos from her phone to Facebook, resulting in “severe emotional distress” to the young woman, who is only identified as “Jane Doe” in the legal documents.

The five year-old incident came to light only after Apple was named as the organization referred to only as the “Customer” named in the legal proceedings as part of an unrelated lawsuit against the Cupertino, California electronics giant. Apple subsequently confirmed the incident to The Telegraph.

The case undermines a key argument the company makes against proposed state right to repair laws: that Apple’s authorized service providers are more trustworthy than independent cell phone and electronics repair shops. That is an especially potent claim in regard to the handling sensitive personal information stored on electronics devices like phones and tablets.

But, as it turns out, it’s an empty claim. Legal filings viewed by Fight to Repair suggest the breach happened at a Pegatron facility in Elk Grove, California, a suburb of Sacramento after the woman known as “Jane Doe” shipped the phone to PTSI’s repair facility on January 12, 2016. “Shortly thereafter, friends informed her of the sexually explicit images on her Facebook page,” the document reads. “The manner in which the images were uploaded suggested that Jane Doe had uploaded the images herself, casting Jane Doe in the falsest of light, and causing her severe emotional distress.”

The fix that launched a thousand lawsuits

While the amount of Apple’s settlement is redacted from the filings, they note that the woman initially requested a payment of $5 million in damages – a request that “the Customer” (aka Apple) refused to agree to. The court documents note that mediated negotiations between the “Customer” and the woman failed to agreed upon an amount. The final settlement, arrived at by a mediator in February 2016, still totaled “millions of dollars,” The Telegraph reported.

It was that settlement and the need to reimburse Apple for it that launched a volley of lawsuits. First, Apple turned to Pegatron to reimburse it for the amount of the settlement. Pegatron its subsidiary, Pegatron Technology Service Inc. (PTSI) referred the matter to its insurers, including American Guarantee & Liability Insurance (AGLI), to indemnify it under a General Commercial Liability policy it had with the firm for up to $1 million in coverage. AGLI and another insurer, Zurich American Insurance, balked, leading to the litigation. In 2019, the case expanded from California to Oregon, where AGLI and Zurich American Insurance sought to compel testimony from the victim, Jane Doe in the matter.

Apple Authorized Repair: Not a pretty picture

Section of a legal filing, explaining why Apple’s identity as “Customer” was concealed.

While the legal wrangling over the terms of liability coverage isn’t really that relevant. What is clear in the filings is that Apple was desperate to keep the matter under wraps and its name out of the headlines on this. The company entered into arbitration to settle the matter within weeks and reached a settlement with Jane Doe in a matter of months. According to filings, Apple produced thousands of pages of internal documents in response to discovery requests by the litigants, but took steps, at each turn, to make sure its name and those of its executives and employees did not appear in the public record.

While protecting the name of the victim of such a salacious crime is to be expected, it is unclear why Apple went through such extraordinary means to wipe its name from a lawsuit that did not concern any wrongdoing by Apple itself.

My contractor’s contractor’s contractor

The answer, of course, is that the case shines a spotlight on the little known world of Apple authorized repair. And the picture that emerges isn’t a pretty one. As an argument against proposed right to repair laws, Apple and other technology vendors have long touted their “authorized” repair offerings to lawmakers as superior in every way to independent providers. Typically, these arguments assert that authorized repair technicians are preferred over independent repair shops because their technicians are better trained and – importantly – more trustworthy than independent repair shops. In fact, authorized repair providers and lobbyists for the technology industry speak darkly about the danger of independent repair professionals stealing photos and other sensitive data from devices sent to them for service.

Neither Apple nor other technology vendors go on at length about how their actual authorized repair service operates. You could be forgiven, however, for imagining it is a closely held function with ample oversight by the manufacturer to protect customer data and ensure the quality of repairs.

The image that emerges from the court documents between Pegatron and its insurers is anything but that. In this case, an Apple customer with a broken iPhone reported it to Apple, who instructed her to send it to a company it subcontracts to for repair, Pegatron Technology Services Inc. (PTSI), a wholly owned, U.S. subsidiary of Pegatron Corporation of Taiwan. PTSI operated the repair facility in Elk Grove but, it turns out, used yet another firm, identified in the documents as a Third Party Vendor, to staff it with repair technicians. It was employees of that vendor who stole and posted Jane Doe’s photos and video.

This kind of arrangement isn’t unusual. In fact, large companies almost always outsource repair and servicing to third parties. But it is also not something they readily acknowledge when they’re arguing against right to repair laws. And for good reason. As it turns out: the incidence of misdeeds by employees at authorized service providers are actually pretty common – and certainly no less common than independent repair shops. In 2019, for example, an Apple Genius Bar employee was caught texting intimate photos of a customer to himself under the guise of helping her with a repair. The same thing happened in 2016 at an Apple Store in Brisbane, Australia.

Water Alcorn of the Consumer Technology Association acknowledged that there is no data showing authorized repair is superior to- or more secure than independent repair at the 2019 FTC Nix the Fix event.

Also, there is lots of evidence that, far from emphasizing quality of service, OEMs work to spend as little as possible on authorized repair. Note the 2019 ICE raid on a Texas-based Samsung authorized repair provider CVE Technology that discovered undocumented workers performing authorized repair on Samsung devices.

In fact, when asked directly at the 2019 FTC Nix the Fix symposium whether there was any data to support industry’s contention that authorized repair is either higher quality or more secure than independent repair, Walter Alcorn of the Consumer Technology Association (CTA) admitted straight out that there was none. You can watch it here or by clicking the button below.

How this will play out in the ongoing battle in the states and Washington D.C. for a digital right to repair remains to be seen. Fear mongering about data privacy and stolen photos is certainly effective at dissuading legislators – but hardly the only argument repair opponents use. It is unclear if the new revelations about Apple’s authorized will change many minds. Stay tuned!

Subscribe to Paul Roberts’ weekly update on the Right to Repair battle at Fight to Repair.