Apple Agrees to FTC Terms Over In-App Purchases With $32 Million Settlement

[Renzatic]

Nice analogy, you "forgot" to mention the part where you take the ATM with you and hand it to someone else. But... nice try anyway.

Actually it's more like you're sitting around one day, and 'lil toeheaded Timy comes up to you with his iPad and asks you to buy a game for him. It looks innocent enough. Just a bunch of singing animals you collect and raise, sorta like Pokemon. And hey, it's free. So you enter your password, download the app, then hand the iPad back to the kid. You think the password is enough, so you're not too worried about much of anything.

...completely unaware that after 5 minutes of playing, 'lil Timmy sees a pop up in his game saying he can get extra coins to buy more monsters if he presses here. Not thinking about anything besides getting more cool monsters to play with, Timmy starts hammering the buy button to get those coins. One month later, you've got an extra $300 charge on your credit card bill.

Then the state comes to take away 'lil Timmy, because a bunch of people on the internet are saying you're a terrible parent. Shouldn't have spared the rod, man. This is what happens when you don't pay enough attention to everything your kid does. Now 'lil Timmy is destined to a life of hardcore drugs and cheap, loose women because YOU. DIDN'T. CARE. ENOUGH.

 

[Crzyrio]

It's one smaller inconvenience to answer a greater one. I'm pretty sure a parent with a spend-crazy kid would rather endure the occasional in-app password prompt than deal with an extra $600 worth of charges on their credit card.

As a parent it is also your responsibility to take care of your phone and credit card and not depend on apple. It is not like the phones are being stolen and then being used for in app purchases, you are giving the phone to your kid and know of all that could happen.

It honestly takes less than 2 mins to disable in-app purchases. If you don't know, a simply google search and you will find it in the first link.

 

[thekev]

Nice analogy, you "forgot" to mention the part where you take the ATM with you and hand it to someone else. But... nice try anyway.

This doesn't seem like a good analogy. In the case of IAPs here the primary method of gating payment authorization is implicit within a 15 minute window. If it wasn't default behavior, it would be different, as the user would have to directly acknowledge that they wanted the functionality. The other silly thing that comes up is outrage to parents who desire a reverse transaction. While game companies have to make money, they do not have to deal with the inspection or limitations imposed upon returned product when the entire product is intangible and not something that would be easily identified from across the room. Their child isn't holding anything other than the device that was handed to them.

I think there is also far too much assumption that all of these parents follow the technology and familiarize themselves with the full functionality of these devices. Most of them are more likely to just be typical consumers.

 

[Renzatic]

As a parent it is also your responsibility to take care of your phone and credit card and not depend on apple. It is not like the phones are being stolen and then being used for in app purchases, you are giving the phone to your kid and know of all that could happen.

It honestly takes less than 2 mins to disable in-app purchases. If you don't know, a simply google search and you will find it in the first link.

I think thekev summed it up quite well...

I think there is also far too much assumption that all of these parents follow the technology and familiarize themselves with the full functionality of these devices. Most of them are more likely to just be typical consumers.

Or to put it another way, it's hard to account for something you don't know exists until it's too late to do anything about it. Everyone makes mistakes. Apparently a lot of people made this one...

 

[dec.]

Actually it's more like you're sitting around one day, and 'lil toeheaded Timy comes up to you with his iPad and asks you to buy a game for him. It looks innocent enough. Just a bunch of singing animals you collect and raise, sorta like Pokemon. And hey, it's free. So you enter your password, download the app, then hand the iPad back to the kid. You think the password is enough, so you're not too worried about much of anything.

...completely unaware that after 5 minutes of playing, 'lil Timmy sees a pop up in his game saying he can get extra coins to buy more monsters if he presses here. Not thinking about anything besides getting more cool monsters to play with, Timmy starts hammering the buy button to get those coins. One month later, you've got an extra $300 charge on your credit card bill.

Then the state comes to take away 'lil Timmy, because a bunch of people on the internet are saying you're a terrible parent. Shouldn't have spared the rod, man. This is what happens when you don't pay enough attention to everything your kid does. Now 'lil Timmy is destined to a life of hardcore drugs and cheap, loose women because YOU. DIDN'T. CARE. ENOUGH.

So you agree that kdarlings "analogy" was less accurate?

To be clear: I do think that the 15 minute window is a huge flaw in the system, not only because of the IAPs but also because of the possibility of spending more money on apps themselves in the app store. I'm not the most articulate and knowledgable when it comes to legal terms, so I apologize for sounding slightly "simple", but imho it's like "I enter my password to acknowledge the contract and buy this app, why would this open up a 15 minute window for acknowledging any futher contracts untouched by the initial purchase by default without any further confirmation", or something like that.

And obviously it's necessary to implement another hurdle as kids just are kids and don't care what their parents say about IAPs.

Also, I'd offer some training courses for adults as it seems to be common sense that people do not know enough about the functionality of their devices.

 

[Renzatic]

So you agree that kdarlings "analogy" was less accurate?

kdarling's analogy is like a Nissan...

To be clear: I do think that the 15 minute window is a huge flaw in the system, not only because of the IAPs but also because of the possibility of spending more money on apps themselves in the app store. I'm not the most articulate and knowledgable when it comes to legal terms, so I apologize for sounding slightly "simple", but imho it's like "I enter my password to acknowledge the contract and buy this app, why would this open up a 15 minute window for acknowledging any futher contracts untouched by the initial purchase by default without any further confirmation", or something like that.

And obviously it's necessary to implement another hurdle as kids just are kids and don't care what their parents say about IAPs.

I wouldn't say it's a huge flaw, so much as it's a little too broad. If the 15 minute buying window only applied to the app store, that'd be fine. But applying to apps you have sitting on your home screen? No one's gonna intuitively account for that, not unless they've had previous experience with it.

...and unfortunately, most people's previous experiences with it are from their kids buying hundreds of dollars of IAPs.

It needs to be an opt-in setup. Not one you have to dig through the settings menu to opt out of. You want the convenience, you turn it on yourself. Problem solved.

 

[sseaton1971]

I hadn't thought of it that way, that's a real flaw and something Apple should look into. Even if it just means having a switch on your account or in settings which makes the App Store require a password for every purchase.

You mean like in Settings > General > Restrictions? Go to the Allowed Content section and set Require Password to Immediately (instead of 15 minutes).

I must admit that this seems a little buried, but it is a restriction... so, Restrictions is a logical place for the setting.

 

[thekev]

Or to put it another way, it's hard to account for something you don't know exists until it's too late to do anything about it. Everyone makes mistakes. Apparently a lot of people made this one...

My issue is basically one of "implicit" credit card authorization as default behavior, especially when there isn't an established convention. The best examples I could give would be utilities that are billed by consumption. There is an established convention of this, and you agreed to it in order to obtain service. I can't find a really good parallel to this one. It's more of people trying to jam random free-form shapes into square holes.

You mean like in Settings > General > Restrictions? Go to the Allowed Content section and set Require Password to Immediately (instead of 15 minutes).

I must admit that this seems a little buried, but it is a restriction... so, Restrictions is a logical place for the setting.

Concerning payments I would call it prudent to have that set as default behavior.

 

[Renzatic]

My issue is basically one of "implicit" credit card authorization as default behavior, especially when there isn't an established convention. The best examples I could give would be utilities that are billed by consumption. There is an established convention of this, and you agreed to it in order to obtain service. I can't find a really good parallel to this one. It's more of people trying to jam random free-form shapes into square holes.

At its most basic, the biggest problem is that Apple didn't do enough to inform people exactly how their transaction setup works. For instance, I didn't know Apple only needed your password once every 15 minutes until I bought two apps within a short time of each other. Before that, I thought it'd prompt for my credentials for every purchase I wanted to make. And I knew absolutely nothing about purchasing through apps outside the App Store falling under the same 15 minute rule. Not until I started reading about people being charged for IAPs their kids rang up.

It's not something you feel the need to learn more about. It's so straightforward and simple, set up exactly like the thousand other digital storefronts you've used a thousand times before, you don't expect it to have exceptions and extra features. You don't know about them until you stumble upon them yourself.

When it comes to making transactions with your credit card, the last thing you want is a bit of built in serendipity.

 

[LuigiWeegee]

For me it was simple. Do not link a card to your ID. If I want to purchase something from iTunes or the App Store, then I purchase gift cards in the closest amount I require to make that purchase. Then there is no chance of funds being spent without my knowledge.

Everyone should listen to this. It's a good idea in general to use gift cards.

----------

I think thekev summed it up quite well...



Or to put it another way, it's hard to account for something you don't know exists until it's too late to do anything about it. Everyone makes mistakes. Apparently a lot of people made this one...

It should be common sense that you shouldn't give your kid control over any account in which you've entrusted your credit card information. It's sad that anyone besides the parents has to pay for that. It's like the rest of America. Bang your head on a wall, sue the guy who owns the wall.

EDIT: Actually, I've run into an app that charges you for IAPs without ever telling you explicitly! It just asks for your password at some point. Now that's BS. And there ought to be a limit on the price of an IAP. Who would ever spend $50 on Fruit Ninja power ups?! Those things are obviously there to profit from someone messing up and nothing else.

----------

Somewhere I blame android for this IAP ****... The piracy on android gave birth to this model...

I crack the IAPs on my iPhone too. Paying real money for Temple Run gems? Heck no. It would probably be a good idea to crack the IAPs on a child's iPod touch just in case

 

[globalist]

It needs to be an opt-in setup. Not one you have to dig through the settings menu to opt out of. You want the convenience, you turn it on yourself. Problem solved.

Exactly.

But rest assured, Tim Cook is claiming that Apple have since implemented "improvements and additional steps" to remedy this faulty setup. Too bad he never specifies what those improvements might be. What a typical corporate hack:

We heard from some customers with children that it was too easy to make in-app purchases, so we moved quickly to make improvements. We even created additional steps in the purchasing process, because these steps are so helpful to parents.

 

[downpour]

Apple makes in-app purchases more than clear. It says that a game contains in-app purchases on the game's download page in the app-store, it's not like the name is ambiguous. Even if they didn't do this, it should be pretty obvious that if you are entering your credit card details and associating them with a password, then using that password will allow you, or your child, to make a purchase. SO DON'T GIVE THE PASSWORD TO YOUR CHILD.

Even if the parent setting up the IOS device can't read what it says on the screen, they should have heard about IAP's by now, it's been all over the news and the internet a number of times, for several years now.

Taking away IAPs for the sake a few people who are too lazy to read about the expensive device they just purchased, while giving away their credit card details without a moments thought, would hurt the rest of us who behave responsibly.

IAPs are the reason we can enjoy so many excellent games and apps for free. I personally don't want that to change.

 

[bcnmac]

Easy solution but it'll never happen

I lurk quite a bit, but I have to comment. I'm more literate than the average user and it is not clear that purchases are authorized for a 15 min window.

By default every purchase should require a password and this can be something a user can opt out of.

I have all the parental controls set up on my ipad, but not on my phone. I've seen the continuous popups on games my kids play, which fortunately don't cause issues because of the password prompt.

There is no way my parents or the in-laws would have found this. They have consumer devices that "just work".

But this is my feeling about a lot of technology/services. Privacy settings in Facebook and Google, signing up for any website. Those should be limited by default and let the user choose what he/she wants to share.

I'm privileged to have the means and knowledge to inform myself and those around me. There is a great deal more which I am ignorant about and I luckily have people to inform me. Compared to the millions of IOS users I would guess that I'm in the minority.

 

[Winni]

Why? This is the parents responsibility. How many more flags will Apple be forced to place before the experience of using the Apps becomes frustrating. What about the competitors in-app store? Where is the FTC for those companies? Hello???

You are right, the parents are ALSO responsible - they should not give their kids iToys with unrestricted user accounts.

But Apple has to be held responsible as well. If Apple implemented restricted user accounts and "nanny" features - as e.g. Windows has them - then there would be a simple technical solution for this problem and kids would only have controlled access to the Internet.

Until now, Apple simply didn't care about any of this because it washed money into its wallet. So much for "moral".

 

[downpour]

"...then there would be a simple technical solution for this problem and kids would only have controlled access to the Internet".

You can already control kids access to the internet on iOS, just enable restrictions on Safari. It's also trivial to turn off in-app purchases, it only takes a few seconds to do.

 

[Shivetya]

Parents should be more involved with their kids and know what they are giving them access to on devices.

Apple should have disclosed the fact that there was a fifteen minute window where restrictions were not active too.

 

[thisi]

Is it not common sense to understand the issue before commenting?

The whole problem was that...

THE PASSWORD WAS _NOT_ NEEDED TO MAKE THE PURCHASES.

.
It's as if you had withdrawn money from an ATM, finished your business, left, and yet the ATM continued to give out money from your account for the next quarter hour to anyone who pushed the withdrawal button... no PIN needed.

You don't understand the issue either. It wasn't the atm giving free money away, it was you irresponsibly giving your atm card to someone with your PIN and then getting upset that they used it.

 

[Zimmy68]

You don't understand the issue either. It wasn't the atm giving free money away, it was you irresponsibly giving your atm card to someone with your PIN and then getting upset that they used it.

Nope, more like walking away from the ATM and your kid is there, and the ATM has a big button that says press this for free cookies, then proceeds to empty your account out.


Your analogy doesn't work, I never gave my kid my "PIN" number.

The restriction is there, true, but it should be turned on by default. I switch out phones and ipads every year.

I like the 15 minute windows, heck I hate that Apple makes me use a password (instead of Touch ID) after I boot my phone.

IAP, where the potential of this type of attack is huge, should always be password locked. At least give me a threshold, $5?

 

[samcraig]

That's what parental controls are for. That's why parents should check into stuff before buying kids stuff like this. At the end of the day, they're the one responsible for their kids, not Apple. It's ridiculous.

So let me ask you - why does Apple curate their store to avoid malicious apps (well they do the best they can) and/or porn and/or ones that don't adhere to API rules.

After all - you should know what you're downloading at all times and you're responsible for you device, right? Why is it Apple's fault that you downloaded an app and used it.

/end sarcasm

Apple's responsible because they had a 15 minute window where it was a free-for-all. And it was set as a default.

Now you might know where every single setting is and how to use it - but can you really say that the majority of people (given that the iPhone has no user manual that comes with device - and one would need to actively search for this setting) would know how to do it out of the box?

By clear definition of the word - some parents were ignorant to this happening. That's very different from being stupid, neglectful, and other words being stated in this thread.

 

[Luis Ortega]

What a load of self-serving twaddle from Cook.
Apple is way behind others in the steps it takes to protect children from crappy apps. His memo is a dishonest crock.

 

[zaphon]

I thought this article summed it up nicely. http://www.technewsworld.com/story/...-or-Tim-Cooks-Latest-Crock-of-Bull-79800.html

 

[kdarling]

It seems much more sensible to always require password for IAP per default. The fact that a 15 minute window exists where anything goes is not something a reasonable consumer can be expected to know.

Exactly what the FTC thought.

"Under the terms of the settlement with the FTC, Apple also will be required to change its billing practices to ensure that it has obtained express, informed consent from consumers before charging them for items sold in mobile apps."- FTC

EDIT: Actually, I've run into an app that charges you for IAPs without ever telling you explicitly! It just asks for your password at some point. Now that's BS.

Yep, the FTC pointed that out as well:

"The complaint alleges that Apple does not inform account holders that entering their password will open a 15-minute window in which children can incur unlimited charges with no further action from the account holder.

In addition, according to the complaint, Apple has often presented a screen with a prompt for a parent to enter his or her password in a kids’ app without explaining to the account holder that password entry would finalize any purchase at all." - FTC

And there ought to be a limit on the price of an IAP. Who would ever spend $50 on Fruit Ninja power ups?! Those things are obviously there to profit from someone messing up and nothing else.

While they are at it, ban ads from children's games. A kid can't tell the difference between an ad and a game element. Smells highly unethical to me.

Indeed. The developers of these games should also be put under FTC observation.

In the meantime, Apple has set itself up as the final authority and gatekeeper of the morality and safety and payments of the apps in its store. They therefore have the final responsibility.

 

[xxmrcxx]

It would be cool if they could use the TouchID to verify IAP.

 

[groovyd]

pass the blame game

ultimately parents need to be responsible for what they put in their child's hands and what they do with it. Apple does provide controls for restricting use on their devices and it is up to the parents to learn about those features and enable them or not. Unfortunately passing the blame game is all too common anymore which only serves as an education for your kids to do the same. man up and parent your kids properly instead of blaming others for your problems.

 

[TsunamiTheClown]

I've been noticing a drastic rise in the US Government's litigation with large firms doing business in the US. It seems like every week there is a headline on some firms getting slapped with huge "fines" by the relevant government agency or even multiple agencies.

I sure hope that ridiculous "settlements" like what Apple is begrudgingly agreeing to are somehow offsetting their tax bill.