Democrats pen letter to Tim Cook seeking answers on FaceTime eavesdropping bug

The US House of Representatives Energy and Commerce Committee has today penned a letter to Apple CEO Tim Cook with a list of questions about the FaceTime eavesdropping bug. The letter is signed by Energy and Commerce Chairman Frank Pallone, Jr. and Consumer Protection and Commerce Subcommittee Chairwoman Jan Schakowsky.

In the letter, the committee says it is “deeply troubled” about the bug, as well as how long it took Apple to address the issue.

The letter, addressed to Cook himself, questions Apple’s response to the FaceTime bug. Apple was notified by 14-year-old Grant Thompson a week before the security hole was publicized. The Energy and Commerce Committee wants to know more:

We are deeply troubled by the recent press reports about how long it took for Apple to address a significant privacy violation identified by Grant Thompson, a 14-year-old in its Group FaceTime feature. As such, we are writing to better understand when Apple first learned of this security flaw, the extent to which the flaw has compromised consumers’ privacy, and whether there are other undisclosed bugs that currently exist and have not been addressed.

The letter outlines six specific questions, including details about when Apple first identified the vulnerability and whether or not other users reported the issue in addition to Thompson.

Further, the committee seeks details about what testing Apple puts features through before making them publicly available, as well as why that testing failed to identify this Group FaceTime vulnerability. Cook is also asked whether there are “other vulnerabilities in Apple devices and applications” that could provide unauthorized access to microphones and cameras.

Here are the questions to which the House Energy and Commerce Committee would like Cook to respond:

1. When did your company first identify the Group FaceTime vulnerability that enabled individuals to access the camera and microphone of devices before accepting a FaceTime call?  Did your company identify the vulnerability before being notified by Mr. Thompson’s mother?  Did any other customer notify Apple of the vulnerability?
2. Please provide a timeline of exactly what steps were taken and when they were taken to address the vulnerability after it was initially identified.
3. What procedures and testing were in place, and what procedures are now in place, to identify such vulnerabilities prior to the release of a consumer product? Why did those procedures fail in this case? What steps are being taken to improve pre-launch testing in the future.
4. Why did it take so long for Apple to address the Group FaceTime feature vulnerability once it was discovered and reported to Apple by Mr. Thompson’s mother?
5. What steps are being taken to identify which FaceTime users’ privacy interests were violated using the vulnerability?  Does Apple intend to notify and compensate those consumers for the violation?  When will Apple provide notification to affected consumers?
6. Are there other vulnerabilities in Apple devices and applications that currently or potentially could result in unauthorized access to microphones and/or cameras?

This isn’t the first time Cook has faced scrutiny from the Energy and Commerce Committee. Last summer, the committee sent a list of questions to Cook regarding iOS location features and “Hey Siri.” Last January, lawmakers questioned Cook about iPhone throttling and exploding batteries.

Chairs of the House Energy and Commerce Committee are seeking a response from Cook by February 19th, 2019. Generally, Apple representatives respond to the questions on behalf of Cook. Read the full letter here.