FTC Drops the Hammer On Maker of Location-Sharing Flashlight App
chicksdaddy writes "The Federal Trade Commission announced on Thursday that it settled with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges that the company used deceptive advertising to collect location and device information from Android owners. The FTC says the company failed to disclose wanton harvesting and sharing of customers' locations and mobile device identities with third parties. Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars. The application, which is available for free, displays mobile advertisements on the devices it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers, including what the FTC describes as 'precise geolocation along with persistent device identifiers.' As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."
But if the app doesn't know your location, how would it possibly know where to provide the light?
Whenever I need quick light I just go to an all white screen on my phone. Why would you ever need an app for this?
slip thier meant to say Users
The government has a lot of balls pointing fingers like that...
Four keywords: cyanogenmod with p-droid patch
If someone still says that Android's (or iOS I suppose) security model isn't completely broken...
Why can't the user choose to disable networking on a per-app level?
Who gives a flashlight app permissions to access location, internet, flash drive, etc?
When you installed it, didn't you look at the list of what it has access to? If I saw it wanting to get my location I would have stopped right there and not installed it. No flashlight app needs to know my location to work.
I think at this point, the default mode for most Android users is to just allow, as most apps have a laundry list of things they want access to. It's probably the second-least read message from an app install of all time (first being the EULA).
No, that is not wise. But people aren't always wise.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
No civil fines.
No criminal penalties.
No admission of guilt.
[Fuck Beta]
o0t!
This is just the tip of the dirty iceberg here. Thousands of apps do this and far worse for your privacy. Caveat Emptor
Hi, I'm a Silicone Valley entrepreneur. We use that data for this innovative app we have.
See, by getting your location, browsing and every other piece of personal information we can possibly get from your device, we can then push to your device information that you would be interested in. Of course, (1)some of this information would be products that you may be interested in buying from our partnered (2)certified suppliers.
And we absolutely will NOT share your information without your permission(3).
...
1. By "some" we mean all.
2. certification - they pay us and we pimp your data.
3. By using our app, you opt-in and there's no way to turn it off and we sell it to anyone who forks over the cash.
-Yours, your typical Silicone valley Lamoe company.
I switched to a Firefox phone.
I have an iPhone 5 and a Nexus 7.
When I download an app on the Nexus, I always feel an uneasiness as I look at all the access it wants to my contacts and other invasively unnecessary permissions. So each time I must make a decision to accept or reject using the app. I've rejected some that just seem overreaching, but I've become less strict over time... like I'm accepting to lose a battle. I assure myself, that my phone has all my real contacts, not my Nexus 7 and then begrudgingly accept the conditions. This is one reason I will not use an android phone and why I rarely download apps on android.
iOS, for those that don't know, will let me decline permissions to track my location or share my contacts on a per-app basis. Even if I enabled it before, I can go into the control center and disable it. I don't benefit from that aspect of the iOS app, but I'm fine with that. For all the control that Android is supposed to give the user, iOS shines here and I wish that is one thing that Android would copy.
1) Uninstall this app
2) Install F-Droid. Use that as your go-to source for apps.
3) Use a spyware-free flashlight app from there.
I'd heard Cyanogenmod was experimenting with a means to deny specific privs to an application rather than take the all-or-nothing approach of "You have to give me all this shit or you can't install it." That's a feature I'd really like to have for my Android phone.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Only the NSA may track every phone on the planet!
But in their defense, you at least got a free flashlight out of it and your tax money didn't have to pay for it, so...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Even if application permissions were granted individually and even if application developers wrote their code in such a way that the application would behave as normally as possible without them, what's there to stop them from sabotaging the application in another manner until it's granted the permission they want? For example, let's say an application requests location access, and until it's granted, it simply "decides" not to work. Another example, one that cannot be simulated, is network access. Rinse, wash, repeat.
Should have said "products".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
As someone that used to work with mobile security - this is a tiny minority that got caught. If you carry your mobile phone with you, then you have no reasonable expectation of privacy. Treat your smartphone as a combination of public WiFi and a court-assigned GPS tracking ankle bracelet.
What is the best/simple alternative? Thank you in advance.
flAshlight app. With an 'a'. Had me worried for a bit.
Part of my job involves inspecting outbound network connections from android apps. Practically every ad network is sending your coordinates or location anyways. It seems a bit weird the FTC cared that the app was doing the same when it already had ads on it...
Before you mod me funny, think, perhaps I was insightfully funny?
Isn't it just metadata?
Just the name of the app already triggers my warning bells. Poor grammar (why is "Free" in the app name, let alone at the end?!) and the "Brightest!" modifier (reminds me of all those countries with "People's" and "Democratic" in the names) make me suspicious. And this was in the Google store? Shame, Google.
Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
Does anyone have any experience with this? I'd love to have an app where I can spoof the GPS info sent to apps on a per app basis. I.E. tell everything except Maps, Yelp and Cerberus that I'm located in the NSA offices at Fort Meade. Not only would that get me a little more privacy, but also corrupt the data being collected by these shady app companies.
This settlement meant that the company had to do NOTHING other than to go forth and sin no more. They did not have to pay a single solitary dime, consent to long-term monitoring, or do anything really, beyond promising they would not continue to do something they unambiguously should never have been doing in the first place.
Yeah, that'll teach 'em!
When you install an app, Android tells you the permissions the app needs and asks you to confirm.
If you're dumb enough to not question why a flashlight app would need access to GPS and the internet, and you still install the app anyway, then you deserve all you get.
The government has a lot of balls pointing fingers like that...
Strange thing about the (US) government: it's friggin' huge, with millions upon millions of people working for hundreds, if not thousands, of departments, agencies, and bureaus. They don't all want the same things; sometimes, different departments and agencies want diametrically opposed things. Some of them are charged with spying on group A, some with protecting the privacy of group B, and vice versa.
(Many people would argue that this is a major problem. Other people would argue that this is by design. And some in the first group would argue that that is the real problem. At which point, some in the second group would allege that they, in fact, are the problem. After that, both groups just start arguing about the health care law.)
Great, the FCC told them not to do it. Let's just say that actually gets them to stop harvesting the data (hahahaha)... what about the data that's already been harvested? They've already stolen a valuable resource which they can continue to sell to 3rd parties.
For that matter, what about the data already in the hands of the 3rd parties? They can do whatever they want with it with impunity.
Maybe we need to hold 3rd party marketers liable, too. Pawn shops are on the hook if they buy stolen items. Let's make marketers pay the same way. Did you buy marketing data from a skeevy company, and that company just got fined? You get fined too, for at least the same amount. Or double. Just watch how quickly the industry starts policing itself, overnight.
UTF-8: There and Back Again
When I read the access request for any Android app, I end up declining. SD card, network, contacts, and location access, for a kitchen timer? No thanks. That's why I have no apps on my phone and why I miss my Startac.
And I just don't have the time to mess around with custom roms or rooting the phone.
:wq
I have a couple of calculator apps on the Android market. Obviously, a calculator has zero need for any of your personal data, and that's how much I collect -- zero.
I recently received an email from "Appayable.com". They provide me with a spyware module to add to my apps. The spyware module collects users' personal data and uploads it to Appayable.com. I get paid. Profit!
They say they only sell anonymized data, but I still thought it was a pretty reprehensible business model. I suspect it's pretty common practice, though.
The letter:
I noticed that RpnCalc Financial -- HP 12C has seen a growing number of downloads in recent weeks. I wanted to reach out and discuss how my company, Appayable, offers developers the opportunity to monetize their app without placing ads or impacting user experience
We pull the social profile of your users, anonymize the data, and identify the mobile device. Appayable's SDK does not take up screen real estate on your application, maintaining the great user experience, and providing more revenue for you. Plus, we do not rely on impressions - as we do not place ads within your app - thus, you generate revenue based on a single download and install. No need to retain the user - only have them open the application once.
The revenue stream created is ongoing based on our data partnerships, regardless of continued use of the mobile application.
We've worked hard to make it really simple for you to integrate our service into your app, and as a result have over 6,500 applications on our platform in only 6-months! When you have a few minutes, I'd love to talk to you or the appropriate person about working with us.
I must have read the title wrong.
I thought it allowed you to find other people using the app near you while you were using your flashlight.
You know, because, when the power's out, there's only ONE thing worth doing . . .
I just recently got a Nexus 5 to replace my aging Nokia N9 and was amazed by the near complete lack of simple tools that don't want access to your data in return. For the N9, there were a ton of useful free open source tools provided by the community over at maemo.org. That community was great. Every time I thought that there was something that was missing or new capability I wanted, I'd look there and find an app that already exists or a group of people in the process of building it.
The contrast between that experience and the excessive commercialism of Android was startling. After looking around for a while I did find this Simple LED Widget that is just what it says and doesn't require any unnecessary permissions, but I had to sift through dozens of apps like the one in the TFA.
Is there anything even close to maemo.org for Android? I've heard some good things about F-Droid, but I haven't looked into it enough yet to know if it's the best option.
Knowledge Brings Fear
I'm going to get flamed for this, but.... buy an iPhone? can't happen in iOS, apps can not access contacts or location without asking first, the operating system won't allow it, and you can remove the access anytime in settings. I know, flame on, but if this was Windows and someone said how can I stop getting viruses and someone recommended Linux it would be +5 insightful
my karma will be here long after I'm gone
What's obviously missing is a Mock App - something that will satisfy all those requests and provide them with the data they want - fake data.
Sadly, I don't expect Google - whose revenue stream is largely based on advertisement - would make that possible in Android.
Assorted stuff I do sometimes: Lemuria.org
When you installed it, didn't you look at the list of what it has access to? If I saw it wanting to get my location I would have stopped right there and not installed it. No flashlight app needs to know my location to work.
Many ad supported apps want your location so they can serve geo targeted ads.
Though there are plenty of free, non-ad-supported flashlight apps. The only permission the app I'm using has is the ability to access the camera.
So when will the Government fine itself or the NSA for gathering my location info without telling me. Heck, I didn't even download their app.
The NSA never disclosed that they were tracking my location etc. where's the hammer for those schmucks?
It's a pain, but the average user needs to start actually paying attention to app permissions.
Except the "average user" literally CANNOT understand the permissions being asked for.
That's why an up-front model for permissions is inherently broken. If an app sneaks in location in the set of permissions an "average user" will never see it. If it asks them if the flashlight app can have their location when they run it, or access to contacts - there's few people that would agree to that.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
You people have no idea what you're loading onto your phones or what it's doing with your data and your life!
Why isn't there more comprehensive oversight of these apps before they're released to the public? Can't they require the source code be submitted to the 'app stores', and proofread to prevent this sort of thing from happening?
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
When I read the access request for any Android app, I end up declining. SD card, network, contacts, and location access, for a kitchen timer? No thanks. That's why I have no apps on my phone and why I miss my Startac.
I'm looking for a feature phone to replace my smartphone now. There just are no apps I'm willing to install, plus I want physical buttons.
Socialism: a lie told by totalitarians and believed by fools.
And paid for the blow jobs too.
Just google it. You don't need to get from play store.
It is as clean as possible. Only does what it needs to do.
You are being MICROattacked, from various angles, in a SOFT manner.
1) Use DroidLight. It's by Motorola, but it works on non-motorola phones too. It requires no permissions.
2) We are in a sad state of affairs.
9 out of 10 flashlight apps in the Android store require unnecessary permissions. The Android store needs ONE flashlight app. Maybe 2. Unfortunately, idiots download apps that require 100 permissions, then rank it a 5/5. This is such a trivial problem for Google to solve: one Google Play Store employee could ban 90% of those apps with a day of research and resolve the problem for the most part.
Even in the wild wild world of PC shareware, malware wasn't as bad as it is in the Google Play store.
Ahhh, the day and age when "dropping the hammer" means "you're changing this stuff in this software, but don't worry about a fine or anything".
BOOM! HAMMER DOWN!
What app do you make? (desperately seeking non-evil Android apps)
Whenever I'm looking for an app of some kind, I check F-Droid first.
I remember sigs. Oh, a simpler time!
It's completely fine for the NSA to gather data without your consent or knowledge... but for a phone app to do the same? HERESY!!!
The answer is the user can't differentiate, unless we have access to the source code.
So here's an open source flashlight app you should be using:
MrWhite: https://fdroid.org/wiki/page/org.bc_bd.mrwhite
Or Torch: https://fdroid.org/wiki/page/com.colinmcdonough.android.torch
Install them by installing the F-Droid (FOSS for Android) package manager from Google Play.
I'm not a lawyer, but I play one on the Internet. Blog