Slashdot Mirror


Phone Maker BLU Settles With FTC Over Unauthorized User Data Extraction (threatpost.com)

lod123 shares a report from Threatpost: Android phone-maker BLU Products agreed to a proposed settlement on Tuesday with the Federal Trade Commission, over allegations it allowed the third-party firm Adups Technology to collect detailed consumer data from users without their consent. In an administrative complaint filed earlier this week against BLU and the company's co-owner and president Samuel Ohev-Zion, the FTC accused the firm of sharing with China-based Adups the full contents of their users' text messages, real-time cell tower location data, call and text-message logs, contact lists, and applications used and installed on devices.

Ultimately, the FTC is alleging Ohev-Zion and BLU violated the FTC Act's section pertaining to "deceptive representation regarding disclosure of personal information." The proposed settlement will be made final after a 30-day public comment period. In its proposed complaint, the FTC said Florida-based BLU contracted with Adups to issue security and operating system updates to millions of phones sold by the firm through Amazon, Best Buy and Walmart. In addition to allegedly failing to protect consumer privacy, the FTC asserts that BLU failed "to adequately assess the privacy and security risks of third-party software installed on BLU devices" resulting in "common security vulnerabilities that could enable attackers to gain full access to the devices."

Security researchers at Kryptowire first reported in 2016 that several models of BLU phones actively transmitted user and device information to Adups.

26 comments

  1. The problem is fundamental it's android by Anonymous Coward · · Score: 0

    Get google out of the hand top

    1. Re:The problem is fundamental it's android by Anonymous Coward · · Score: 0

      Found the Apple fanboy.

  2. Millennial snowflakes by Anonymous Coward · · Score: 1

    Stop being crybaby millennial snowflakes. If you don't like your data being extracted, don't use a smartphone. Grow up. Nobody needs a smartphone; it is a luxury item.

    1. Re:Millennial snowflakes by Anonymous Coward · · Score: 0

      Says the snowflake whining about other people.

  3. FCC Xenophobes by sdinfoserv · · Score: 1

    The FCC fully supports ISPs extracting every single bit of user data for any whim, yet when a Chinese-based company does it they file against them?
    BLU must have forgotten Pai's payola.......

    1. Re:FCC Xenophobes by Desler · · Score: 1

      Protip: The FCC and the FTC are not the same agency.

    2. Re:FCC Xenophobes by freeze128 · · Score: 1

      BLU is based in Florida.

  4. That would be Trump’s FTC by Anonymous Coward · · Score: 0

    Always curious when Slashdot editors decide to omit the political slants when it’s something they like.

  5. Wrong three-letter agency by WoodstockJeff · · Score: 3, Informative

    The Federal TRADE Commission is not the same as the Federal COMMUNICATIONS Commission.

  6. No penalty. So we'll get more of this. by Ungrounded+Lightning · · Score: 3, Interesting

    Under the proposed settlement with the FTC, BLU and Ohev-Zion are prohibited from misrepresenting the extent to which they protect the privacy and security of personal information and must implement and maintain a comprehensive security program that addresses security risks associated with new and existing mobile devices and protects consumer information. In addition, BLU will be subject to third-party assessments of its security program every two years for 20 years as well as record keeping and compliance monitoring requirements.
    Business model:

    1. Break the law.
    2. Get paid for it.
    3. Get caught.
    4. Propose a settlement where you are prohibited from breaking the law in the way you were already prohibited from breaking the law but did (for pay) anyhow.
    5. PROFIT!

    So breaking this law is still a way to make money, even if you're caught. Expect a lot more of it.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way

  7. BLU? by Chris+Mattern · · Score: 1

    What about RED? Saxton Hale will hear of this!

  8. Oh wow I bet those responsible are in trouble! by Anonymous Coward · · Score: 1

    Good news!

    How many of the executives and controlling minds at BLU are going to jail?

    "The proposed settlement agreement with the FTC does not include any financial penalty or consumer restitution over the alleged issues with affected phones, because in first offense matters such as this, the FTC lacks the power to levy such financial penalties."

    Oh...

  9. Re:No penalty. So we'll get more of this. by Anonymous Coward · · Score: 0

    Yep. America is fucked up. And the boiling frogs don't even notice.

  10. Re:No penalty. So we'll get more of this. by Anonymous Coward · · Score: 0

    Yup, that's exactly right. And even the monitoring and auditing can be defeated by hiding it all behind Chinese "partner" companies or subsidiaries that are beyond the reach of US law.

    "Gee, it says right here in our contract that Wun Hung Lo Industries promised not to misuse any of our customer data that they accessed while performing this work. Must be their fault!"

  11. Re:No penalty. So we'll get more of this. by Streetlight · · Score: 2

    Why isn't BLU closed from doing business in the US? Close them down after returning all subscription fees to subscribers.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell

  12. and customers? by Anonymous Coward · · Score: 0

    How much of this settlement goes to the customers who bought the phones? That's right, none.

  13. Worse than useless by craighansen · · Score: 2

    As a purchaser of BLU phones, I've read the proposed settlement, and find it worse than useless. No compensation, and no firmware repairs/upgrades are promised to customers. I put a complaint to that effect in the FTC comment files. BLU phones should be blocked from the US market until they clean up the mess.

    1. Re:Worse than useless by CanEHdian · · Score: 1

      From TFA:

      The proposed settlement agreement with the FTC does not include any financial penalty or consumer restitution over the alleged issues with affected phones, because in first offense matters such as this, the FTC lacks the power to levy such financial penalties.

      IANAL but a class-action lawsuit would be your best bet.

      --
      When the copyright term is "forever minus a day", live every day like it's the last.

  14. Bold like Us by spinitch · · Score: 1

    I doubt BLU knew of this exploit by Adups, but it should be a wake-up call for low-tier product sourcing from China. Not a big surprise, this is how BLU could offer such low-cost mobile devices.

    1. Re:Bold like Us by Anonymous Coward · · Score: 1

      BLU knew. This incident was first reported in 2016. At that time BLU "fixed" things and started selling phones without the included tracking apps but still using ADUPS for updates. Things were good till fall 2017, when with an Android security update ADUPS installed 3 user tracking apps. The apps were set up so that one would periodically download and install the first one, which would install two more (if they were already installed, it would just reset their permissions to what they needed for data collection), one for data collection and one for collected data uploads. They were named similarly to real apps and an attempt was made to mask them. I expected that at one point these would return and was watching for them during the Fall 2017 update and was not disappointed (I submitted samples of these apps to Malwarebytes).

      I believe all this might be perfectly normal for the Chinese market, where government surveillance is a fact, and they tried and succeeded in expanding this surveillance to the US market. As paranoid as it may sound, I strongly believe that selling these phones generated no profit and that the entire company is sponsored by the Chinese government.

      All that being said, there is no other phone where you get so much hardware for the price, and after cleaning it and replacing the offending software this is a pretty great phone.

  15. Verizon does it by Anonymous Coward · · Score: 0

    ...And it's their 'business model'. BLU does it, and it's 'unlawful'?

    Come on. Stop being the regulatory equivalent of Barney Fife, and start enforcing privacy laws across the board, evenly, to all comers, stupid fucking US government agencies.

  16. Wait, this describes google perfectly. by Anonymous Coward · · Score: 0

    Esp. with needing location services turned on to use some bluetooth and wifi functions, evil terms and services. There's plenty of data-perv slurping going on. Plain evil.

  17. Storage by cascadingstylesheet · · Score: 1

    They should be prosecuted instead for selling phones with tons of preinstalled unremovable crapware, coupled with the storage space of a Vic20.

  18. Like Windows 10 by Anonymous Coward · · Score: 0

    Just like Win10, except MS never gets in trouble for anything.
    Because no, we did not agree to the spying and GBs of data harvested from our Desktop because those facts are not called out in the EULA.

  19. What'd you expect by farble1670 · · Score: 1

    They were selling mid-range-ish phones for $150. You have to assume they are making money somehow.