Slashdot Mirror

← Back to Stories (view on slashdot.org)

Phone Maker BLU Settles With FTC Over Unauthorized User Data Extraction (threatpost.com)

Posted by BeauHD on from the you-get-what-you-pay-for dept.

lod123 shares a report from Threatpost: Android phone-maker BLU Products agreed to a proposed settlement on Tuesday with the Federal Trade Commission, over allegations it allowed the third-party firm Adups Technology to collect detailed consumer data from users without their consent. In an administrative complaint filed earlier this week against BLU and the company's co-owner and president Samuel Ohev-Zion, the FTC accused the firm of sharing with China-based Adups the full contents of their users' text messages, real-time cell tower location data, call and text-message logs, contact lists, and applications used and installed on devices.

Ultimately, the FTC is alleging Ohev-Zion and BLU violated the FTC Act's section pertaining to "deceptive representation regarding disclosure of personal information." The proposed settlement will be made final after a 30-day public comment period. In its proposed complaint, the FTC said Florida-based BLU contracted with Adups to issue security and operating system updates to millions of phones sold by the firm through Amazon, Best Buy and Walmart. In addition to allegedly failing to protect consumer privacy, the FTC asserts that BLU failed "to adequately assess the privacy and security risks of third-party software installed on BLU devices" resulting in "common security vulnerabilities that could enable attackers to gain full access to the devices." Security researchers at Kryptowire first reported in 2016 that several models of BLU phones actively transmitted user and device information to Adups.

15 of 26 comments (clear)

  1. Millennial snowflakes by Anonymous Coward · · Score: 1

    Stop being crybaby millennial snowflakes. If you don't like your data being extracted, don't use a smartphone. Grow up. Nobody needs a smartphone; it is a luxury item.

  2. FCC Xenophobes by sdinfoserv · · Score: 1

    The FCC fully supports ISP's extracting every single bit of user data for any whim, yet when a Chinese based company does it they file against them?
    BLU must have forgotten Pai's payola.......

    1. Re:FCC Xenophobes by Desler · · Score: 1

      Protip: The FCC and the FTC is not the same agency.

    2. Re:FCC Xenophobes by freeze128 · · Score: 1

      BLU is based in Florida.

  3. Wrong three-letter agency by WoodstockJeff · · Score: 3, Informative

    The Federal TRADE Commission is not the same as the Federal COMMUNICATIONS Commission.

  4. No penalty. So we'll get more of this. by Ungrounded+Lightning · · Score: 3, Interesting

    Under the proposed settlement with the FTC, BLU and Ohev-Zion are prohibited from misrepresenting the extent to which they protect the privacy and security of personal information and must implement and maintain a comprehensive security program that addresses security risks associated with new and existing mobile devices and protects consumer information. In addition, BLU will be subject to third-party assessments of its security program every two years for 20 years as well as record keeping and compliance monitoring requirements.
    Business model:

    1. Break the law.
    2. Get paid for it.
    3. Get caught.
    4. Propose a settlement where you are prohibited from breaking the law in the way you were were already prohibited from breaking the law but did (for pay) anyhow.
    5. PROFIT!

    So breaking this law is still a way to make money, even if you're caught. Expect a lot more of it.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  5. BLU? by Chris+Mattern · · Score: 1

    What about RED? Saxton Hale will hear of this!

  6. Oh wow I bet those responsible are in trouble! by Anonymous Coward · · Score: 1

    Good news!

    How many of the executives and controlling minds at BLU are going to jail?

    "The proposed settlement agreement with the FTC does not include any financial penalty or consumer restitution over the alleged issues with affected phones, because in first offense matters such as this, the FTC lacks the power to levy such financial penalties."

    Oh...

  7. Re:No penalty. So we'll get more of this. by Streetlight · · Score: 2

    Why isn't BLU closed from doing business in the US? Close them down after returning all subscription fees to subscribers.

    --
    In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  8. Worse than useless by craighansen · · Score: 2

    As a purchaser of BLU phones, I've read the proposed settlement, and find it worse than useless. No compensation, and no firmware repairs/upgrades are promised to customers. I put a complaint to that effect in the FTC comment files. BLU phones should be blocked from the US market until they clean up the mess.

    1. Re:Worse than useless by CanEHdian · · Score: 1

      From TFA:

      The proposed settlement agreement with the FTC does not include any financial penalty or consumer restitution over the alleged issues with affected phones, because in first offense matters such as this, the FTC lacks the power to levy such financial penalties.

      IANAL but a class-action lawsuit would be your best bet.

      --
      When the copyright term is "forever minus a day", live every day like it's the last.
  9. Bold like Us by spinitch · · Score: 1

    I doubt BLU knew of this exploit by Adups but should be a wake up call for low tier product sourcing from China. Not a big surprise, this is how BLU could offer such low cost mobile devices.

    1. Re:Bold like Us by Anonymous Coward · · Score: 1

      BLU knew. This incident was first time reported in 2016. At that time BLU "fixed" things and started selling phones without included tracking apps but still using ADUPS for updates. Things were good till fall 2017 when with Android security update ADUPS installed 3 user tracking apps. The apps were setup so that one would periodically download and install first one which would install two more (if they were already installed, it would just reset their permissions to what they needed for data collection), one for data collection and one for collected data uploads. They were named similar to real apps and attempt was made to mask them. I expected that one point these will return and was waching for them during Fall 2017 update and was not disappointed (I submitted samples of these apps to malwarebytes).

      I believe all this might be perfectly normal for Chinese market, where government surveillance is a fact, and they tried and succeed expanding this surveillance to US market. As paranoid as it may sound, I strongly believe that selling these phones generated no profit and that entire company is sponsored by Chinese government.

      All that being said there is no other phone where you get so much hardware for the price and after cleaning it and replacing offending software this is pretty great phone.

  10. Storage by cascadingstylesheet · · Score: 1

    They should be prosecuted instead for selling phones with tons of preinstalled unremovable crapware, coupled with the storage space of a Vic20.

  11. What'd you expect by farble1670 · · Score: 1

    They were selling mid-range-ish phones for $150. You have to assume they are making money somehow.