Mobile Phone Maker Settles With FTC Over Data Collection
Mobile phone maker BLU Products this week reached a settlement with the Federal Trade Commission (FTC) over allegations that software in its devices collected users' personal information.
In November 2016, security firm Kryptowire revealed that a backdoor in various Android phone models sold in the United States, including BLU devices, sent personally identifiable information (PII) to third-party servers without informing users of the practice or asking for their consent.
The backdoor activities were performed via Shanghai ADUPS Technology Co. Ltd's Firmware Over-The-Air (FOTA) update software. The collected sensitive data included text messages, contact lists, call history (including full telephone numbers), the International Mobile Subscriber Identity (IMSI), and the International Mobile Equipment Identity (IMEI).
In July 2017, during a Black Hat presentation, Kryptowire revealed that the pre-installed system apps from ADUPS could be used to target only "specific users and text messages matching remotely-defined keywords."
Soon after, Amazon suspended sales of BLU phones, citing security and privacy concerns. The retailer, however, resumed sales only one week later.
At the time, BLU issued an official statement saying it had not been aware of ADUPS' practices and that it had decided to replace the OTA application on future devices with Google's GOTA. Older devices, however, remained stuck with the ADUPS software.
Now, the FTC says a settlement was reached over allegations that BLU Products allowed ADUPS to "collect detailed personal information about consumers, such as text message contents and real-time location information, without their knowledge or consent despite promises by the company that it would keep such information secure and private."
In its complaint (PDF), the FTC claims that BLU and its co-owner and President Samuel Ohev-Zion misled consumers by falsely stating that third-party collection of data from BLU devices was limited to the information needed to perform requested services. Furthermore, the Commission alleges that BLU falsely claimed it had implemented appropriate procedures to protect users' personal information.
"As part of the settlement, BLU must implement a comprehensive data security program to help prevent unauthorized access of consumers' personal information and address security risks related to BLU phones," the FTC says.
The FTC complaint also alleges that the phone maker failed to implement the mechanisms necessary to oversee the security practices of its service providers.
The company also failed to "perform appropriate due diligence of service providers," failed to adopt written data security procedures covering service providers, and failed to assess the privacy and security risks of third-party software installed on BLU devices.
This is what led to ADUPS collecting sensitive user data via BLU devices without consumers' knowledge and consent, even though the collection was not needed for the services ADUPS had been contracted to perform. Moreover, the FTC claims, the ADUPS software preinstalled on BLU devices contained common security vulnerabilities that could allow attackers to take over the smartphones.
"After reports about the unexpected collection and sharing by ADUPS became public in November 2016, BLU issued a statement informing consumers that ADUPS had updated its software and had stopped its unexpected data collection practices. Despite this, the FTC alleges that BLU continued to allow ADUPS to operate on its older devices without adequate oversight," the Commission says.
Under the proposed settlement, BLU and Ohev-Zion are "prohibited from misrepresenting the extent to which they protect the privacy and security of personal information and must implement and maintain a comprehensive security program that addresses security risks associated with new and existing mobile devices and protects consumer information."
Furthermore, BLU's security program will be assessed by a third party every two years for 20 years.
The mobile phone manufacturer will also be subject to record-keeping and compliance monitoring requirements.