BLU settles with FTC over unauthorized transmission of personal customer data to China

Firmware used by BLU smart phones was observed transmitting sensitive data to a firm in China.

Florida-based mobile device maker BLU has settled with the Federal Trade Commission (FTC) over charges it allowed a Chinese partner to collect detailed personal customer information from some of its devices without authorization or consent.

The move is one of the first official government actions in the United States to result from tighter scrutiny of how companies that deal with large amounts of customer information—such as social networks and mobile device makers—handle the privacy and security of that data.

Under the terms of the proposed deal, BLU will put in place “a comprehensive data security program to help prevent unauthorized access of consumers’ personal information and address security risks related to BLU phones,” the FTC said in a press release about the settlement. The program must address security risks associated with both new and existing mobile devices and protect consumer information.

BLU also will face third-party assessments of this program every two years for 20 years as well as be held to record-keeping and compliance-monitoring requirements. In addition, the company and its co-owner and president Samuel Ohev-Zion also are prohibited from “misrepresenting the extent to which they protect the privacy and security of personal information,” according to the FTC.


BLU’s troubles with the FTC stem from a report published by security firm Kryptowire in November 2016. Kryptowire found that firmware from Shanghai-based ADUPS Technology Co. Ltd., which BLU used on its devices to deliver security and OS updates, was also collecting personal information and transmitting it to servers in China at regular 72-hour intervals.

Kryptowire found that the ADUPS firmware did far more than deliver updates to BLU devices. It could identify specific users, flag text messages that matched remotely defined keywords, and collect and transmit information about how the applications installed on the monitored device were used. And because the same update component was responsible for updating the OS and other key system components, it ran with elevated permissions and could remotely reprogram the devices.
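A component that phones home on a fixed schedule, as the firmware above did every 72 hours, leaves a recognizable low-jitter interval pattern per destination in a device's egress logs. The following is an added illustration of how an analyst might surface that pattern; it is not code from the original article or from Kryptowire. The log format, the source address and the hostnames (`update.example.invalid`, `cdn.example.invalid`) are constructed for the example and are not the real ADUPS endpoints.

```python
"""Flag periodic ("beaconing") outbound connections in an egress log.

Added illustration for the scheduled reporting behaviour described in the
article. The log lines, source address and hostnames below are constructed
for this example; they are not the real ADUPS endpoints.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: "<ISO-8601 timestamp> <source> <destination host>".
# update.example.invalid is contacted every 72 h with a few seconds of drift;
# cdn.example.invalid is contacted at irregular, user-driven times.
SAMPLE_LOG = """\
2016-10-01T03:00:05Z 10.0.0.21 update.example.invalid
2016-10-01T09:14:33Z 10.0.0.21 cdn.example.invalid
2016-10-02T18:02:11Z 10.0.0.21 cdn.example.invalid
2016-10-04T03:00:07Z 10.0.0.21 update.example.invalid
2016-10-04T11:40:59Z 10.0.0.21 cdn.example.invalid
2016-10-07T03:00:04Z 10.0.0.21 update.example.invalid
2016-10-07T21:05:42Z 10.0.0.21 cdn.example.invalid
2016-10-10T03:00:06Z 10.0.0.21 update.example.invalid
2016-10-11T07:30:00Z 10.0.0.21 cdn.example.invalid
"""


def parse_log(text):
    """Group connection timestamps by destination host.

    Returns {destination: [datetime, ...]} for the constructed format above.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src, dst = line.split()
        events[dst].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def find_beacons(events, min_events=4, max_jitter=0.05):
    """Return {destination: mean_interval_hours} for scheduled destinations.

    A destination is flagged when it was contacted at least `min_events`
    times and the gaps between contacts vary by no more than `max_jitter`
    (population standard deviation divided by the mean gap).
    """
    beacons = {}
    for dst, stamps in events.items():
        stamps = sorted(stamps)
        if len(stamps) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[dst] = avg / 3600
    return beacons


if __name__ == "__main__":
    for dst, hours in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{dst}: contacted every {hours:.1f} h")
```

On the constructed log only `update.example.invalid` is flagged, at a 72-hour cadence. Periodicity alone is not proof of misconduct, since legitimate update checkers beacon too; what made the ADUPS case a problem was the content of the upload, so a hit like this is the cue to capture and inspect the traffic, not the verdict. A collector that adds randomized sleep between reports will also defeat the simple jitter threshold used here.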


The customer data collected from BLU devices and sent to ADUPS Technology servers in China included the full content of consumers’ text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of the applications installed and used on the devices.

The BLU R1 HD phone was observed sending sensitive user data back to a server in China thanks to firmware from Shanghai ADUPS Technology Co. Ltd. BLU has settled with the Federal Trade Commission over these actions.

After the report went public, BLU issued a statement informing consumers that ADUPS had updated its software and had stopped the data-collection practice discovered by Kryptowire. However, the FTC investigated and alleged that BLU continued to allow ADUPS software to operate on its older devices without adequate oversight, and the commission eventually filed a complaint against BLU and Ohev-Zion for what it viewed as misconduct.

In its complaint, the FTC charged that BLU and Ohev-Zion misled consumers by falsely claiming that they limited third-party collection of user data to only the information needed to provide security and OS updates.

The commission also alleged that BLU and Ohev-Zion falsely represented that they had implemented “appropriate” physical, electronic and managerial procedures to protect consumers’ personal information.

“BLU and Ohev-Zion failed to implement appropriate security procedures to oversee the security practices of their service providers, including failing to perform appropriate due diligence of service providers; failing to have written data security procedures regarding service providers; and failing to adequately assess the privacy and security risks of third-party software installed on BLU devices,” the FTC wrote in its complaint. “As a result, ADUPS collected sensitive personal information via BLU devices without consumers’ knowledge and consent that it did not need to perform its contracted services.”

The company also exposed customers to unnecessary security risk, the FTC alleged, because the ADUPS software preinstalled on BLU devices contained “common security vulnerabilities” that could enable attackers to gain full access to the devices.

BLU did not immediately respond to a request for comment on the settlement Tuesday. The public can comment on the proposed deal through May 30, 2018, after which the Commission will decide whether to make it final.

While BLU appears to be getting off fairly lightly, with no financial penalty attached to the settlement, the deal could set a precedent for future data-privacy enforcement in the United States, especially in light of the ongoing Facebook-Cambridge Analytica debacle.

Still, it remains to be seen whether the United States will follow the lead of the European Union (EU) and regulate data privacy with a heavier hand. The EU’s General Data Protection Regulation (GDPR), which aims to protect the data privacy of EU residents and enforce corporate accountability with the threat of heavy fines for violations, including the failure to disclose data breaches, is scheduled to take effect at the end of this month.
