Mobile phones are ubiquitous extensions of our personal and professional lives and few think deeply about the tangled webs of software and hardware providers that formulate components to mobile phone fabricators.  However, the Federal Trade Commission’s recent settlement with BLU Products represents an important reminder of the importance of appropriate vendor oversight in all phases of the manufacturing and sales process.

BLU Products, Inc. a Florida based consumer electronics company and its co-owner, entered into an FTC settlement resolving allegations that it misled consumers by falsely claiming that they limited third-party collection of data from users of BLU’s devices to only the information needed to perform requested services.   BLU allowed a China-based, third-party service provider to collect detailed personal information about consumers, including text message contents and real-time location information, without  consumers’ consent and despite representations that such information would be kept secure and private.

BLU sold over 50 million mobile devices that run on Android software all over the world.  In the U.S., these were sold to consumers through retailers such as Amazon, Walmart, and Best Buy.  BLU outsourced the device manufacturing process to a number of original device manufacturers (ODMs).  The ODMs manufacture the devices branded with the BLU name according to BLU’s instructions and after receiving purchase orders.  In order to provide firmware updating services, BLU licensed software from ADUPS Technology and directed ODMs to preinstall this software on all ODM BLU devices.

Data collection without consumer consent    

ADUPS is a China-based company that offers advertising, data mining and firmware over-the-air (FOTA) update services to mobile and Internet of Things connected devices.  FOTA updates allow device manufacturers to issue security patches or operating system upgrades to devices over wireless and cellular networks.  BLU contracted with ADUPS  to perform FOTA update services on its devices.

According to the complaint, until November 2016, the ADUPS software on BLU devices transmitted personal information about consumers to ADUPS servers without consumers’ knowledge and consent.  The type of information transmitted included the full content of text messages, real-time cellular tower location data, call and text message logs with telephone numbers, contact lists, and lists of applications used and installed on each device.  The complaint alleges that ADUPS software collected and transmitted consumers’ text messages to its servers every 72 hours and location data was transmitted every 24 hours.

Press reports surfaced in November of 2016 about this unexpected collection and sharing of personal data from BLU devices.  Some consumers who became aware of these practices disabled the ADUPS software from their devices; however by taking that action, they were then unable to receive critical updates through FOTA.  BLU posted a security update on its website informing consumers that ADUPS had updated its software to cease this unexpected data collection, but according to the complaint, BLU continued to allow ADUPS to operate on its older devices without adequate oversight to ensure that the data mining had ceased.

The FTC Complaint and Consent Order

The FTC’s two count complaint alleges that the respondents violated Section 5 of the FTC Act by deceiving consumers about BLU’s data collection and sharing practices as well as BLU’s data security practices.  The FTC relies on representations made in BLU’s privacy policy which provides that BLU limits the disclosure of consumer’s information to third party service providers only to the extent necessary to perform their services or functions on behalf of BLU and that such service providers only have access to personal information needed to perform their services or functions and for no other purposes.

According to the complaint, ADUPS had access to personal information that was not needed to perform FOTA updates, the only service BLU contracted with ADUPS to perform.    In addition, the complaint alleged that BLU did not implement appropriate data security practices and referenced its failure to oversee the security practices of its service providers.  Specifically, the complaint identifies that BLU failed to:

• Perform adequate due diligence in the selection and retention of service providers such as failing to assess or evaluate the privacy or security practices of ADUPS prior to entering into an agreement with that company.
• Adopt and implement written data security standards, policies, procedures or practices that apply to the oversight of service providers.
• Contractually require their service providers to adopt and implement data security standards, policies, procedures or practices.
• Adequately assess the privacy and security risks of third-party software such as ADUPS.

The proposed consent order   prohibits the respondents from misrepresenting the extent to which they collect, use, share or disclose personal information, the extent to which consumer may exercise control over the collection, use or disclosure of personal information, and the extent to which they implement physical, electronic, and managerial security procedures to protect personal information.  In addition, the order requires that prior to collecting or disclosing any covered information respondents clearly and conspicuously disclose—separate and apart from the privacy policy, terms of use page or similar document—the categories of information collected and shared, the identity of any third parties that receive such information and the purposes for collecting the information, as well as obtaining affirmative express consent.

The consent order also requires BLU to implement and maintain a comprehensive security program that is reasonably designed to address security risks related to the development and management of new and existing covered devices; one that protects the security, confidentiality and integrity of personal information.  This program must be fully documented, and contain administrative technical and physical safeguards appropriated to the respondent’s business.

The consent order also requires that BLU obtain an assessment and report from a qualified, independent third-party professional covering the first 180 days after issuance of the order and each two year period for 20 years.

The proposed complaint and consent agreement will be out for public comment for 30 days.  The FTC will then review and comments receive before issuing the consent order in final form.