Phone maker BLU is settling charges that it allowed a China-based partner to collect a mountain of customers' personal data—including full content of text messages, real-time locations, telephone numbers, contacts, and installed apps—despite promises it would keep such details private.
Under a settlement with the US Federal Trade Commission announced Monday, BLU agreed to implement a "comprehensive data-security program" to prevent similar privacy leaks in the future. Both the company as a whole and co-owner and president Samuel Ohev-Zion are barred from misrepresenting the extent to which they protect the privacy and security of personal information. The company further will be subject to third-party assessments of its security program every two years for 20 years and must comply with record-keeping and compliance-monitoring requirements.
The settlement stems from research published in November 2016 by security firm Kryptowire. It found that BLU phones were transmitting a massive amount of private customer data to AdUps Technologies, a Shanghai-based provider of firmware that ran on the affected devices. Kryptowire said AdUps appeared to gather the data to help phone manufacturers and carriers track the behavior of their customers for advertising purposes.
In a complaint filed Monday, FTC regulators said AdUps provides advertising, data mining, and FOTA—short for "firmware over the air"—update services to mobile and Internet of Things connected devices.
"BLU entered into a contract with AdUps to have the China-based company perform FOTA update services on their devices," FTC attorneys wrote. "Respondents did not ask ADUPS to perform any other services."
Despite the limited mandate, AdUps collected a wealth of customer information, including:
- full contents of text messages
- real-time cellular-tower location data
- call and text message logs with full telephone numbers
- contact lists
- lists of applications used and installed on each device
AdUps collected text messages and transmitted them back to company servers every 72 hours while collecting location data in real-time and transmitting it to servers every 24 hours, the FTC's complaint said.
Following the 2016 Kryptowire report, BLU notified customers that AdUps ceased its data collection activities. Even then, however, BLU "continued to allow AdUps to operate on its older devices without adequate oversight," FTC attorneys wrote.
The FTC action made no mention of a follow-up report from Kryptowire in 2017. It said three models of BLU phones continued to collect a more limited set of users' personal information and sent them to servers located in China. For instance, Kryptowire said that two models—the Grand M and Life One X2—sent phone numbers, IMEIs, IMSIs, Wi-Fi MAC addresses, device serial numbers, and lists of installed applications, as well as cell-tower IDs and locations. The security firm said the BLU Advance 5.0 contained code-execution and logging capabilities that could be used by third-party apps.
A BLU executive responded to the Kryptowire update at the time by saying the data collection was standard for over-the-air functions. "This is in line with every other smartphone device manufacturer in the world," BLU Marketing Director Carmen Gonzalez wrote in the response. "There is nothing out of the ordinary that is being collected," she wrote, and she also asserted that BLU "certainly does not affect any user's privacy or security."
At the time of the Kryptowire update, Amazon said it was suspending sales of BLU phones. A quick search on Monday showed a variety of BLU phones available from the online retailer.
[contf] [contfnew] 
Ars Technica
[contfnewc] [contfnewc]
