BLU Settles with the FTC Over Deceptive Privacy and Data Security Violations
Amidst all of the chaos surrounding ZTE and Huawei, another Android OEM is getting caught up in the mess. BLU has agreed to a settlement with the Federal Trade Commission (FTC), over allegations of misleading consumers and allowing a third-party Chinese company to collect personal details, such as text message contents and location information without knowledge or consent. When the news first came to light back in 2016, Amazon ceased sales of all BLU products until further notice.
As a result of the settlement, the company is now required to implement a “comprehensive data security program” to help prevent unauthorized access to consumers’ personal information. They also must address security risks related to past and present smartphones in order to make amends. What’s more, the company will be subject to third-party audits of their security every 2 years for the next 20 years. They must make sure to comply with record-keeping and compliance monitoring agreements during this time.
They had contracted the company ADUPS to issue security and OS updates, which took far more information than needed from consumers’ devices. This includes text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of applications used and installed. Not only that, but BLU was also accused of misleading consumers by falsely claiming that they limited third-party collection of data from users of BLU’s devices to only information needed for software updates. If that’s not bad enough, ADUPS software was often found to contain security vulnerabilities which further put consumer data at risk. BLU and its co-owner and President Samuel Ohev-Zion failed to implement appropriate security measures in order to ensure the complete safety of user data, and also failed to evaluate the security of these preinstalled applications.
Despite the ADUPS software being disabled on BLU phones through software updates in 2016, the company failed to adequately disable it on all of their devices. BLU continued to allow ADUPS to operate on its older devices without adequate oversight, meaning that many users of their devices were still at risk.