Agency alleges BLU misled consumers and put their personal data at risk
Mobile phone manufacturer BLU Products, Inc. and its co-owner have reached a settlement with the Federal Trade Commission over allegations that the company allowed a China-based third-party service provider to collect detailed personal information about consumers, such as text message contents and real-time location information, without their knowledge or consent despite promises by the company that it would keep such information secure and private. As part of the settlement, BLU must implement a comprehensive data security program to help prevent unauthorized access of consumers’ personal information and address security risks related to BLU phones.
In its complaint, the FTC alleges that BLU and its co-owner and President Samuel Ohev-Zion misled consumers by falsely claiming that they limited third-party collection of data from users of BLU’s devices to only information needed to perform requested services. They also falsely represented that they had implemented “appropriate” physical, electronic, and managerial procedures to protect consumers’ personal information, according to the complaint.
Florida-based BLU contracted with ADUPS Technology Co. LTD to issue security and operating system updates to BLU’s devices. ADUPS, however, collected and transferred to its servers far more information than needed to do its job, including the full content of consumers’ text messages, real-time location data, call and text message logs with full telephone numbers, contact lists, and lists of applications used and installed on BLU devices.
According to the complaint, BLU and Ohev-Zion failed to implement appropriate security procedures to oversee the security practices of their service providers, including failing to perform appropriate due diligence of service providers; failing to have written data security procedures regarding service providers; and failing to adequately assess the privacy and security risks of third-party software installed on BLU devices. As a result, ADUPS collected sensitive personal information via BLU devices without consumers’ knowledge and consent that it did not need to perform its contracted services. In addition, ADUPS software preinstalled on BLU devices contained common security vulnerabilities that could enable attackers to gain full access to the devices.
After reports about the unexpected collection and sharing by ADUPS became public in November 2016, BLU issued a statement informing consumers that ADUPS had updated its software and had stopped its unexpected data collection practices. Despite this, the FTC alleges that BLU continued to allow ADUPS to operate on its older devices without adequate oversight.
Under the proposed settlement with the FTC, BLU and Ohev-Zion are prohibited from misrepresenting the extent to which they protect the privacy and security of personal information and must implement and maintain a comprehensive security program that addresses security risks associated with new and existing mobile devices and protects consumer information. In addition, BLU will be subject to third-party assessments of its security program every two years for 20 years as well as record keeping and compliance monitoring requirements.
The Commission vote to issue the administrative complaint and to accept the proposed consent agreement was 2-0. The FTC will publish a description of the proposed consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through May 30, 2018, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $41,484.