BLU Products has “reached a settlement” with the Federal Trade Commission (FTC) over the alleged farming of user data by a third-party service, according to a press release from the government agency. The announcement does not make any reference to a financial liability as part of the agreement and instead highlights various behaviors the budget smartphone brand must adhere to going forward.
This largely stems back to 2016 when reports emerged suggesting the use of ADUPS on BLU mobile products was collecting more user data then it should. While the service was expected to be collecting some user data, the extent to the collection is alleged to have been to a point where it included location data, call and message logs, and in some cases “full content” of text messages. Following the reports, BLU denied knowledge of the issue beforehand and committed itself to ensuring its devices were free from ADUPS, regardless of whether it was collecting unnecessary levels of data or not. The complaint from the FTC specifically notes these two points as areas in which BLU failed to protect its users. Firstly, at the preemptive level by making sure user data was not being collected beyond what is natural, and secondly in terms of remedying the situation after the company became aware of it. The second point relates to the allegation by the FTC that while BLU looked to fix the issue via an update that removed the ADUPS software, older models were not protected in the same way with the suggestion these devices remained vulnerable. As a result, the FTC accused BLU of misrepresenting the situation.
Which is where the agreement comes in as the FTC states that going forward BLU will need to increase its ability to protect its users prior to an event through the use of “a comprehensive security program” that can mitigate against such issues. The second major caveat of the agreement is for BLU to refrain from misrepresenting how well-equipped the company is in dealing with matters of user privacy and security. A third, albeit, less BLU-initiated action is the company will for the next twenty years be subject to additional scrutiny through the use of third-party assessments, occuring every two years. Now that a settlement has been reached the issue has entered a ‘public comment’ period which is due to remain in effect up until to May 30, 2018. Following which, it is expected the FTC will issue a final ruling on the matter. It is worth noting BLU was not the only smartphone brand to have been linked to ADUPS.
