Smartphone maker BLUE has agreed to settle charges alleging that it let a partner based in China collect the personal data of customers despite making promises that the information would be kept private. The settlement was reached with the Federal Trade Commission and it requires the smartphone maker to enhance its data security program in order to prevent a repeat of the same in future.
Under the settlement the smartphone maker as well as president and co-owner of the firm, Samuel Ohev-Zion, are prevented from making misrepresentations with regards to what the company does to ensure the security and privacy of personal information. Every two years for a period of two decades the security program of BLU will be assessed by third parties and the smartphone maker will be required to ensure compliance regarding monitoring and record-keeping requirements.
The settlements comes more than one year since a research report compiled by Kryptowire, a security firm, revealed that smartphones made by BLU were sending massive amounts of data belonging to customers to a company based in Shanghai, China known as AdUps Technologies. The Chinese firm was at the time providing firmware that was used on BLU phones. According to Kryptowire the goal of AdUps Technologies was to obtain the customer data with a view to assisting carriers and manufacturers of smartphones to track user behavior and then serve targeted advertising messages.
Per regulators at the Federal Trade Commission AdUps Technologies offers various services including data mining, advertising as well as over-the-air updates of firmware to Internet of Things and mobile devices.
“BLU entered into a contract with AdUps to have the China-based company perform FOTA update services on their devices. Respondents did not ask ADUPS to perform any other services,” wrote the Federal Trade Commission attorneys.
Despite having a limited mandate, AdUps Technologies went on to collect vast amounts of personal data belonging to customers and this include full contents of SMS messages, location data provided by cellular towers, contact lists, apps installed on devices as well as SMS and call logs complete with phone numbers. Every 72 hours AdUps Technologies would transmit the data collected to the servers of the company. Location data was collected in real time and was transmitted to the servers of the company every 24 hours.
After the report by Kryptowire, customers were notified that the data collection activities of AdUps had been stopped. According to FTC attorneys the data collection continued in the older devices of BLU.