Blu has agreed to settle with the United States Federal Trade Commission (FTC) with regards to charges that it had permitted a third party’s servers in China to harvest private data from customers, including text messages, location information (even in real time), telephone numbers, lists of contacts, and downloaded mobile apps.
Under the terms of the agreement, Blu will be incorporating an extensive data security program that should stop similar privacy leaks from happening in the future. On top of that, both the phone maker and its president, Samuel Ohev-Zion, are banned from misrepresenting just how far they are willing to protect the privacy and safety of customers’ personal data. Lastly, Blu will have to undergo third party evaluations with regards to the effectiveness of its data security program every couple of years for the next two decades, and must meet all record keeping and compliance tracking requirements.
It was back in November of 2016 when security firm Kryptowire released a report indicating that a number of commercial firmware pre-installed on certain Android running smartphone devices already released in the US mobile market were actually sending private data to a third party. It was later found that Blu handsets were transmitting copious amounts of information containing personal data to AdUps Technologies, a firmware solutions provider based in the city of Shanghai in China.
According to Kryptowire’s report, it seemed that AdUps was collecting information in order to help phone makers and mobile operators monitor the practices and preferences of consumers for advertising purposes. As indicated in the complaint filed earlier this week, FTC regulators are claiming that AdUps is provides updates on advertising, data mining, and firmware over the air (FOTA) to handsets and Internet of Things (IoT) connected gadgets. It turned out that AdUps was harvesting texts and sent them back to company servers every three days, while collecting real time location information and sending them to servers once every day.
Another Kryptowire report released last year had stated that a trio of Blu devices were still harvesting private data and transmitting them to servers in China. Two of them -- the Grand M and the Life One X2 -- were transmitting telephone numbers, International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI), Wi-Fi MAC (Media Access Control) addresses, handset serial numbers, and lists of installed mobile apps, plus IDs of cellular towers and locations. A third device, the Blu Advance 5.0, possessed code execution and logging capabilities that could be leveraged by third party apps.
