50 Comments

Summary:

What happens if you install secret tracking software on the phones of tens of millions of people and sell their location to advertisers? Not much, if a new FTC order is anything to go by.

Brightest Flashlight

Even judging by the low standards of creepy data-mining apps, “Brightest Flashlight” did something pretty egregious. The free app, which was installed by at least 50 million Android users, transmitted users’ real-time locations to ad networks and other third parties. It was, in other words, a stalking device disguised as a flashlight.

In December, the Federal Trade Commission exposed the app’s antics and also announced a proposed settlement with the app maker, GoldenShores Technologies, a one-man operation based in Idaho. In doing so, the agency explained how Brightest Flashlight used legal flim-flam in a privacy policy and user license agreement to obscure what the app was up to.

The terms are now final, and they’re underwhelming, to put it mildly.

In a Wednesday announcement, the FTC confirmed that GoldenShores and owner Erik Geidl are not to collect app users’ geolocation without clearly explaining how and why they’re doing so and, in broad terms, say who is receiving that information. The flashlight app maker will also have to keep records for the FTC to inspect, and Geidl will have to tell the agency about any new businesses he decides to start in the next 10 years. He also has 10 days as of the order to delete all the data he collected.

On paper, the order looks like stern stuff but, in practice, it’s hard to see how this amounts to real punishment. Even though Geidl did something deeply unethical, compromising the privacy of tens of millions of people, he will not pay a cent for his misdeeds.

The FTC said earlier that it didn’t seek financial restitution because the app was free. The agency’s justification is unsatisfying, however, because it doesn’t acknowledge that Geidl must have earned earned income by selling users’ geolocation. A better approach would have been to strip him of any profits he made through the app, and also name-and-shame the advertisers who bought the information from him.

While it’s good that the FTC is helping to publicize the mischief of app makers, it’s unlikely that bad actors will take the agency seriously until it starts setting down real punishments on people like Geidl and the ecosystem that sustain them.

This story was updated at 8:45ET on Thursday to add that Geidl will have to delete the data collected prior to the order

You’re subscribed! If you like, you can update your settings

  1. Android users worried about privacy intrusions enabled by installed apps – Just root your device, install Android firewall and simply block such apps from communicating over the network. This works great for apps that have no business communicating over the network — such as flashlight apps and games for children.

    The other day, I downloaded an educational app on a spare Android tablet for my 1 yr old kid (basically pictures of fruits and vegetables with a pronunciation guide), and what do I see during the course of using the app, but an ad for a medical pot dispensary in my city — app went into the trash bin and I just ended up rooting the tablet and installing Android Firewall.

    It is known that Google mines data too, but, at least they give users options to turn the features on and off.

    1. Ganesh, I’m think that the vast majority of users who would blindly click “ok” when a flashlight app was requesting location data privileges have no clue what ‘rooting’ is, let alone how to do it.

      Regarding your kid’s app, would you have felt better if it were an ad for CVS? Same thing, really.

    2. Exactly why people buy iPhones… to avoid this silly crap.

      By silly crap I mean “Just root your device, install Android firewall”.

      1. Yeah, apple definitely doesn’t have any “silly crap” like this. Do some research before posting and looking like an idiot. Just to name one instance of “silly crap” on iPhones, where customers downloaded an app on their phones which basically did nothing, but were charged $999.00. http://en.wikipedia.org/wiki/I_Am_Rich

      2. Sound like every other Apple sheep. Every time you install an app on an android phone you are notified what services it is using. If you can’t figure out that a flashlight app shouldn’t have access to your GPS, maybe you should buy an iPhone.

        1. Except for the fact that so many apps request access to so many things, users just get used to giving every app the OK for them all. It’s not a matter of people being stupid. It’s a matter of Android being really badly designed.

      3. Funny. That was a good one. Iphones – lol. You’re a crackup.

        1. That’s not the same…

        2. You don’t really understand what the article says, do you?

      4. HAHAHAHAHAHAHA
        I have been working with you silly Mac users for years now and you’re never going to learn how to read the news, are you? Too blinded by your Retina screens, aren’t you?

    3. You lost me at “Just root your device…”

    4. Or install the XPosed Framework, and then the XPrivacy module and revoke the app’s privacy infringing permissions, such as it’s access to GPS data.

    5. What to do about devices that can’t be rooted?

    6. Google gives users an option to turn such features off? Not really… Having a rooted device I can tell you that there are hidden locations sync options (and more) which CAN’T be turned off – the option isn’t even shown on a normal device. Google is the worst of them all when it comes to illegal (after EU law) data mining. So someone who uses Google doesn’t really need to worry anymore about such Flashlight apps – but of course it’s always good to be careful.

  2. I’m not sure he should have received a stiffer penalty. Shame on him for trying to sneak something by the users, but that’s what new regulation is for, not financial punishment if there is no regulation.

    After all, every one of the affected users clicked “ok” when informed that a flashlight app was going to collect that data.

    People need to wake up and take personal responsibility for their digital environments. Ignore the install warnings and EULAs at your own risk.

    1. But that explanation of what the app will do with the user’s location may be buried on page 37 of the EULA. Too often the ‘terms’ broadly state what the app will access AND modify, but it appears trivial and users click ‘agree’ and ‘Install’ the app.

      1. Yes, and as I said, ignore the EULA and install warnings at your own peril. If app-makers provide 37-page EULAs that are a serious burden to get through, then people should either take the time to read them, or reject the app.

        Regulations designed to protect irresponsible people are usually an inconvenience for the rest of us.

      2. When I try to install Brightest Flashlight Free from the Android market, the install screen clearly shows all the permissions that app is requesting, including:

        Your location (approximate AND precise)

        Hit CANCEL

        1. Almost every app you download wants access to all kinds of things. After a while, users just tune it out. Stop blaming the users for Android’s crappy design.

          If anyone at Google had given Android any real thought in terms of user privacy and security, they’d just forbid giving every app access to whatever parts of the system it wants and lock down some of those things, then maybe people wouldn’t have to worry so much.

          But hey, that might get in the way of Google’s precious data-mining.

    2. There’s no sneaking involved. When you install an Android app if it will get your location, it lists that in the permissions for the app. That’s probably why he was not fined. You can’t help people that do nothing to help themselves.

  3. Open is better! Oh wait.

  4. Facebook collects your information in the exact same manner, and to a great degree. Their doing so is buried beneath a 10,000 word document designed to bore you into ignoring it.

    FTC?

  5. What’s the point? There is no such thing as a free lunch. You either pay with money or with data.

    The entire point of Android is that users pay with data instead of money.

  6. I’m thinking we need an app similar to Tinder, called “Muggr”. It shows you all the people nearby where the visibility is so poor they need a flashlight, making it super easy to sneak up on them. You could have the app automatically analyze selfies stored on the Flashlight users phone for bling value so you could swipe left if the person was too poor to rob, or swipe right to get walking directions and advice on types of weapons to use to threaten/attack them based on fears expressed in emails and twitter posts.

    1. It should give bank balance, salary, recent tax return info and credit rating, so I can better evaluate muggability. Also, resale value of the device they are running Flashlight on!

  7. Android users, always ready for more punishment.

    “Just root your device!”; “Read the EULA!”

    Sure thing.

    iOS at least has a built in flash light….

    1. Yeah, but this is the *brightest* flashlight:-)

    2. David Rae Phillips Ted T. Tuesday, April 15, 2014

      Galaxy had one to.. But it wasn’t great is I installed one just called “flashlight” works great. This guy also lured people in by calling it brightest… The phone has 1 light… How can a single app make it brighter than the others.. Idiots.

  8. Hamranhansenhansen Saturday, April 12, 2014

    The US government sees its citizens as ready victims for any business person. There are almost zero consumer protections here compared to the other G7 countries.

  9. Serg Aspidoff Sunday, April 13, 2014

    100% of apps with ads in them require your proximate and precise location for ad targeting, you agree to it when you install the app. What’s the problem here?

  10. Did the app break any laws or regulations?

    1. Or did the app maker commit any fraud?

Comments have been disabled for this post