“Brightest Flashlight” Android app disclosed location of 50 million people, but FTC imposes no fine


Even judging by the low standards of creepy data-mining apps, “Brightest Flashlight” did something pretty egregious. The free app, which was installed by at least 50 million Android users, transmitted users’ real-time locations to ad networks and other third parties. It was, in other words, a stalking device disguised as a flashlight.

In December, the Federal Trade Commission exposed the app’s antics and also announced a proposed settlement with the app maker, GoldenShores Technologies, a one-man operation based in Idaho. In doing so, the agency explained how Brightest Flashlight used legal flim-flam in a privacy policy and user license agreement to obscure what the app was up to.

The terms are now final, and they’re underwhelming, to put it mildly.

In a Wednesday announcement, the FTC confirmed that GoldenShores and owner Erik Geidl are not to collect app users’ geolocation without clearly explaining how and why they’re doing so and, in broad terms, saying who is receiving that information. The flashlight app maker will also have to keep records for the FTC to inspect, and Geidl will have to tell the agency about any new businesses he decides to start in the next 10 years. He also has 10 days from the date of the order to delete all the data he collected.

On paper, the order looks like stern stuff but, in practice, it’s hard to see how this amounts to real punishment. Even though Geidl did something deeply unethical, compromising the privacy of tens of millions of people, he will not pay a cent for his misdeeds.

The FTC said earlier that it didn’t seek financial restitution because the app was free. The agency’s justification is unsatisfying, however, because it doesn’t acknowledge that Geidl must have earned income by selling users’ geolocation. A better approach would have been to strip him of any profits he made through the app, and also name-and-shame the advertisers who bought the information from him.

While it’s good that the FTC is helping to publicize the mischief of app makers, it’s unlikely that bad actors will take the agency seriously until it starts imposing real punishments on people like Geidl and the ecosystem that sustains them.

This story was updated at 8:45 ET on Thursday to add that Geidl will have to delete the data collected prior to the order.


Roger Andreas

Why doesn’t Android just do what iOS does and tell the user a given app wants access to your location or contacts or whatnot when you first launch it, and then give you the option to deny the app access to that information? Why is it all or nothing? I install iOS apps all the time and deny access to my personal stuff and then go about my day. Android’s approach where you have to give the app access to those things or just not install it is so dumb.


Hello, all.
This discussion, while interesting, is really moot.
The whole problem is the ‘government’ is fraudulent, so the ‘protection’ for its ‘citizens’ is fraudulent too.
You think the ‘permissions’ on the apps give away the racket?
Read the labels on food packaging;
the ‘government’ will let manufacturers put ANYTHING in the ‘food’, except vitamins.
Too many healthy people mean the AMA, the hospitals, & big pharma wouldn’t make the billions they do, & the ‘government’ wouldn’t get as big a cut.
Like cell phones; absolutely been proven to cause cancer, but at $340 BILLION + a year, the ‘government’ gets a percentage.
Same thing w/ gas prices; the tax is a percentage, the higher the price, the more the ‘government’ gets.
*IF* you want ‘protection’, you will have to provide for yourself; the ‘government’ is too busy looking out for itself to do anything for you.

Joseph Butewicz

After reading this story I decided to build my own Android flashlight that doesn’t send your data or have ads. Will release soon.


We as consumers need to charge for any data collected from us.

Mike Baggett

Read between the lines, it’s obvious he was selling the info to the government!


World seems full of deluded Android fanboys. Your OS is by its very nature full of adware, that’s what Google is, an advertising company. You have MUCH greater control over this, without rooting your device (itself a stupid move, frankly) on an iPhone. You can deny it all you want, but it’s the truth. You are on your own with Android, not the case with Apple.

Apple is not without problems, but it’s miles ahead of Google, and innovating all that Google can only COPY. Good luck with Heartbleed, you will need it on the ‘Roids.

Roger Andreas

Exactly. I’m amazed that you can’t install apps on Android and deny the app access to that stuff. I’m laughing so hard at these guys who say, “Well, it tells you right up front what it accesses–don’t install it if you don’t agree.” Well, gee, maybe give the user control to cut the app’s access to that stuff off like… you know… iOS does. Android is so backward and its users are so deluded that they’re running the most advanced OS on the planet. LOL!

Alpha Bravo

I have yet to find malware on iOS. As for droid, the marketplace is humming with it.

Michau Kowalski

and so what? .95B. find book: ‘The.Most.Important.Knowledge.You.would.Ever.Read.Implement.and.Live.up.to.Forever’


Thomas Brookside

What did his privacy policy actually say?

Far from being a lenient settlement, I’m assuming this is one of those many, many, many times that the privacy policy said exactly what he would do, but the FTC is forcing him to stop, because they just don’t like it.

He should have told the FTC to go fuck themselves, but since they’ll just make up law to try to destroy him if he does that, I guess I can’t blame him.

Scott Bram

While the FTC washing their hands of this is unfortunate to say the least, it should come as no surprise.

While it certainly could have deleterious effects in the short term, inasmuch as it demonstrates future offenders will receive little more than a hand slap, there is the prospect that such clear betrayals of consumer trust will push App Store overlords, er, proprietors to take steps to better inform, if not outright protect, their customers.


google gets fined millions of dollars for wifi snooping and this guy gets to keep all his advertising revenue from his app?


Two Android apps can give you a nice overview of all permissions held on an app basis.

1. Android Assistant / Permissions


2. Zoner AntiVirus Free / Apps & Permissions

Roger Andreas

And iOS goes one step further and lets you deny the app access to those things. Unlike Android, the OS enforces this on behalf of the user. The problem with Android’s approach is that after a dozen app installs, users are going to tune those things out the same way people tune out EULAs and license agreements. It just becomes boilerplate so it’s ineffective.

On iOS, you install an app. On first launch, you get a message like “Awesome App wants access to your contacts. [ allow ] [ deny ]”. See, iOS forces app-makers into a user-friendly approach and forces the app to ask permission which gives you a fine-grained control and doesn’t predicate access on whether you install or not.

I’m just amazed that Android doesn’t do that. The attitude that you installed it so it gets access to whatever it said is so mind-blowingly backward.

Roger Andreas

It’s all right here (see the tuaw.com link below.) It’s so dumb that Android doesn’t have this. I have absolute control over what info any app accesses in iOS. I can install freely without worry and control this as I see fit. I can turn things on or off per app at will. It’s so insane that Android lacks this and forces you to accept all or nothing when installing an app. Pathetic. http://www.tuaw.com/2014/01/29/how-to-control-which-ios-apps-have-access-to-your-personal-data/

Serg Aspidoff

100% of apps with ads in them require your proximate and precise location for ad targeting, you agree to it when you install the app. What’s the problem here?


The US government sees its citizens as ready victims for any business person. There are almost zero consumer protections here compared to the other G7 countries.

Ted T.

Android users, always ready for more punishment.

“Just root your device!”; “Read the EULA!”

Sure thing.

iOS at least has a built in flash light….

David Rae Phillips

Galaxy had one too.. But it wasn’t great so I installed one just called “flashlight” works great. This guy also lured people in by calling it brightest… The phone has 1 light… How can a single app make it brighter than the others.. Idiots.


I’m thinking we need an app similar to Tinder, called “Muggr”. It shows you all the people nearby where the visibility is so poor they need a flashlight, making it super easy to sneak up on them. You could have the app automatically analyze selfies stored on the Flashlight user’s phone for bling value so you could swipe left if the person was too poor to rob, or swipe right to get walking directions and advice on types of weapons to use to threaten/attack them based on fears expressed in emails and twitter posts.

Fred Wize

It should give bank balance, salary, recent tax return info and credit rating, so I can better evaluate muggability. Also, resale value of the device they are running Flashlight on!


What’s the point? There is no such thing as a free lunch. You either pay with money or with data.

The entire point of Android is that users pay with data instead of money.


Facebook collects your information in the exact same manner, and to a great degree. Their doing so is buried beneath a 10,000 word document designed to bore you into ignoring it.



I’m not sure he should have received a stiffer penalty. Shame on him for trying to sneak something by the users, but that’s what new regulation is for, not financial punishment if there is no regulation.

After all, every one of the affected users clicked “ok” when informed that a flashlight app was going to collect that data.

People need to wake up and take personal responsibility for their digital environments. Ignore the install warnings and EULAs at your own risk.


But that explanation of what the app will do with the user’s location may be buried on page 37 of the EULA. Too often the ‘terms’ broadly state what the app will access AND modify, but it appears trivial and users click ‘agree’ and ‘Install’ the app.


Yes, and as I said, ignore the EULA and install warnings at your own peril. If app-makers provide 37-page EULAs that are a serious burden to get through, then people should either take the time to read them, or reject the app.

Regulations designed to protect irresponsible people are usually an inconvenience for the rest of us.

Telecom Dude

When I try to install Brightest Flashlight Free from the Android market, the install screen clearly shows all the permissions that app is requesting, including:

Your location (approximate AND precise)


Roger Andreas

Almost every app you download wants access to all kinds of things. After a while, users just tune it out. Stop blaming the users for Android’s crappy design.

If anyone at Google had given Android any real thought in terms of user privacy and security, they’d just forbid giving every app access to whatever parts of the system it wants and lock down some of those things, then maybe people wouldn’t have to worry so much.

But hey, that might get in the way of Google’s precious data-mining.


There’s no sneaking involved. When you install an Android app if it will get your location, it lists that in the permissions for the app. That’s probably why he was not fined. You can’t help people that do nothing to help themselves.


Android users worried about privacy intrusions enabled by installed apps – Just root your device, install Android firewall and simply block such apps from communicating over the network. This works great for apps that have no business communicating over the network — such as flashlight apps and games for children.

The other day, I downloaded an educational app on a spare Android tablet for my 1 yr old kid (basically pictures of fruits and vegetables with a pronunciation guide), and what do I see during the course of using the app, but an ad for a medical pot dispensary in my city — app went into the trash bin and I just ended up rooting the tablet and installing Android Firewall.

It is known that Google mines data too, but, at least they give users options to turn the features on and off.


Ganesh, I think that the vast majority of users who would blindly click “ok” when a flashlight app was requesting location data privileges have no clue what ‘rooting’ is, let alone how to do it.

Regarding your kid’s app, would you have felt better if it were an ad for CVS? Same thing, really.

Comment Zilla

Exactly why people buy iPhones… to avoid this silly crap.

By silly crap I mean “Just root your device, install Android firewall”.


Yeah, Apple definitely doesn’t have any “silly crap” like this. Do some research before posting and looking like an idiot. Just to name one instance of “silly crap” on iPhones, where customers downloaded an app on their phones which basically did nothing, but were charged $999.00. http://en.wikipedia.org/wiki/I_Am_Rich

Comment Zillasheep

Sound like every other Apple sheep. Every time you install an app on an android phone you are notified what services it is using. If you can’t figure out that a flashlight app shouldn’t have access to your GPS, maybe you should buy an iPhone.

Roger Andreas

Except for the fact that so many apps request access to so many things, users just get used to giving every app the OK for them all. It’s not a matter of people being stupid. It’s a matter of Android being really badly designed.

Nigel P

Funny. That was a good one. Iphones – lol. You’re a crackup.

Roger Andreas

You don’t really understand what the article says, do you?

Jeremiah Jones

I have been working with you silly Mac users for years now and you’re never going to learn how to read the news, are you? Too blinded by your Retina screens, aren’t you?


Or install the XPosed Framework, and then the XPrivacy module and revoke the app’s privacy-infringing permissions, such as its access to GPS data.


Google gives users an option to turn such features off? Not really… Having a rooted device I can tell you that there are hidden locations sync options (and more) which CAN’T be turned off – the option isn’t even shown on a normal device. Google is the worst of them all when it comes to illegal (after EU law) data mining. So someone who uses Google doesn’t really need to worry anymore about such Flashlight apps – but of course it’s always good to be careful.
