
“Brightest Flashlight” Android app disclosed location of 50 million people, but FTC imposes no fine

Even judging by the low standards of creepy data-mining apps, “Brightest Flashlight” did something pretty egregious. The free app, which was installed by at least 50 million Android users, transmitted users’ real-time locations to ad networks and other third parties. It was, in other words, a stalking device disguised as a flashlight.

In December, the Federal Trade Commission exposed the app’s antics and also announced a proposed settlement with the app maker, GoldenShores Technologies, a one-man operation based in Idaho. In doing so, the agency explained how Brightest Flashlight used legal flim-flam in a privacy policy and user license agreement to obscure what the app was up to.

The terms are now final, and they’re underwhelming, to put it mildly.

In a Wednesday announcement, the FTC confirmed that GoldenShores and owner Erik Geidl are not to collect app users’ geolocation without clearly explaining how and why they’re doing so and, in broad terms, saying who is receiving that information. The flashlight app maker will also have to keep records for the FTC to inspect, and Geidl will have to tell the agency about any new businesses he decides to start in the next 10 years. He also has 10 days as of the order to delete all the data he collected.

On paper, the order looks like stern stuff but, in practice, it’s hard to see how this amounts to real punishment. Even though Geidl did something deeply unethical, compromising the privacy of tens of millions of people, he will not pay a cent for his misdeeds.

The FTC said earlier that it didn’t seek financial restitution because the app was free. The agency’s justification is unsatisfying, however, because it doesn’t acknowledge that Geidl must have earned income by selling users’ geolocation. A better approach would have been to strip him of any profits he made through the app, and also name-and-shame the advertisers who bought the information from him.

While it’s good that the FTC is helping to publicize the mischief of app makers, it’s unlikely that bad actors will take the agency seriously until it starts setting down real punishments on people like Geidl and the ecosystem that sustains them.

This story was updated at 8:45 ET on Thursday to add that Geidl will have to delete the data collected prior to the order.

50 Responses to ““Brightest Flashlight” Android app disclosed location of 50 million people, but FTC imposes no fine”

  1. Roger Andreas

    Why doesn’t Android just do what iOS does and tell the user a given app wants access to your location or contacts or whatnot when you first launch it, and then give you the option to deny the app access to that information? Why is it all or nothing? I install iOS apps all the time and deny access to my personal stuff and then go about my day. Android’s approach where you have to give the app access to those things or just not install it is so dumb.

  2. Hello, all.
    This discussion, while interesting, is really moot.
    The whole problem is the ‘government’ is fraudulent, so the ‘protection’ for its ‘citizens’ is fraudulent too.
    You think the ‘permissions’ on the apps give away the racket?
    Read the labels on food packaging;
    the ‘government’ will let manufacturers put ANYTHING in the ‘food’, except vitamins.
    Too many healthy people mean the AMA, the hospitals, & big pharma wouldn’t make the billions they do, & the ‘government’ wouldn’t get as big a cut.
    Like cell phones; absolutely been proven to cause cancer, but at $340 BILLION + a year, the ‘government’ gets a percentage.
    Same thing w/ gas prices; the tax is a percentage, the higher the price, the more the ‘government’ gets.
    *IF* you want ‘protection’, you will have to provide for yourself; the ‘government’ is too busy looking out for itself to do anything for you.

  3. World seems full of deluded Android fanboys. Your OS is by its very nature full of adware, that’s what Google is, an advertising company. You have MUCH greater control over this, without rooting your device (itself a stupid move, frankly) on an iPhone. You can deny it all you want, but it’s the truth. You are on your own with Android, not the case with Apple.

    Apple is not without problems, but it’s miles ahead of Google, and innovating all that Google can only COPY. Good luck with heart bleed, you will need it on the ‘Roids.

    • Roger Andreas

      Exactly. I’m amazed that you can’t install apps on Android and deny the app access to that stuff. I’m laughing so hard at these guys who say, “Well, it tells you right up front what it accesses–don’t install it if you don’t agree.” Well, gee, maybe give the user control to cut the app’s access to that stuff off like… you know… iOS does. Android is so backward and its users are so deluded that they’re running the most advanced OS on the planet. LOL!

  4. Michau Kowalski

    and so what? .95B. find book: ‘The.Most.Important.Knowledge.You.would.Ever.Read.Implement.and.Live.up.to.Forever’

    THIS WORK HAS BEEN BANNED EVERYWHERE/ SAVE IT – PRINT – SPREAD FOR YOUR SURVIVAL.
    PLEASE **SPREAD** THIS VERSION OF FILE.

  5. Thomas Brookside

    What did his privacy policy actually say?

    Far from being a lenient settlement, I’m assuming this is one of those many, many, many times that the privacy policy said exactly what he would do, but the FTC is forcing him to stop, because they just don’t like it.

    He should have told the FTC to go fuck themselves, but since they’ll just make up law to try to destroy him if he does that, I guess I can’t blame him.

  6. Scott Bram

    While the FTC washing their hands of this is unfortunate to say the least, it should come as no surprise.

    While it certainly could have deleterious effects in the short term, inasmuch as it demonstrates future offenders will receive little more than a hand slap, there is the prospect that such clear betrayals of consumer trust will push App Store overlords, er, proprietors to take steps to better inform, if not outright protect, their customers.

  7. Two Android apps can give you a nice overview of all permissions held on an app basis.

    1. Android Assistant / Permissions

    AND

    2. Zoner AntiVirus Free / Apps & Permissions

    • Roger Andreas

      And iOS goes one step further and lets you deny the app access to those things. Unlike Android, the OS enforces this on behalf of the user. The problem with Android’s approach is that after a dozen app installs, users are going to tune those things out the same way people tune out EULAs and license agreements. It just becomes boilerplate so it’s ineffective.

      On iOS, you install an app. On first launch, you get a message like “Awesome App wants access to your contacts. [ allow ] [ deny ]”. See, iOS forces app-makers into a user-friendly approach and forces the app to ask permission which gives you a fine-grained control and doesn’t predicate access on whether you install or not.

      I’m just amazed that Android doesn’t do that. The attitude that you installed it so it gets access to whatever it said is so mind-blowingly backward.

    • Roger Andreas

      It’s all right here (see the tuaw.com link below.) It’s so dumb that Android doesn’t have this. I have absolute control over what info any app accesses in iOS. I can install freely without worry and control this as I see fit. I can turn things on or off per app at will. It’s so insane that Android lacks this and forces you to accept all or nothing when installing an app. Pathetic. http://www.tuaw.com/2014/01/29/how-to-control-which-ios-apps-have-access-to-your-personal-data/

  8. Serg Aspidoff

    100% of apps with ads in them require your proximate and precise location for ad targeting, you agree to it when you install the app. What’s the problem here?

  9. Hamranhansenhansen

    The US government sees its citizens as ready victims for any business person. There are almost zero consumer protections here compared to the other G7 countries.

  10. Android users, always ready for more punishment.

    “Just root your device!”; “Read the EULA!”

    Sure thing.

    iOS at least has a built in flash light….

  11. Kendall

    I’m thinking we need an app similar to Tinder, called “Muggr”. It shows you all the people nearby where the visibility is so poor they need a flashlight, making it super easy to sneak up on them. You could have the app automatically analyze selfies stored on the Flashlight user’s phone for bling value so you could swipe left if the person was too poor to rob, or swipe right to get walking directions and advice on types of weapons to use to threaten/attack them based on fears expressed in emails and Twitter posts.

    • Fred Wize

      It should give bank balance, salary, recent tax return info and credit rating, so I can better evaluate muggability. Also, resale value of the device they are running Flashlight on!

  12. What’s the point? There is no such thing as a free lunch. You either pay with money or with data.

    The entire point of Android is that users pay with data instead of money.

  13. Facebook collects your information in the exact same manner, and to a great degree. Their doing so is buried beneath a 10,000 word document designed to bore you into ignoring it.

    FTC?

  14. Mcbeese

    I’m not sure he should have received a stiffer penalty. Shame on him for trying to sneak something by the users, but that’s what new regulation is for, not financial punishment if there is no regulation.

    After all, every one of the affected users clicked “ok” when informed that a flashlight app was going to collect that data.

    People need to wake up and take personal responsibility for their digital environments. Ignore the install warnings and EULAs at your own risk.

    • But that explanation of what the app will do with the user’s location may be buried on page 37 of the EULA. Too often the ‘terms’ broadly state what the app will access AND modify, but it appears trivial and users click ‘agree’ and ‘Install’ the app.

      • Mcbeese

        Yes, and as I said, ignore the EULA and install warnings at your own peril. If app-makers provide 37-page EULAs that are a serious burden to get through, then people should either take the time to read them, or reject the app.

        Regulations designed to protect irresponsible people are usually an inconvenience for the rest of us.

      • Telecom Dude

        When I try to install Brightest Flashlight Free from the Android market, the install screen clearly shows all the permissions that app is requesting, including:

        Your location (approximate AND precise)

        Hit CANCEL

        • Roger Andreas

          Almost every app you download wants access to all kinds of things. After a while, users just tune it out. Stop blaming the users for Android’s crappy design.

          If anyone at Google had given Android any real thought in terms of user privacy and security, they’d just forbid giving every app access to whatever parts of the system it wants and lock down some of those things, then maybe people wouldn’t have to worry so much.

          But hey, that might get in the way of Google’s precious data-mining.

    • Kendall

      There’s no sneaking involved. When you install an Android app if it will get your location, it lists that in the permissions for the app. That’s probably why he was not fined. You can’t help people that do nothing to help themselves.

  15. Ganesh

    Android users worried about privacy intrusions enabled by installed apps – Just root your device, install Android firewall and simply block such apps from communicating over the network. This works great for apps that have no business communicating over the network — such as flashlight apps and games for children.

    The other day, I downloaded an educational app on a spare Android tablet for my 1 yr old kid (basically pictures of fruits and vegetables with a pronunciation guide), and what do I see during the course of using the app, but an ad for a medical pot dispensary in my city — app went into the trash bin and I just ended up rooting the tablet and installing Android Firewall.

    It is known that Google mines data too, but, at least they give users options to turn the features on and off.