American smartphone maker Blu settles data collection on phones with FTC

The American smartphone company Blu has reached a settlement with the regulator FTC. He had filed a complaint against the company because it allowed it to collect information from users, such as the content of messages, through a partner.

As a result of the settlement, Blu, a Florida company that sells phones through retailers such as Amazon, Walmart and Best Buy, must create a security program to protect consumer data. This program is monitored by a third party every two years for a period of 20 years. In addition, the company must not make false claims about the measures it takes to ensure privacy and security.

In its complaint, the FTC alleges that Blu partnered with Chinese company Adups, which provided security and OS updates for Blu’s phones. However, that company collected through its software “much more data than necessary for the performance of its task,” according to the regulator. This included data such as text message content, real-time location data, call and message logs with full phone numbers, contact lists, and lists of installed applications.

The regulator blames Blu that it has not taken appropriate security measures and that it has not exercised sufficient care when hiring third parties. In this way, Adups could obtain the data without the knowledge or consent of consumers. In addition, the Adups software would contain ‘common vulnerabilities’ that could give an attacker control of the device.

Adups’ practices were exposed in November of 2016 by the security firm Kryptowire. Shortly after, another company claimed the software could be found on even more devices from other manufacturers; in total there would be 43 manufacturers. After the information went public, Blu said that Adups modified its software. But according to the FTC, the American company also allowed the software to run unattended on its older devices.