Phone maker BLU is settling charges that it allowed a China-based partner to collect a mountain of customers’ personal data—including full content of text messages, real-time locations, telephone numbers, contacts, and installed apps—despite promises it would keep such details private.
Under a settlement with the US Federal Trade Commission announced Monday, BLU agreed to implement a “comprehensive data-security program” to prevent similar privacy leaks in the future. Both the company as a whole and co-owner and president Samuel Ohev-Zion are barred from misrepresenting the extent to which they protect the privacy and security of personal information. The company further will be subject to third-party assessments of its security program every two years for 20 years and must comply with record-keeping and compliance-monitoring requirements.
The settlement stems from research published in November 2016 by security firm Kryptowire. It found that BLU phones were transmitting a massive amount of private customer data to AdUps Technologies, a Shanghai-based provider of firmware that ran on the affected devices. Kryptowire said AdUps appeared to gather the data to help phone manufacturers and carriers track the behavior of their customers for advertising purposes.