
FTC Drops the Hammer On Maker of Location-Sharing Flashlight App

Posted by Soulskill
from the permissions-permissions-permissions dept.
chicksdaddy writes "The Federal Trade Commission announced on Thursday that it settled with the maker of 'Brightest Flashlight Free,' a popular Android mobile application, over charges that the company used deceptive advertising to collect location and device information from Android owners. The FTC says the company failed to disclose wanton harvesting and sharing of customers' locations and mobile device identities with third parties. Brightest Flashlight Free, which allows Android owners to use their phone as a flashlight, is a top download from Google Play, the main Android marketplace. Statistics from the site indicate that it has been downloaded more than one million times with an overall rating of 4.8 out of 5 stars. The application, which is available for free, displays mobile advertisements on the devices it is installed on. However, the device also harvested a wide range of data from Android phones which was shared with advertisers, including what the FTC describes as 'precise geolocation along with persistent device identifiers.' As part of the settlement with the FTC, Goldenshores is ordered to change its advertisements and in-app disclosures to make explicit any collection of geolocation information, how it is or may be used, the reason for collecting location information and which third parties that data is shared with."
  • by Imsdal (930595) on Friday December 06, 2013 @11:19AM (#45618679)
    But if the app doesn't know your location, how would it possibly know where to provide the light?
    • by iamhassi (659463) on Friday December 06, 2013 @01:06PM (#45619731) Journal
      Have to wonder how many other apps are doing this that have not been caught yet
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        Have to wonder how many other apps are doing this that have not been caught yet

        That's the big problem, the FTC is currently playing a losing game of whack-a-mole. The ultimate solution is to inform the developer community that there will be a three month grace period for them to come clean. After that start throwing offenders in prison until the problem goes away. Currently there are no enforced consequences, all the FTC was able to do is get Goldenshores Technologies, LLC, to agree to obey current laws on deceptive business practices and fraud. The scumbag owner is currently laughing

        • by mattack2 (1165421)

          That's the big problem, the FTC is currently playing a losing game of whack-a-mole.

          You could make that argument about all crime.

        • The FTC doesn't have the authority to immediately shutter any business. They can ask that they stop and issue a fine, or bring them to court, but it's not their decision which businesses can remain open.
      • by Mashiki (184564)

        Have to wonder how many other apps are doing this that have not been caught yet

        A lot, and I mean a damned lot. Even most basic QR readers do it now.

    • Droidlight has been around as long as Androids. Why is there need for competition in a free flashlight app?

      • I don't know why the guys developing the UI (both Google and manufacturers) don't just add the damn button present in half the mods out there. That just kills these guys completely.
  • Security model (Score:3, Interesting)

    by Anonymous Coward on Friday December 06, 2013 @11:26AM (#45618753)

    If someone still says that Android's (or IOS I suppose) security model isn't completely broken...

    Why can't the user choose to disable networking on a per-app level?

    • Re:Security model (Score:5, Informative)

      by MachineShedFred (621896) on Friday December 06, 2013 @11:32AM (#45618825) Journal

      On iOS, you do have granular permissions - if an app requests your location, you can say no, and the app can go fuck itself - the API doesn't give it shit. It's not all-or-nothing.

      Disabling data access per app is a different story though, so your point still stands.

      • "Disabling data access per app is a different story though, so your point still stands."

        On iOS 7 you can do this, but only if you're not using wifi. In the prefs you can turn off cellular data access on a per app basis. You can also see how much of your cellular data plan each app is eating.

    • For Android, AFWall+ is a good frontend for iptables, and makes it easy to create per-app rules. It includes its own iptables and busybox binaries if your rom doesn't have them.
  • Permissions? (Score:2, Insightful)

    by Anonymous Coward

    Who gives a flashlight app permissions to access location, internet, flash drive, etc?

    • Who gives a flashlight app permissions to access location, internet, flash drive, etc?

      Only some rooted android phones (or custom ROMs) allow fine-grained access to allow/deny explicit permissions for applications. Every 'droid I've had with T-Mobile and AT&T has not allowed such control by default. Only a select few actually look at the requested permissions before agreeing to install an app, even worse, the android permissions are incredibly vague. "Phone State" means idle/sleep/calling/etc..., but the wording sounds like any app can make calls on your behalf.

      • Only some rooted android phones (or custom ROMs) allow fine-grained access to allow/deny explicit permissions for applications

        Not true. Stock Android 4.3 has that functionality. It's just buried under a lot of menu choices.

    • Who gives a flashlight app permissions to access location, internet, flash drive, etc?

      users who have finally seen the light, that's who.

      • Who gives a flashlight app permissions to access location, internet, flash drive, etc?

        users who have finally seen the light, that's who.

        No, it would appear to be users who are left in the dark.

  • Some Hammer (Score:5, Insightful)

    by TubeSteak (669689) on Friday December 06, 2013 @11:32AM (#45618815) Journal

    No civil fines.
    No criminal penalties.
    No admission of guilt.

    • Re: (Score:2, Informative)

      That's because they are a corporation.

      A corporation under US law is a "Person" that is superior to humans and thus cannot be faulted for anything.

      • by Holi (250190)

        That's because judges are only human, and who are they to question the motives of a Corporation.

    • Nerf hammers *are* technically hammers.

    • by tippe (1136385)

      Yes, I've seen this type of hammer before. My son has one. It's a big blue inflatable thing that goes "Squeek!" when you hit stuff with it. The FTC must obviously have one much like it. Maybe they got theirs from a country fair as well...

    • What can we do? Pressure the FCC to take stronger action. Pressure our representatives to give the FCC more power to take stronger action in situations like this. Create a public database of companies and apps that are known to spy on users, and attack their bottom line.
  • Don't be Naive (Score:5, Insightful)

    by A10Mechanic (1056868) on Friday December 06, 2013 @11:33AM (#45618827)
    This is just the tip of the dirty iceberg here. Thousands of apps do this and far worse for your privacy. Caveat Emptor
  • by dingleberrie (545813) on Friday December 06, 2013 @11:42AM (#45618929)

    I have an iPhone 5 and a Nexus 7.
    When I download an app on the Nexus, I always feel an uneasiness as I look at all the access it wants to my contacts and other invasively unnecessary permissions. So each time I must make a decision to accept or reject using the app. I've rejected some that just seem overreaching, but I've become less strict over time... like I'm accepting to lose a battle. I assure myself, that my phone has all my real contacts, not my Nexus 7 and then begrudgingly accept the conditions. This is one reason I will not use an android phone and why I rarely download apps on android.
    http://yro.slashdot.org/story/13/12/06/1452241/ftc-drops-the-hammer-on-maker-of-location-sharing-flashlight-app# [slashdot.org]
    iOS, for those that don't know, will let me decline permissions to track my location or share my contacts on a per-app basis. Even if I enabled it before, I can go into the control center and disable it. I don't benefit from that aspect of the iOS app, but I'm fine with that. For all the control that Android is supposed to give the user, iOS shines here and I wish that is one thing that Android would copy.

    • by Anonymous Coward on Friday December 06, 2013 @12:20PM (#45619293)

      Oh you have a Nexus 7? Perfect, you can download App Ops to select permissions on a per-app basis.

      Any Android 4.3 or higher device supports it. And root is not required.

    • by ADRA (37398)

      1. Don't download apps that use permissions you wouldn't give them
      2. If you're using Android 4.3/4.4, look for 'App Ops' (The one that requires zero permissions) from the play store. It allows you to turn specific (though not all alas) permissions off per app: Notably SMS, reading contacts, keeping the phone on, polling your location, call log/making calls/clipboard/audio focus/camera/record audio/modifying system settings...

      The benefit of Android's App Ops is that it also tells you when the app last used

      • by Obfuscant (592200)

        2. If you're using Android 4.3/4.4, look for 'App Ops'

        Citation required. I did a google for "App Ops" and there are at least four different apps on the Play store called "App Ops", and two also-rans called "Permission Manager".

        • I found 3 of the ones called App Ops, and they're all the same as far as I can tell - they open a hidden panel baked in to Android, except one allows you to search apps by name. I can't see the permissions, though, as I'm on the website, so that may be a substantial difference.
        • by ADRA (37398)

          I used this one btw: https://play.google.com/store/apps/details?id=fr.slvn.appops [google.com]

          And I have verified that disabling a permission changes the behaviour of the apps (PvZ2 normally disables outside sound, but this change overrides that, so you can still listen to music while playing for example).

  • by Greyfox (87712) on Friday December 06, 2013 @11:46AM (#45618959) Homepage Journal
    Their flashlight app was requesting network and GPS privs? There's obviously a fundamental problem with the Android security model, and I'm just going to go ahead and point my finger at people. First off, people assume that just because it's on the Play store, it's safe to install. Obviously not the case. Second, people obviously don't review the privs their apps request and say something like "Why the fuck does a flashlight app need access to my GPS and network?" And third, lazy developers have no incentive not to request every priv in the model.

    I'd heard Cyanogenmod was experimenting with a means to deny specific privs to an application rather than take the all-or-nothing approach of "You have to give me all this shit or you can't install it." That's a feature I'd really like to have for my Android phone.

    • by Mr_Silver (213637) on Friday December 06, 2013 @12:08PM (#45619135)

      Their flashlight app was requesting network and GPS privs? There's obviously a fundamental problem with the Android security model, and I'm just going to go ahead and point my finger at people. First off, people assume that just because it's on the Play store, it's safe to install. Obviously not the case. Second, people obviously don't review the privs their apps request and say something like "Why the fuck does a flashlight app need access to my GPS and network?" And third, lazy developers have no incentive not to request every priv in the model.

      Not to mention that although for a very basic app (like a flashlight one) it is possible to spot a nefarious permission, once you start looking at a much more feature-rich app then it gets very difficult for users to work out the validity of the permission requested.

      For example, a mobile banking app wants your location. Is this because:

      1. It's sending location data to a server to track you?
      2. It's sending it to third party companies for location based advertising?
      3. It wants that information so it can tell you where the nearest ATM or bank branch is?
    • by cdrudge (68377)

      Second, people obviously don't review the privs their apps request and say something like "Why the fuck does a flashlight app need access to my GPS and network?"

      How is the user to differentiate legitimate vs illegitimate use of GPS and network access?

      For instance, a restaurant review application wants GPS info to tell you what restaurants are near by, and needs network access to load data. Perfectly legitimate needs for those permissions and without those permissions being granted, the app is pretty useless

      • by jonbryce (703250)

        The restaurant app needs to phone home with the location data in order to get the list of nearby restaurants. Once it is on their server, what they do with it is outwith your control, but restaurants will probably pay a referral based commission so they will need to have details of where people use their apps for that purpose.

      • The answer is the user can't differentiate, unless we have access to the source code.

        So here's an open source flashlight app you should be using:
        MrWhite: https://fdroid.org/wiki/page/org.bc_bd.mrwhite [fdroid.org]

        Or Torch: https://fdroid.org/wiki/page/com.colinmcdonough.android.torch [fdroid.org]

        Install them by installing the F-Droid (FOSS for Android) package manager from Google Play.

        • by cdrudge (68377)

          But how do I know that F-Droid is clean? :)

          I wasn't looking for suggestions for a flashlight app. It was more of a specific example in an abstract discussion. My comment's parent asked the specific question why a flashlight app needs gps and network permissions to which I suggested legitimate reasons why such permissions would be requested. They may not be needed for the app to operate correctly, but they may be needed to support the developer's work.

    • by Sockatume (732728)

      Unfortunately app permissions on Android are currently "all-or-nothing" and, worse, they're requested all at once at installation, so users are conditioned to just click through it and make the app work. (See also: Windows UAC prompts.) It's a design issue, not a user intelligence issue.

    • by tlhIngan (30335)

      Their flashlight app was requesting network and GPS privs? There's obviously a fundamental problem with the Android security model, and I'm just going to go ahead and point my finger at people. First off, people assume that just because it's on the Play store, it's safe to install. Obviously not the case. Second, people obviously don't review the privs their apps request and say something like "Why the fuck does a flashlight app need access to my GPS and network?"

      The problem with the Android permissions mo

  • Only the NSA may track every phone on the planet [slashdot.org]!

    But in their defense, you at least got a free flashlight out of it and your tax money didn't have to pay for it, so...

  • by sinij (911942) on Friday December 06, 2013 @11:58AM (#45619037) Journal

    As someone that used to work with mobile security - this is a tiny minority that got caught. If you carry your mobile phone with you, then you have no reasonable expectation of privacy. Treat your smartphone as a combination of public WiFi and a court-assigned GPS tracking ankle bracelet.

  • flAshlight app. With an 'a'. Had me worried for a bit.

  • Part of my job involves inspecting outbound network connections from android apps. Practically every ad network is sending your coordinates or location anyways. It seems a bit weird the FTC cared that the app was doing the same when it already had ads on it...
    • I'm assuming the ad networks only send IP location data (not very accurate, generally only gives the nearest big city and is often off by hundreds of miles) while the app sends GPS data.
  • This settlement meant that the company had to do NOTHING other than to go forth and sin no more. They did not have to pay a single solitary dime, consent to long-term monitoring, or do anything really, beyond promising they would not continue to do something they unambiguously should never have been doing in the first place.

    Yeah, that'll teach 'em!

  • When you install an app, Android tells you the permissions the app needs and asks you to confirm.

    If you're dumb enough to not question why a flashlight app would need access to GPS and the internet, and you still install the app anyway, then you deserve all you get.

  • Great, the FCC told them not to do it. Let's just say that actually gets them to stop harvesting the data (hahahaha)... what about the data that's already been harvested? They've already stolen a valuable resource which they can continue to sell to 3rd parties.

    For that matter, what about the data already in the hands of the 3rd parties? They can do whatever they want with it with impunity.

    Maybe we need to hold 3rd party marketers liable, too. Pawn shops are on the hook if they buy stolen items. Let's
  • by efalk (935211) on Friday December 06, 2013 @12:55PM (#45619645)

    I have a couple of calculator apps on the Android market. Obviously, a calculator has zero need for any of your personal data, and that's how much I collect -- zero.

    I recently received an email from "Appayable.com". They provide me with a spyware module to add to my apps. The spyware module collects users' personal data and uploads it to Appayable.com. I get paid. Profit!

    They say they only sell anonymized data, but I still thought it was a pretty reprehensible business model. I suspect it's pretty common practice, though.

    The letter:

    I noticed that RpnCalc Financial -- HP 12C has seen a growing number of downloads in recent weeks. I wanted to reach out and discuss how my company, Appayable, offers developers the opportunity to monetize their app without placing ads or impacting user experience

    We pull the social profile of your users, anonymize the data, and identify the mobile device. Appayable's SDK does not take up screen real estate on your application, maintaining the great user experience, and providing more revenue for you. Plus, we do not rely on impressions - as we do not place ads within your app - thus, you generate revenue based on a single download and install. No need to retain the user - only have them open the application once.
    The revenue stream created is ongoing based on our data partnerships, regardless of continued use of the mobile application.

    We've worked hard to make it really simple for you to integrate our service into your app, and as a result have over 6,500 applications on our platform in only 6-months! When you have a few minutes, I'd love to talk to you or the appropriate person about working with us.

    • by tlhIngan (30335)

      I have a couple of calculator apps on the Android market. Obviously, a calculator has zero need for any of your personal data, and that's how much I collect -- zero.

      I recently received an email from "Appayable.com". They provide me with a spyware module to add to my apps. The spyware module collects users' personal data and uploads it to Appayable.com. I get paid. Profit!

      They say they only sell anonymized data, but I still thought it was a pretty reprehensible business model. I suspect it's pretty common pr

    • I get this too. Also get emails where people have uploaded my apps and created an account for me to some korean market.

      I think the ones I hate the most though are the emails asking if I want to buy fake ratings.

  • Simple LED Widget (Score:4, Informative)

    by slinches (1540051) on Friday December 06, 2013 @12:59PM (#45619687)

    I just recently got a Nexus 5 to replace my aging Nokia N9 and was amazed by the near complete lack of simple tools that don't want access to your data in return. For the N9, there were a ton of useful free open source tools provided by the community over at maemo.org [maemo.org]. That community was great. Every time I thought that there was something that was missing or new capability I wanted, I'd look there and find an app that already exists or a group of people in the process of building it.

    The contrast between that experience and the excessive commercialism of Android was startling. After looking around for a while I did find this Simple LED Widget [google.com] that is just what it says and doesn't require any unnecessary permissions, but I had to sift through dozens of apps like the one in the TFA.

    Is there anything even close to maemo.org for Android? I've heard some good things about F-Droid [f-droid.org], but I haven't looked into it enough yet to know if it's the best option.

    • by nblender (741424)

      Me too. I just switched from iphone to N5. I couldn't find the built-in flashlight app that I assumed would have been standard fare at this point. Go to the Play store and the first 10 or so flashlight apps all want access to your phone calls, sms, filesystem, and network.... I finally found one that wanted only Camera access and Network. I still don't know why an app to toggle a GPIO would want access to the network... Other things that are basic functionality on IOS are apps you have to download and m

  • the missing app (Score:4, Insightful)

    by Tom (822) on Friday December 06, 2013 @01:32PM (#45619983) Homepage Journal

    What's obviously missing is a Mock App - something that will satisfy all those requests and provide them with the data they want - fake data.

    Sadly, I don't expect Google - whose revenue stream is largely based on advertisement - would make that possible in Android.

  • You people have no idea what you're loading onto your phones or what it's doing with your data and your life!

    Why isn't there more comprehensive oversight of these apps before they're released to the public? Can't they require the source code be submitted to the 'app stores', and proofread to prevent this sort of thing from happening?
  • 1) Use DroidLight. It's by Motorola, but it works on non-motorola phones too. It requires no permissions.

    2) We are in a sad state of affairs.

    9 out of 10 flashlight apps in the Android store require unnecessary permissions. The Android store needs ONE flashlight app. Maybe 2. Unfortunately, idiots download apps that require 100 permissions, then rank it a 5/5. This is such a trivial problem for Google to solve: one Google Play Store employee could ban 90% of those apps with a day of research and resol

    • 1) Use DroidLight. It's by Motorola, but it works on non-motorola phones too. It requires no permissions.

      The ability to control the flashlight is a permission.

      It also, perhaps for non-nefarious reasons, requires the "Take pictures and videos" permission.

      My Samsung Galaxy SIII Mini, for what it's worth, came with a home screen widget called "Assistive Light" which turns on the flash instantly, unlike every single app I tried, all of which took seconds.
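
The check several commenters describe doing by eye (what does a flashlight app request beyond the camera LED, and can that data leave the device?), written out as an added example that is not part of the original discussion. It assumes the app's manifest has already been decoded to text XML; the baseline set, the sample manifests and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: the permissions a flashlight plausibly needs (camera LED only).
FLASHLIGHT_BASELINE = {P + "CAMERA", P + "FLASHLIGHT"}

LOCATION = {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"}
DEVICE_ID = {P + "READ_PHONE_STATE"}
NETWORK = {P + "INTERNET"}

# Constructed sample manifests (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""

CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    return perms


def audit(manifest_xml, baseline=FLASHLIGHT_BASELINE):
    """Compare requested permissions with the baseline for the app's purpose.

    'excess' lists everything beyond the baseline. 'findings' flags the
    combinations that matter for privacy: sensitive data is only a remote
    exposure when the app can also reach the network.
    """
    perms = requested_permissions(manifest_xml)
    has_network = bool(perms & NETWORK)
    findings = []
    if has_network and perms & LOCATION:
        findings.append("location+network")
    if has_network and perms & DEVICE_ID:
        findings.append("device-id+network")
    return {"excess": sorted(perms - baseline), "findings": findings}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(label, audit(manifest))
```

A permission list only shows what an app is able to do; as the banking and restaurant examples in the thread point out, it cannot show what the app does with the data once it has it.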
