
Android flashlight app tracks users via GPS, FTC says hold on

Buried deep in the Brightest Flashlight Free app's EULA is language that lets the maker collect and resell user location data. An FTC complaint leads to better user notification and deletion of all existing data.

[Image: Flashlightapp121213.png, the app's permission request slide]

An article I wrote in April of 2012 started out mentioning how my neighbor came over asking me why in the world (his language was more colorful) an Android flashlight app would need to know the physical location of the phone (see the slide to the left).

I remember trying to humor my neighbor by mentioning, "In case it gets lost." Needless to say, he did not appreciate my attempt at levity. Remembering my extolling the virtues of Android permissions only a few days earlier, he made me promise that I would get to the bottom of this issue.

The answer

I didn't expect it to take this long to learn why, but now that I know, the delay is understandable. The company, GoldenShores Technologies, LLC, is using the onboard GPS to make money on a free app by selling the anonymized user data it collects. And the amount of data is not trivial: over one million people have downloaded the flashlight app.

This information finally surfaced because the Federal Trade Commission (FTC) became involved, eventually issuing an official complaint against Goldenshores Technologies (PDF). The complaint boils down to the following counts.

Count 1: Goldenshores Technologies did mention in the EULA that it would be collecting data for various reasons. The FTC was bothered by:

"[R]espondents have failed to disclose or failed to adequately disclose that, when users run the Brightest Flashlight App, the application transmits, or allows the transmission of, their devices’ precise geolocation along with persistent device identifiers to various third parties, including third party advertising networks."

The FTC felt that the failure to disclose this practice in an understandable fashion wrongly influenced individuals who were deciding whether to install the application.

Count 2: The FTC claims the EULA was not clear in pointing out the flashlight app started collecting data before the EULA was agreed to:

"Regardless of whether consumers accept or refuse the terms of the EULA, the Brightest Flashlight App transmits, or causes the transmission of, device data as soon as the consumer launches the application and before they have chosen to accept or refuse the terms of the Brightest Flashlight EULA."

The FTC complaint then concludes both counts constitute unfair or deceptive practices that affect commerce and are in violation of Section 5(a) of the Federal Trade Commission Act (PDF).

Good news

It seems the system worked. Goldenshores Technologies and the FTC came to an agreement (PDF). Jessica Rich, Director of the FTC's Bureau of Consumer Protection, had this to say in the FTC press release:

"When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it. But this flashlight app left them in the dark about how their information was going to be used."

The settlement reads that Goldenshores Technologies must disclose in a clear and prominent fashion what information it intends to collect. The agreement also requires the app to be configured so the consumer agrees to the collection before it starts. Goldenshores Technologies is also required to delete any personal information already in its database.

Clearly and prominently

The FTC agreement used 230 words just to define "clearly and prominently." To see if Goldenshores Technologies figured out what clearly and prominently meant, I started working my way through the company's EULA and Privacy Policy -- no small task, considering the two documents run to 2,965 words. I searched both and was unable to find GPS mentioned in either. I did find the word location used once, but not in connection with the practice the FTC complained about.

Here's my problem: Isn't it a bit much to ask people to wade through almost 3,000 words of complicated legalese just for a simple flashlight app, and then still be unclear as to why the app asks for permission to use the mobile device's GPS?

Final thoughts

One could easily come away doubting that anything good came from all the effort. The intent to help appeared to be in place, but it was quickly lost in the process. It's as if two warring factions lobbed volleys back and forth until they were satisfied.

My advice: If you see a free app asking for permission to use the onboard GPS system, and the app does not need to know where the phone is to work properly, I'd look elsewhere.


33 comments

techrepublic

Buy a Windows phone; it tells you ahead of time what resources the publisher uses. The rule of thumb is simply that anything free uses some form of advertising unless it's provided for training. People don't make this stuff for free. There has to be some upside for the publisher. With that said, disclosure, which is what the article is about, is important. If the publisher doesn't put right on the top of the agreement or publisher's ad what most people would object to using, it's probably embedded somewhere in the EULA. Pass on the install. I'm in the advertising industry and I'm happy that the FTC is pushing for strict disclosure. Chances are you have another application that is transmitting your location, and even if it's not, the publisher can use geofencing when they acquire your phone number.

bcraigie

Is the data really "exiting" or is this a typo?  "existing" would make more sense in the context.


Cannot get the proof-readers these days! Lol


Gisabun

It is time for Google to get tough on these apps that want access to services they should have no business in getting access. Don't care how long it takes. Google should hire summer students [they are cheaper] to start combing every application and see which want access to unneeded services. Anything that goes overboard should be pulled immediately and the app recalled. If they are a paid app, bill the developer and refund the user.

IndianaTux

"...this flashlight app left them in the dark ..." Really?  Someone at the FTC actually said this?  What has happened to the level of professionalism in this country's government that we would reduce ourselves to using puns in official statements?  It's no surprise companies have little regard for privacy regulations, and no wonder most of the world doesn't take us seriously anymore.  

Stratocaster

Oh, come on, people.  You do this for a living.  There are two typos in the headline.

medfordmel

I was looking for a flashlight app, and this was one of the more popular ones.  As soon as I saw the requested permissions, I was pretty sure a flashlight didn't need to know my location, so I stopped installation right then and there.


Google could place a prominent warning to novice Play Store consumers, reminding them to carefully review each app's requested permissions and use common sense before installing.


It's not Google's responsibility, and asking them to screen apps more closely would probably be decried as censorship, but they could educate their consumers.

Flawless Cowboy

To be honest I thought this sort of thing was commonplace now, though to find it in a flashlight app does seem a little cheeky (and a sad indictment on a million+ users who blindly tapped 'ok' to get rid of the annoying box that was delaying their shiny new flashlight experience).


In the same vein I was baffled to see a recent Dropbox update is now demanding some form of camera access, and also the ability to read contact data. Oh no doubt there's some vaguely-plausible reasoning behind it, with a carefully-worded company response floating around out there somewhere repeatedly using the word 'feature', but the overall trend seems to be that devs are testing the boundaries of the average user, and haven't yet found the limit where they begin to push back.

clengfelder

Folks,

This goes beyond just the flashlight app mentioned.  Look at the permissions on any free app in the Play Store.  Nearly everyone asks for elevated permissions.  This is the same thing that malware does, the only difference being that they are asking permission first.

clengfelder

Folks,

This goes way beyond just a flashlight app.  Look at the permissions from any free app in the Play Store.  Nearly every one asks for elevated permissions.  These apps do the same thing as malware, the only difference is they are just asking for your permission first!

SecureAntiVirus

Always check the permissions requested when downloading a new app...and for reasons far more sinister than the one in this article. A lot of malware can be caught because it asks for access to your contacts or to be able to send texts, for example. A flashlight app or game wouldn't need to do that. It's also a good idea to install an anti-virus app on your Android device to protect yourself from malware you don't recognize before downloading.

Snak

In my mind, the ONLY 2 applications that should ever need your location etc are mapping applications, like a GPS navigation application (eg: HERE Drive (W8)), or a Find My Phone application. I cannot see any other reason anyone should need to know where I am.  


I too hate parasites.

PhilippeV

In fact it is a defect of the permission system used in Android to allow an application to run.


These permissions should be maintainable by users, EVEN if the application was installed and the permissions accepted. We should be able to remove ALL such permissions from any app, meaning that the application would still continue running, but would no longer be permitted BY THE ANDROID OS itself to use these permissions.


This means that those applications would receive a "permission denied" exception/error when they attempt to use the Android API that allows them to collect these data. The application would have to work without it. It would still display ads downloaded from the Internet, but without the user profiling and targeting data (which are in fact completely not useful given the kind of deceptive ads that these apps are still displaying, which are clearly extremely badly targeted!)


We should also be able to remove the permissions of these apps to connect to the Internet to download ads. These apps would then only display the ads they have in their own local cache, but nothing more. We really have too many apps in Android (also in iOS, or Windows Phone...) that constantly connect to the Internet to make various updates, or send data too often. These apps consume too much bandwidth, too frequently.


We should be able to turn off these unnecessary connections. Even if this means that these apps will refuse to run and will become unusable. Great! We'll uninstall them. Most of these apps (not just free ones, because many paid apps are also doing the same thing without good reason) will stop being marketed on the app stores.


Mobile OSes need better control of permissions requested by apps, to allow users to manage them fairly. For this reason, all commercial mobile OSes are no longer trustable. Neither are their online app stores.


If Android OS developers refuse to make such an update to their OS, we'll need a better source for this OS, from more reliable open-source developers. Bye bye Google Android (or iOS, or Windows Phone...), welcome to Mobile Linux and a new fresh app store that will be more trustable.


Craig_B

It seems some companies don't want to do what is right for the customer, only what is legally right for the company.  This ultimately forces the government to create laws to force companies to lean a little more toward the customer. 


Perhaps we need a simple label for applications:

AppName:  Flashlight

Description:  Turns camera flash on full time to be used as a flashlight.

Data Collected: App version, Time used, How long app is used, GPS data when app is used.

Privacy: No PID information collected.


Then give the legal statement that they still provide, which basically says:  We collect computer data which we use to improve our service and give to 3rd parties to provide services for you (that is, sell you stuff to make your life wonderful).



sikkerhed

Using App Permissions from F-Secure on my Android put a lot of things in perspective. And it's free.

mark

I totally agree and have not installed two flashlight apps because they have NO REASON TO TURN ON MY GPS!


I hate a parasite.

edmcguire

@Gisabun

Are you SERIOUS? GOOGLE is the biggest DEALER in Privacy Violations and POLICIES Encouraging Information WHORING by any means. Anything GOOGLE Related (GOOGLE, GMAIL, GOOGLE CHROME, ANDROID, CHROME BOOK, YOUTUBE, Etc...) Takes/STEALS your Information and SELLS it to BIG CORPORATIONS and also GIVES it to the NSA, CIA, FBI, ATF, TSA, DHS, Etc... WITH NO WARRANT OR PROBABLE CAUSE NEEDED. (They got to be BILLIONAIRES by making a PROFIT on your Personal details).

PEOPLE need to get tough on GOOGLE. It's hard, but we need to switch from The GOOGLE PIRATES.

Jaytmoon

@IndianaTux

What do you expect from the FTC? It, like most of our government, is crippled by corporate corruption, incompetence in staffing and a total disregard for individual rights!

Michael Kassner

@Snak


Many people like the shopping apps that use GPS to locate nearby stores that supply what they are looking for. That seems like a viable app.

medfordmel

@PhilippeV Allowing users to manage permissions on a per-app basis - similar to Windows-based firewall / anti-malware software - is an excellent idea.  A developer could code their app such that it wouldn't run without the excessive permissions, as that's their call, but if I don't want an app to make use of those permissions, that's my decision.


If an app won't run without excessive permissions, I don't want it anyway.

frylock

@PhilippeV I'd like to see this too, but I don't think it's in line with Google's motivations. Users' needs are a distant second (third? fourth?...) to data collection.

boomchuck1

@PhilippeV- We are too used to getting apps for free.  These folks that build the apps, for the most part, aren't doing it out of the kindness of their hearts, they actually expect to earn a living, or at least some money, out of the work.  Ads are one way they do that, and just displaying ads available at the time you download the app is not going to work.  They need to be able to refresh them and draw in new customers.  Many apps offer a version where you pay for the app and after that there are no more ads.  If you don't want ads then pay for the app so the developer gets something for the work they put into it.


As for GPS tracking like the flashlight program, I'm with you on that.  Don't like it, don't want it.

PhilippeV

I hope that the FTC will investigate further on all these app stores, instead of just focusing on a single app. This may be the first issue it has to decide on, but there will soon be many other apps with similar issues, and the solutions must be found more generally in ALL mobile OSes, ALL app stores, ALL internet browsers, ALL applications more generally (including those you have bought, including games for your console or PC).


For now, all we can do is to install a security suite and antivirus that will inspect the sets of permissions requested unfairly by these apps, and will block/blacklist these deceptive trojan apps so that users will be informed and will drop them or block their installation. Help from antivirus suites is welcome!

t_a_ray_cissp

@Craig_B Agree!

The EULA must have a banner no bigger than a single screen with this information.  If not, GooglePlay, Amazon Marketplace, Apple's AppStore, etc.  ought to be investigated and fined by the FTC as accomplices in the finding -- namely: unfair and deceptive trade practice. 

Allowing the EULA to be so vague AFTER such a finding is abysmal.

Michael Kassner

@Craig_B


Their justification is that they are supplying a free application. I guess I can see that, but there is no real visibility as to what they do with the information. And, the big deal to the FTC was this particular app collected information whether you agreed to the EULA or not. 

cforlife

@edmcguire Why would Google sell information to its competitors when their strength relies on knowing information that their competitors don't? It's their biggest perk when using their services, and their entire business is built on this core principle. Stop and think for a moment and stop spreading fake bullshit.


https://www.google.com/policies/technologies/


"We don’t sell users’ personal information."

Flawless Cowboy

@PhilippeV I have no experience with the FTC, but most of these "regulators" seem to follow a complaint-driven model these days, unless there's some sort of scandal/public outrage/sustained media interest etc.


I guess it's just easier that way :(

Michael Kassner

@PhilippeV


I am not sure of the process, or how the FTC gets involved. Someone told me they act upon complaints, but I have not been able to verify that.

cpguru21

@Michael Kassner @sikkerhed The F-Secure app does nothing to fix it; however, it lists your apps by how many permissions they have. You can then look deeper into what has access to what. It is just a helpful tool to look at the current apps on your device and what they have access to. Sadly, most of the built-in apps rank pretty high.


One of my favorite explanations on the f-secure app:

CALL_PHONE

Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed. ~SERIOUSLY???


I agree that this is a bigger problem and like the idea of being able to block access from the OS as stated above.
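Both the article's closing advice (a free app that asks for GPS without needing it is a red flag) and the comment above (a tool that ranks installed apps by the permissions they hold) come down to the same check: compare what an app declares in its manifest against what its purpose justifies. The script below is an added example written for this page; it is not code from the article, from TechRepublic, or from F-Secure's App Permissions app. It parses the `<uses-permission>` entries of an `AndroidManifest.xml`, scores the permissions that fall outside an expected set for the app's category, and ranks several apps by that score. The manifests, app names, category baselines and risk weights are all constructed for the example; the permission names themselves are real Android permission strings.

```python
"""Rank Android apps by permissions their category does not justify.

Added example for this page (not the article's or F-Secure's code).  Works
offline on the <uses-permission> entries of an AndroidManifest.xml.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree's Clark notation for android:name

# Constructed risk weights: higher means a user is more likely to object.
# READ_PHONE_STATE exposes persistent device identifiers, the other half of
# what the FTC complaint says was transmitted alongside geolocation.
RISK_WEIGHTS = {
    "android.permission.ACCESS_FINE_LOCATION": 3,
    "android.permission.ACCESS_COARSE_LOCATION": 2,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.READ_CONTACTS": 3,
    "android.permission.SEND_SMS": 3,
    "android.permission.CALL_PHONE": 3,
    "android.permission.CAMERA": 1,
    "android.permission.INTERNET": 1,
}

# Constructed baselines: what an app of this kind plausibly needs.
EXPECTED_BY_CATEGORY = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
    "navigation": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"},
}


def parse_permissions(manifest_xml: str) -> set[str]:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def audit(manifest_xml: str, category: str) -> dict:
    """Compare declared permissions against the category baseline.

    'excess' is every declared permission outside the baseline; 'risk_score'
    sums their weights; 'tracks_location' flags the article's specific concern.
    """
    declared = parse_permissions(manifest_xml)
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    excess = sorted(p for p in declared if p not in expected)
    return {
        "permissions": sorted(declared),
        "excess": excess,
        "risk_score": sum(RISK_WEIGHTS.get(p, 0) for p in excess),
        "tracks_location": any("LOCATION" in p for p in excess),
    }


def rank(apps: dict[str, tuple[str, str]]) -> list[tuple[str, int, list[str]]]:
    """Rank apps (name -> (manifest_xml, category)) by risk score, highest first."""
    rows = []
    for name, (manifest_xml, category) in apps.items():
        result = audit(manifest_xml, category)
        rows.append((name, result["risk_score"], result["excess"]))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def _manifest(package: str, *permissions: str) -> str:
    """Build a minimal constructed manifest declaring the given permissions."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f"{uses}<application/></manifest>")


# Constructed sample manifests (not the real Brightest Flashlight manifest).
RISKY_FLASHLIGHT = _manifest(
    "example.flashlight.risky",
    "android.permission.CAMERA", "android.permission.FLASHLIGHT",
    "android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
)
CLEAN_FLASHLIGHT = _manifest(
    "example.flashlight.clean",
    "android.permission.CAMERA", "android.permission.FLASHLIGHT",
)
NAV_APP = _manifest(
    "example.navigation",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET",
)

SAMPLE_APPS = {
    "RiskyFlash (constructed)": (RISKY_FLASHLIGHT, "flashlight"),
    "CleanFlash (constructed)": (CLEAN_FLASHLIGHT, "flashlight"),
    "NavDemo (constructed)": (NAV_APP, "navigation"),
}

if __name__ == "__main__":
    for name, score, excess in rank(SAMPLE_APPS):
        print(f"{score:2d}  {name}  excess={excess}")
```

The same location permission is scored differently for the two categories: it is part of the baseline for the navigation app and excess for the flashlight, which is exactly the judgement the article asks users to make by hand. To use it on a real app, feed `audit()` the manifest extracted from the APK and a category that matches what the app claims to do.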
