An article I wrote in
April of 2012 started out mentioning how my neighbor came over asking me why in
the world (his language was more colorful) an Android flashlight app would need to know the physical location of the phone (see the slide to the left).

I remember trying to humor my neighbor by mentioning, “In
case it gets lost.” Needless to say, he did not appreciate my attempt at
levity. Remembering my extolling the virtues of Android permissions only a few
days earlier, he made me promise that I would get to the bottom of this issue.

The
answer

I didn’t expect it to take this long to learn why, but now
that I know, it is understandable. The company, GoldenShores Technologies, LLC, is
using the onboard GPS to make money on a free app by selling the anonymized
user data it collects. And, the amount is not trivial; over one million people
have downloaded the flashlight app.

The reason this information finally surfaced was because the
Federal Trade Commission (FTC) became involved, eventually issuing an official complaint against Goldenshores Technologies (PDF). The complaint can be boiled down into the
following counts.

Count 1: Goldenshores
Technologies did mention in the EULA that it would be collecting data for
various reasons. The FTC was bothered by:

“[R]espondents have failed to
disclose or failed to adequately disclose that, when users run the Brightest
Flashlight App, the application transmits, or allows the transmission of, their
devices’ precise geolocation along with persistent device identifiers to
various third parties, including third party advertising networks.”

The FTC felt the lack of disclosing this practice in an
understandable fashion wrongly influenced individuals who were deciding whether
to install the application.

Count 2: The FTC
claims the EULA was not clear in pointing out the flashlight app started
collecting data before the EULA was agreed to:

“Regardless of whether consumers
accept or refuse the terms of the EULA, the Brightest Flashlight App transmits,
or causes the transmission of, device data as soon as the consumer launches the
application and before they have chosen to accept or refuse the terms of the
Brightest Flashlight EULA.”

The FTC complaint then concludes both counts constitute
unfair or deceptive practices that affect commerce and are in violation of Section 5(a) of the Federal Trade Commission Act (PDF).

Good
news

It seems the system worked. Goldenshores Technologies and the FTC came to an agreement (PDF). Jessica
Rich, Director of the FTC’s Bureau of Consumer Protection, had this to say in
the FTC press release:

“When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it. But this flashlight app left them in the dark about how their information was going to be used.”

The settlement reads that Goldenshores Technologies must
disclose in a clear and prominent fashion what information it intends to
collect. The agreement also requires the app to be configured so the consumer agrees
to the collection before it starts. Goldenshores Technologies is also required
to delete any personal information already in its database.

Clearly
and prominently

The FTC agreement used 230 words just to describe “Clearly
and prominently.” To see if Goldenshores Technologies figured out what clearly
and prominently meant, I started working my way through the company’s EULA and Privacy Policy — no small task, considering 2,965 words were required. I did
a search, and was unable to find GPS mentioned in either document. I did find
the word location used once, but not related to the FTC complaint.

Here’s my problem: Isn’t it a bit much to ask people to wade
through almost 3,000 words of complicated legalese just for a simple
flashlight app, and then still be unclear as to why the app asks for permission
to use the mobile device’s GPS?

Final
thoughts

One could become easily dissuaded that anything good came
from all the effort. The intent to help appeared to be in place, but that was
quickly lost in the process. It’s as if two warring factions lobbed volleys
back and forth until they were satisfied.

My advice: If you see a free app asking for permission to
use the onboard GPS system, and the app does not need to know where the phone
is to work properly, I’d look elsewhere.