Android flashlight app tracks users via GPS, FTC says hold on

Buried deep in the Brightest Flashlight Free app's EULA is language that lets the maker collect and resell user location data. An FTC complaint leads to better user notification and deletion of all existing data.

An article I wrote in April of 2012 started out mentioning how my neighbor came over asking me why in the world (his language was more colorful) an Android flashlight app would need to know the physical location of the phone (see the slide to the left).

I remember trying to humor my neighbor by mentioning, "In case it gets lost." Needless to say, he did not appreciate my attempt at levity. Remembering my extolling the virtues of Android permissions only a few days earlier, he made me promise that I would get to the bottom of this issue.

The answer

I didn't expect it to take this long to learn why, but now that I know, it is understandable. The company, Goldenshores Technologies, LLC, is using the onboard GPS to make money on a free app by selling the anonymized user data it collects. And the amount is not trivial; over one million people have downloaded the flashlight app.

This information finally surfaced because the Federal Trade Commission (FTC) became involved, eventually issuing an official complaint against Goldenshores Technologies (PDF). The complaint can be boiled down into the following counts.

Count 1: Goldenshores Technologies did mention in the EULA that it would be collecting data for various reasons. The FTC was bothered by:

"[R]espondents have failed to disclose or failed to adequately disclose that, when users run the Brightest Flashlight App, the application transmits, or allows the transmission of, their devices’ precise geolocation along with persistent device identifiers to various third parties, including third party advertising networks."

The FTC felt that the failure to disclose this practice in an understandable fashion wrongly influenced individuals who were deciding whether to install the application.

Count 2: The FTC claims the EULA was not clear in pointing out the flashlight app started collecting data before the EULA was agreed to:

"Regardless of whether consumers accept or refuse the terms of the EULA, the Brightest Flashlight App transmits, or causes the transmission of, device data as soon as the consumer launches the application and before they have chosen to accept or refuse the terms of the Brightest Flashlight EULA."

The FTC complaint then concludes both counts constitute unfair or deceptive practices that affect commerce and are in violation of Section 5(a) of the Federal Trade Commission Act (PDF).

Good news

It seems the system worked. Goldenshores Technologies and the FTC came to an agreement (PDF). Jessica Rich, Director of the FTC's Bureau of Consumer Protection, had this to say in the FTC press release:

"When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it. But this flashlight app left them in the dark about how their information was going to be used."

The settlement reads that Goldenshores Technologies must disclose in a clear and prominent fashion what information it intends to collect. The agreement also requires the app to be configured so the consumer agrees to the collection before it starts. Goldenshores Technologies is also required to delete any personal information already in its database.

Clearly and prominently

The FTC agreement used 230 words just to describe "Clearly and prominently." To see if Goldenshores Technologies figured out what clearly and prominently meant, I started working my way through the company's EULA and Privacy Policy -- no small task, considering 2,965 words were required. I did a search, and was unable to find GPS mentioned in either document. I did find the word location used once, but not related to the FTC complaint.

Here's my problem: Isn't it a bit much to ask people to wade through almost 3,000 words of complicated legalese just for a simple flashlight app, and then still be unclear as to why the app asks for permission to use the mobile device's GPS?

Final thoughts

One could easily become skeptical that anything good came from all the effort. The intent to help appeared to be in place, but that was quickly lost in the process. It’s as if two warring factions lobbed volleys back and forth until they were satisfied.

My advice: If you see a free app asking for permission to use the onboard GPS system, and the app does not need to know where the phone is to work properly, I'd look elsewhere.