Buried deep in the Brightest Flashlight Free app's EULA is language that lets the maker collect and resell user location data. An FTC complaint leads to better user notification and deletion of all existing data.
I remember trying to humor my neighbor by mentioning, "In case it gets lost." Needless to say, he did not appreciate my attempt at levity. Remembering my extolling the virtues of Android permissions only a few days earlier, he made me promise that I would get to the bottom of this issue.
I didn't expect it to take this long to learn why, but now that I know, it is understandable. The company, Goldenshores Technologies, LLC, is using the onboard GPS to make money on a free app by selling the anonymized user data it collects. And, the amount is not trivial; over one million people have downloaded the flashlight app.
This information finally surfaced because the Federal Trade Commission (FTC) became involved, eventually issuing an official complaint against Goldenshores Technologies (PDF). The complaint can be boiled down into the following counts.
Count 1: Goldenshores Technologies did mention in the EULA that it would be collecting data for various reasons. The FTC was bothered by:
"[R]espondents have failed to disclose or failed to adequately disclose that, when users run the Brightest Flashlight App, the application transmits, or allows the transmission of, their devices’ precise geolocation along with persistent device identifiers to various third parties, including third party advertising networks."
The FTC felt that the failure to disclose this practice in an understandable fashion wrongly influenced individuals who were deciding whether to install the application.
Count 2: The FTC claims the EULA did not make clear that the flashlight app started collecting data before the EULA was agreed to:
"Regardless of whether consumers accept or refuse the terms of the EULA, the Brightest Flashlight App transmits, or causes the transmission of, device data as soon as the consumer launches the application and before they have chosen to accept or refuse the terms of the Brightest Flashlight EULA."
The FTC complaint then concludes that both counts constitute unfair or deceptive practices that affect commerce and are in violation of Section 5(a) of the Federal Trade Commission Act (PDF).
It seems the system worked. Goldenshores Technologies and the FTC came to an agreement (PDF). Jessica Rich, Director of the FTC's Bureau of Consumer Protection, had this to say in the FTC press release:
"When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it. But this flashlight app left them in the dark about how their information was going to be used."
The settlement states that Goldenshores Technologies must disclose in a clear and prominent fashion what information it intends to collect. The agreement also requires the app to be configured so the consumer agrees to the collection before it starts. Goldenshores Technologies is also required to delete any personal information already in its database.
Clearly and prominently
Here's my problem: Isn't it a bit much to ask people to wade through almost 3,000 words of complicated legalese just for a simple flashlight app, and then still be unclear as to why the app asks for permission to use the mobile device's GPS?
One could easily be left doubting that anything good came from all the effort. The intent to help appeared to be in place, but that was quickly lost in the process. It’s as if two warring factions lobbed volleys back and forth until they were satisfied.
My advice: If you see a free app asking for permission to use the onboard GPS system, and the app does not need to know where the phone is to work properly, I'd look elsewhere.