Android torch app with over 50m downloads silently sent user location and device data to advertisers

An innocuous-looking torch app for Android that has been downloaded more than 50m times silently shared users' locations and device IDs with advertisers, the company has admitted.

In a settlement with the US Federal Trade Commission (FTC), the maker of Brightest Flashlight Free admitted that the app's privacy policy "deceptively failed to disclose" that it was passing on location and device ID data to networks of advertisers.

The privacy policy said that "any" information collected by the app would be used by the company. But it didn't say that it would also send it to third parties.

Since its release in February 2011, the app has been downloaded between 50m and 100m times, according to data on the Google Play app store.

"When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it,' said Jessica Rich, director of the FTC's consumer protection bureau. "But this flashlight left them in the dark about how their information was going to be used."

The FTC also said that the app gave users a false choice: "At the bottom of the license agreement, consumers could click to 'Accept' or 'Refuse' the terms of the agreement. Even before a consumer had a chance to accept those terms, though, the application was already collecting and sending information to third parties – including location and the unique device identifier."

That meant that advertisers could in effect have tracked users through their device ID and location to see what adverts they were clicking on - and even identified people through related information.

Under the settlement, the app will have to tell users how, where and when their data is about to be shared, and get their express permission to do so.

The case is the first where the FTC has zeroed in on unwanted sharing of geolocation data as part of its requirement to protect US consumer privacy.

Android apps tell users what information they will collect from users before they are installed - but do not give any explanation of what or how the information will be used, or why it is necessary to collect it. There is also no standard way to veto the collection of data or access to a machine function by an app.

The Play Store app, which has generally received good reviews - an average of 4.8 out of 5 - turns on all the lights on the device to create a torch. It also says that it offers "unobtrusive ads".

The developer, GoldenShores Technologies, also offers another app for choosing colours, which is also ad-supported. It has had far fewer downloads, totalling around 50,000. The FTC didn't say whether it is investigating that app.

Erik Geidl, who runs GoldenShores Technologies, has been ordered to delete any personal information that the app has collected. He is also required to tell the FTC if he changes his employment over the next ten years.

Powered by article was written by Charles Arthur, for on Friday 6th December 2013 08.00 Europe/London © Guardian News and Media Limited 2010


image: © Zawezome