Home > News > Content
Phone Maker Settles Charges It Let Partner Collect Customers’ Text Messages
- May 11, 2018 -

Phone maker BLU is settling charges that it allowed a China-based partner to collect a mountain of customers' personal data—including full content of text messages, real-time locations, telephone numbers, contacts, and installed apps—despite promises it would keep such details private.

Under a settlement with the US Federal Trade Commission announced Monday, BLU agreed to implement a "comprehensive data-security program" to prevent similar privacy leaks in the future. Both the company as a whole and co-owner and President Samuel Ohev-Zion are barred from misrepresenting the extent to which they protect the privacy and security of personal information. The company further will be subject to third-party assessments of its security program every two years for 20 years and must comply with record-keeping and compliance-monitoring requirements.

  • full contents of text messages

  • real-time cellular-tower location data

  • call and text message logs with full telephone numbers

  • contact lists

  • lists of applications used and installed on each device

AdUps collected text messages and transmitted them back to company servers every 72 hours while collecting location data in real time and transmitting it to servers every 24 hours, the FTC's complaint said.

Following the 2016 Kryptowire report, BLU notified customers that AdUps ceased its data collection activities. Even then, however, BLU "continued to allow AdUps to operate on its older devices without adequate oversight," FTC attorneys wrote.

The FTC action made no mention of a follow-up report from Kryptowire in 2017. It said three models of BLU phones continued to collect a more limited set of users' personal information and sent them to servers located in China. For instance, Kryptowire said that two models—the Grand M and Life One X2—sent phone numbers, IMEIs, IMSIs, Wi-Fi MAC addresses, device serial numbers, and lists of installed applications, as well as cell-tower IDs and locations. The security firm said the BLU Advance 5.0 contained code-execution and logging capabilities that could be used by third-party apps.

A BLU executive responded to the Kryptowire update at the time by saying the data collection was standard for over-the-air functions. "This is in line with every other smartphone device manufacturer in the world," BLU Marketing Director Carmen Gonzalez wrote in the response. "There is nothing out of the ordinary that is being collected," she wrote, and she also asserted that BLU "certainly does not affect any user's privacy or security."

At the time of the Kryptowire update, Amazon said it was suspending sales of BLU phones. Aquick search on Monday showed a variety of BLU phones available from the online retailer.