FTC Response to Privacy-Violating Flashlight App May Signal Big Changes

The FTC's settlement with the maker of the Brightest Flashlight Free app may hint at a new direction for the mobile industry.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

The Federal Trade Commission (FTC) is said to have a sent a message to the wireless industry in its handling of a settlement with Goldenshores Technologies, an app development company run by someone named Erik M. Geidl, who sold tens of millions of people a privacy-violating Android app.

The "Brightest Flashlight Free" app wasn't just performing the helpful function its name suggests, but it was sending precise location information about users, as well as the unique identifier number of their phones, to third parties, including advertising networks.

The app disclosed that it collected user information, though it didn't say that it shared the information with third parties. Further, when people went to download the app, it presented them with a "false choice," the FTC said in a Dec. 5 press release.

"At the bottom of the license agreement, consumers could click to 'Accept' or 'Refuse' the terms of the agreement. Even before a consumer had a chance to accept those terms, though, the application was already collecting and sending information to third parties—including location and the unique device identifier," the FTC explained.

Goldenshores' settlement with the FTC prohibits it from misrepresenting how consumers' information is collected and shared and the control they have over their information. It also requires Goldenshores to provide a just-in-time disclosure that informs consumers "when, how and why their geolocation information is being collected, used and shared, and requires defendants to obtain consumers' affirmative express consent before doing so," said the statement.

While the settlement may seem "run-of-the-mill," it's actually "particularly noteworthy," wrote D. Reed Freeman Jr., a partner with legal firm Morrison Foerster, and Adam Fleisher, an associate with the firm, in a Dec. 16 post on the law-meets-social-media blog SociallyAware.

It's noteworthy, they say, because the company's alleged violation of Section 5 resulted not from the app being deceptive but "from an alleged material omission, and from an allegation that whatever disclosures there were did not rise to the required level of prominence because they were in the privacy policy and [end user license agreement] only."

Such allegations and policy determinations have until now been limited to spyware, and crept into online behavioral advertising, but otherwise haven't been a part of the FTC's enforcement actions.

They continued:

"This case represents the FTC's signal to the industry that material facts, especially those involving sensitive data, and especially where the facts involve collection, use or disclosure of data that may surprise ordinary users because it is out of context of the use of the service, must be disclosed not only in a privacy policy, but also outside the privacy policy, clearly and conspicuously, prior to collection of the data."

The pair added that the FTC gave Goldenshores "very specific and detailed instructions" about how it needs to conduct the business of selling apps, "which could perhaps be an indication of where the FTC expects the entire industry to go in the near future."