BLU claims innocence and this is why

The whole situation with AdUps, the Chinese company that provides affordable firmware update software to countless budget Android phones, has somewhat turned into an ugly mess. Although less dramatic than last year's knee jerk reaction, the latest report coming from Kryptowire, who broke the news last year, has resulted in BLU's smartphones being suspended by Amazon once again. BLU already made its defense, which seems to have fallen on deaf ears. So it is now trying again to make it painfully clear that they are, in fact, free of any wrongdoing.

AdUps is not spyware and not even Kryptowire called it that, insists BLU. To be fair, Kryptowire really didn't. In its 2016 report, it simply described AdUps' OTA software as "FIRMWARE THAT TRANSMITTED PERSONALLY IDENTIFIABLE INFORMATION (PII) WITHOUT USER CONSENT OR DISCLOSURE". Curiously, that is more or less how the FTC defines spyware (PDF). In its 2017 follow-up, it did drop the second part of that phrase and simply reported on "mobile devices for Personally Identifiable Information (PII) collection and transmission to third parties". While BLU, and a few other OEMs, was caught unaware by the first report, it insisting on its innocence in this second instance.

Its defense stems from the argument that it is doing nothing that violates its Privacy Policy and, therefore, doesn't constitute any wrongdoing. Yes, that privacy policy that barely anyone reads, which can't legally be blamed on manufacturers anyway. That policy has this to say regarding Personally Identifiable Information (PII) and Third Parties:

"Personal Identifiable Information Storage

BLU will retain any personal identifiable information ("PII") that it collects through our software while you have an active BLU device. By using BLU devices, you are allowing your information associated with your device to be moved from your country of residence to the United States or any country where this data is stored.

BLU uses industry standard security methods and procedures to protect the information that it collects, but you acknowledge that, like all Internet-connected systems, BLU will not be responsible for the failure of its security except in cases of gross negligence or intentional wrongdoing.

Third Parties

BLU limits the disclosure of your PII to only the third parties used to fulfill obligations or services for BLU users. These companies have access to personal information needed to perform their services or functions, but may not use it for other purposes without the sole permission of the user."

In other words, when you agreed to use BLU's devices, you basically agreed that such PII could possibly be transmitted to a third party outside the US. In this particular case, that does apply to the situation with AdUps. Interestingly, the policy's copyright dates back to 2016, when the AdUps issue first came up. The Internet Archives doesn't seem to have any version of that page before April this year.

And so we come to BLU's second arguments: everybody's doing it. The data that AdUps collects is the same or even just a fraction of what other OEMs are collecting. Google is hardly the bastion of privacy and other OEMs are also collecting such data and sending it to servers in China, as is the case with Huawei and ZTE. It should be noted that both companies are not exactly in the clear as far as the US government is concerned.

Finally, BLU says that Kryptowire's new report really only identifies the Cubot X16S, from a Chinese OEM, as the only smartphone really spying on its users. This is the data that it collects and sends to third parties, primarily AdUps:

"Browser history, call log, text message metadata (phone number with timestamp), IMEI, IMSI, Wi-Fi MAC Address, list of installed applications, and the list of applications used with timestamps."

In contrast, the BLU Grand M and Life One X2 only collected and sent these data:

"Cell tower ID (location), phone number, IMEI, IMSI, Wi-Fi MAC Address, device serial number, list of installed applications, and the list of applications used with timestamps."

Noticeably missing are "Browser history, call log, text message metadata (phone number with timestamp)". In short, BLU's phones only send more or less generic PIIs, leaving out potentially incriminating information like messages and browsing history.

This might be all moot anyway, save for a few older phones. Moving forward, BLU will be switching to using Google's OTA software instead of AdUps, but, again, BLU reminds that Google is really no different other than the fact that it's based in the US. And even then, it is also collecting other pieces of data, perhaps more than what the AdUps OTA does.

In a nutshell, BLU Products isn't doing anything illegal even with its continued use of AdUps on some of its remaining smartphones. In that sense, it does have reason to insist that Amazon's suspension and the ensuing coverage is "non-news". But whether there is nothing wrong with what it collects, or whether AdUps itself doesn't sell that information to others, or whether the industry practice is acceptable in the first place, is perhaps a discussion for another day.