BLU settles privacy violations probe with FTC, won't pay a fine

Phone maker BLU has struck a settlement with the FTC over the Commission's privacy violations accusation. According to the agency, BLU had a contract with ADUPS Technology Co. to provide software and security updates to its products. However, that contractor allegedly gathered user data and transferred it to the company servers, acquiring "far more information than needed to do its job," according to the FTC.

The FTC claims that ADUPS gathered highly personal data, including complete text message content, logs of both the messages and calls, real-time location info, full contact lists and full numbers, app usage info, and more. The Commission puts the burden on BLU and its co-owner Samuel Ohev-Zion, according to its settlement announcement, stating that both "failed to implement appropriate security procedures to oversee the security practices of their service providers..."

In explaining the consequences of BLU's alleged actions, the FTC says that...

...ADUPS collected sensitive personal information via BLU devices without consumers' knowledge and consent that it did not need to perform its contracted services. In addition, ADUPS software preinstalled on BLU devices contained common security vulnerabilities that could enable attackers to gain full access to the devices.

News of the security issues surfaced in November 2016, after which point BLU announced that a software update on ADUPS part had put an end to the data collection. However, the FTC claims that ADUPS was allowed to continue operating on older BLU devices "without adequate oversight."

As a result of it all, BLU and Ohev-Zion have settled with the FTC. The terms require the two to avoid any misrepresentation of "the extent to which they protect the privacy and security of personal information..." As well, the duo are required to establish a "comprehensive security program" involving both current and new devices. BLU itself will have to undergo third-party reviews every two years to assess its security program. That requirement will run for 20 years.

No fine will be paid as part of the settlement.