When your own flashlight is spying on you, something is wrong. That, at any rate, is the Federal Trade Commission’s thinking in a case that illustrates how, in today’s electronic world, privacy concerns can lurk in the most unlikely contexts.
The case involved a simple flashlight app used on Android cell phones. The app, called “Brightest Flashlight Free,” has been downloaded by Android users tens of millions of times. It works by activating all the device’s lights, including the screen and LED camera flash, to provide illumination.
But behind the scenes, there was more to the app than light. There was data -- data about the place where it was used (“geolocation”), tied to data about the device (“persistent device identifiers”). And after being collected, that data was transmitted to third parties including advertising networks.
To the app provider, it may have seemed like a fair bargain. The user gets a free app, permitting a mere tap on the screen to turn a cell phone into a flashlight. In return, the developer gets data about users, which can be sold to advertising networks, which then can make better ad placements, with knowledge of where the phone is being used.
But our law generally expects that when private information is collected, users should be given notice of the collection, and a choice about whether to allow it. And that’s where the FTC found an absence of illuminating disclosure in this flashlight app.
The developer’s privacy policy simply stated that the developer collected information for software updates, product support, and the like. And the end-user license agreement, which users had to affirmatively “Accept” or “Refuse,” repeated that disclosure. Neither, however, said anything about collecting geolocation information or sending it, tied to the device identifier, to advertising networks. In the FTC’s view, that omission was a blatant deception.
And the FTC liked it even less that geolocation information was collected and transmitted even before the user clicked “Accept” on the license agreement terms. Indeed, even when users clicked on “Reject,” information including “the device’s precise geolocation and persistent identifier” was already being collected. Apparently the developer and its advertising partners were never in the dark about their users and potential users.
The developer, Goldenshores Technologies, LLC, agreed in a consent order to rewrite its privacy policy and license agreement, fully disclose its data collection and use practices, and obtain express consent from customers before that information is transmitted to anyone else.
After this settlement, your Brightest Flashlight may not be spying on you any longer. But the FTC used the settlement to caution that mobile device users need to consider, for every app they download and use, “how they’re paid for, what information they may gather from your device, [and] who gets that information.”
Mark Sableman is a partner in Thompson Coburn’s Intellectual Property group. He is the editorial director of Internet Law Twists & Turns. You can find Mark on Twitter, and reach him at (314) 552-6103 or msableman@thompsoncoburn.com.