Maker of wildly popular flashlight app failed to tell users it was sharing their location info

by Chris Morran, Consumerist

Most of us have had the bright idea to use our smartphones as flashlights when searching underneath the couch or in the backseat of a dark car. And many millions of people have downloaded flashlight apps that maximize the light coming out of their devices. Most of those people probably never even considered that a flashlight app would be doing anything other than turning on the phone’s lights, and certainly not transmitting location data to third parties.

The Brightest Flashlight Free app for Android has been downloaded at least 50 million times since first becoming available in 2011, and has an impressive 4.8/5 star rating from more than 1 million users. But according to the Federal Trade Commission, the makers of the app deceived consumers by not fully disclosing how the app collected and shared geolocation data.

“While running… the application also transmits, or allows the transmission of, data from the mobile device to various third parties, including advertising networks,” reads the original FTC complaint [PDF]. “The types of data transmitted include, among other things, the device’s precise geolocation along with persistent device identifiers that can be used to track a user’s location over time.”

And though the app’s permissions screen does say the app can access the device’s precise location (when GPS is turned on) or approximate location (over the wireless network), the FTC alleges that nothing in the company’s privacy policy or End User License Agreement (EULA) made it clear that this information was being shared with third parties.

The privacy policy for the app states that the developer “may collect, maintain, process and use diagnostic, technical and related information, including but not limited to information about your computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you.”

This policy is restated in the EULA (to which the user must agree). According to the FTC, these statements fail to “adequately disclose to consumers that the Brightest Flashlight App transmits or allows the transmission of device data, including precise geolocation along with persistent device identifiers, to third parties, including advertising networks.”

What’s more, the FTC claims that whether or not the user accepted the terms of the EULA, the app transmitted location data for the device:

While the “Refuse” button, described in Paragraph 11, appears to give consumers the option to refuse the terms of the Brightest Flashlight EULA, including the terms relating to the collection and use of device data, that choice is illusory. Based upon the statements made in the EULA… consumers would not expect the application to operate on their mobile devices, including collecting and using their device data, until after they have accepted the terms of the EULA. In fact, while consumers are viewing the Brightest Flashlight EULA, the application transmits or causes the transmission of their device data, including the device’s precise geolocation and persistent identifier, even before they accept or refuse the terms of the EULA.

The FTC alleges that failing to disclose the sharing of location info with third parties and the app’s collection and sharing of data regardless of whether the user had agreed to the EULA is deceptive marketing, as this is information that consumers should have been made aware of before installing the app.

“When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “But this flashlight app left them in the dark about how their information was going to be used.”

The app developer has reached a settlement deal [PDF] with the FTC that prohibits them from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. Any personal information collected from users up until this point must also be deleted.

The settlement requires the developer to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used and shared. The developer will not be able to collect, use or share that information without users’ affirmative express consent.