$59.99 for a smartphone sounds like a great deal.  But what if your text messages, call histories, and physical location would be sent to servers in China?

On November 15, 2016, U.S. security firm Kryptowire reported that firmware on certain Blu Products phones was transmitting users’ personal data to servers in China. The transmitted data included full text messages, contact lists, call histories, phone numbers, and even data about users’ physical locations, all collected and transmitted without the users’ knowledge or consent.  It is not clear whether this was secretive data mining for advertising purposes or an attempt at intelligence collection by the Chinese government.

To its credit, Blu Products has now self-updated its software and verified the removal of the information-collecting and transmitting functions. The company also claims it has deleted the collected information and that none of the information was disclosed to any other party.   Still, these responses were not enough to prevent a lawsuit by Alabama citizen Aaron Bonds, one of the many affected phone users.

Bonds filed his suit against Miami-based Blu Products Inc., the phone manufacturer, and against China-based Shanghai Adups Technology Co. Ltd. and its U.S. subsidiary, developer of the firmware. Carmen Gonzalez, senior marketing director for Blu Products, responded to the lawsuit, stating, “This is a non issue and there is no wrong doing from BLU to warrant any such claim. There were no damages that anyone suffered, and this is a typical knee jerk ambulance chaser who dismisses details and is uneducated on the subject.”

According to the filed complaint, neither Blu Products nor Adups, the creators of the firmware, disclosed to users that this spyware came standard on some of their low-priced phones.  Even more insidiously, the spyware was undetectable by antivirus software because anti-virus programs assumed that factory-installed firmware was clean.

Given that over 120,000 phones were affected, these possible violations of multiple federal laws are shaping up to be a robust class action suit.  There are several potential violations of law at issue in this pending action.  By capturing and sharing users’ data without consent, the defendants might have violated the Wiretap Act, which prohibits the intentional interception, disclosure, and use of electronic communication.  The same facts could also be a violation of the Electronic Communications Privacy Act, which prohibits intentional, unauthorized interception, disclosure, or use of electronic communications in which there is an expectation of privacy.

Lastly, Adups’ firmware could have violated the Magnuson-Moss Warranty Act.  Generally speaking, the Act requires an implied warranty which includes a promise that the goods sold will do what they are meant to do and that there is nothing significantly wrong with them.  Assuming that the ordinary purpose of a phone is to transmit private, confidential data in a secure manner, it is possible that a phone which fails to perform this function violates the implied warranty.

Brent D. Kapper

 

Comments are closed.