“Brightest Flashlight” Android app disclosed location of 50 million people, but FTC imposes no fine

Even judging by the low standards of creepy data-mining apps, “Brightest Flashlight” did something pretty egregious. The free app, which was installed by at least 50 million Android(s goog) users, transmitted users’ real-time locations to ad networks and other third parties. It was, in other words, a stalking device disguised as a flashlight.
In December, the Federal Trade Commission exposed the app’s antics and also announced a proposed settlement with the app maker, GoldenShores Technologies, a one-man operation based in Idaho. In doing so, the agency explained how Brightest Flashlight used legal flim-flam in a privacy policy and user license agreement to obscure what the app was up to.
The terms are now final, and they’re underwhelming, to put it mildly.
In a Wednesday announcement, the FTC confirmed that GoldenShores and owner Erik Geidl are not to collect app users’ geolocation without clearly explaining how and why they’re doing so and, in broad terms, say who is receiving that information. The flashlight app maker will also have to keep records for the FTC to inspect, and Geidl will have to tell the agency about any new businesses he decides to start in the next 10 years. He also has 10 days as of the order to delete all the data he collected.
On paper, the order looks like stern stuff but, in practice, it’s hard to see how this amounts to real punishment. Even though Geidl did something deeply unethical, compromising the privacy of tens of millions of people, he will not pay a cent for his misdeeds.
The FTC said earlier that it didn’t seek financial restitution because the app was free. The agency’s justification is unsatisfying, however, because it doesn’t acknowledge that Geidl must have earned earned income by selling users’ geolocation. A better approach would have been to strip him of any profits he made through the app, and also name-and-shame the advertisers who bought the information from him.
While it’s good that the FTC is helping to publicize the mischief of app makers, it’s unlikely that bad actors will take the agency seriously until it starts setting down real punishments on people like Geidl and the ecosystem that sustain them.
This story was updated at 8:45ET on Thursday to add that Geidl will have to delete the data collected prior to the order