Questions have recently been raised concerning a report about the collection of certain user data by a particular ADUPS software used on certain BLU phone devices. Information reported by some news organizations has been misleading and inaccurate about this matter. Given the importance of informing consumers about this matter and protecting consumer privacy, ADUPS provides responses to several frequently asked questions. Further updates, as needed, will be added to this page. [Last Update: December 5, 2016]
Q1: What happened?
A: ADUPS provides professional Firmware Over-The-Air (FOTA) update services for mobile telephone devices. A version of ADUPS’ FOTA software (FOTA 5.0) that was inadvertently applied to certain BLU mobile devices (as noted in Q8 below) contained a functionality that collected certain user data (as noted in Q2) from phones running this version of the FOTA software.
On October 28, 2016, BLU Products contacted ADUPS regarding this data collection functionality. ADUPS promptly took a number of steps to mitigate the impact on consumers that were affected by this issue, including deleting user data that had been collected using this functionality from the ADUPS servers, and issuing an updated version (v. 5.5) that removed this data collection functionality.
Q2: What information was involved?
A: The FOTA 5.0 software that was applied to the BLU devices collected (1) device information (e.g., International Mobile Equipment Identities (IMEIs)), (2) cell tower ID, and (3) application data that enable and facilitate the provision of FOTA services and customer support to the device manufacturer. The software also collected (4) call and Short Message Service (SMS) frequency data, and (5) SMS messages and phone numbers (but not users’ names) associated with the SMS messages. The IMEI is a unique number used to identify mobile devices.
The collected data does not individually identify a specific user and cannot be combined with any information that ADUPS already has to individually identify a specific user. The software was not designed to collect the names, telephone numbers, physical addresses, email addresses, or passwords of the users of the affected devices. The software also was not designed to collect any financial information, social security information, or health information of the users of the affected devices. The users’ contact list was also not part of the collected data.
Q3: What safeguards does ADUPS have to protect the customer data it collected?
A: A number of safeguards were used for the collected data. For example, all data transmission to the ADUPS server was carried out via secure HTTPS channels. Cell tower IDs were encrypted before transmission. All user data (e.g., application data, call log, and SMS data) were compressed prior to transmission and there was no clear text available during the transmission. Sensitive data such as SMS messages was further encrypted before the compression. After data transmission to the ADUPS server, local copies of the data were deleted from the phone. After data arrived at the ADUPS web server, the data was transferred to an internal secure server which cannot be accessed remotely by any third party. Specifically, the data storage server is located in a Tier 4 data center and is physically isolated from external contact. All ADUPS data storage servers are located within the ADUPS internal network that is protected by a firewall. Only other servers within the internal network are permitted to access the data storage servers. The only servers that are externally accessible are proxy servers that accepted the collected data, and the proxy servers require public key authentication for access, which is a more secure form of authentication than typical username/password authentication.
Q4: Did anyone, other than ADUPS, have access to the information?
A: ADUPS has not shared the collected user data with any third party, including any government agencies or private parties. Only limited device information was shared with the device manufacturer in connection with the provision of FOTA services and customer support. The collected data was also protected from unauthorized external access by a secure data center within ADUPS’ internal network which is protected by a firewall.
Q5: What has ADUPS done with the collected information?
A: After ADUPS was contacted by BLU Products regarding the data collection issue on October 28, 2016, ADUPS promptly wiped all cell tower ID data, and call and SMS data from its server. This included deleting all compressed data files that included the collected text messages from its server, and deleting the cell tower ID data and the call and SMS frequency data from its internal database. Prior to their deletion, the SMS message data remained encrypted within the compressed data files and was never decompressed, decrypted, or accessed by anyone for any purpose. At no time was the content of the collected SMS messages visible to anyone for any reason before they were deleted from the ADUPS server. The only information that still remains on the ADUPS servers is the device information and application data that were collected, which ADUPS uses to provide FOTA update services and product distribution information to the device manufacturer.
Q6: What safeguards have been taken after this information surfaced on October 28, 2016 to protect the customers?
A: Since being contacted about this incident on October 28th, ADUPS has taken a number of steps to protect consumers. This includes (1) suspending collection of data on the server side, (2) deleting and ensuring the security of previously collected data, (3) developing and providing an updated software version which did not collect user data, (4) working with BLU on providing the new version to users, (5) providing notice and information updates on its website, and (6) developing internal processes and procedures to avoid similar incidents.
Q7: What is ADUPS doing to advise and assist individuals who may have been impacted?
A: ADUPS is taking a number of steps to alert consumers. ADUPS has been working with BLU to update its FOTA software to the new version 5.5. ADUPS will provide further updates as warranted on its website including on this FAQ Page and ADUPS’ Privacy Notice Page concerning new version 5.5.
What does this mean to me?
Q8: How do I know if my phone device was impacted?
A: Only certain devices using a particular version of FOTA 5.0 software were affected by this issue. Based on our knowledge, the following BLU models are affected: R1 HD, Energy X Plus 2, Studio Touch, Advance 4.0 L2, Neo XL, and Energy Diamond. BLU has published instructions (bluproducts.com/security/) for users to determine if their BLU devices are affected.
Q9: What risks are there for consumer identity?
A: ADUPS does not believe consumer identity is at risk due to this incident. None of the collected data identified any particular user. ADUPS has not shared the collected user data with any third party as noted in Q3. ADUPS has not used the collected data in any way to uncover the identities of individual consumers. The collected text messages were encrypted and remained encrypted at all times during their collection, transmission and storage, and were deleted before any access to their content was made. All user data was compressed before transmission to the ADUPS server and the compressed data was transmitted over a secure HTTPS channel to an ADUPS web server. After the data was accepted by the ADUPS web server, the data was promptly transferred to a secure internal server that is securely insulated from external access. There has been no evidence of breach or compromise to the data during transmission and storage.
Q10: Should I purchase a new phone?
A: Purchasing a new phone is not necessary since this matter concerns FOTA software version 5.0. ADUPS has issued an updated version 5.5 that has remedied the situation. Specifically, version 5.5 has permanently removed the data collecting functionality of version 5.0 and only collects the most basic device information for the purpose of providing firmware update services and customer support. Therefore, your phone is no longer vulnerable to the collection of your data through version 5.0.
What is ADUPS doing?
Q11: What steps has ADUPS taken to address the issue?
A: Upon learning of the issue, ADUPS immediately took multiple steps to address the situation and delete sensitive user data, including phone and SMS frequency data and text messages. ADUPS developed an updated version 5.5 that resolved the issue such that it only collects basic device information and no longer collects user data. ADUPS also immediately deleted user data from its servers and confirmed that such data was no longer accessible. ADUPS also confirmed that the data it had collected was never accessed by any third party.
Q12: What is ADUPS doing to prevent this from happening again?
A: ADUPS developed an updated version 5.5 that permanently removed the data collecting functionality of version 5.0. No one can re-enable the removed data collection features in version 5.5. Therefore, phones with the updated software are no longer vulnerable to the collection of your personal data through version 5.0.
ADUPS has also developed a Privacy Notice concerning version 5.5 that is available here. Finally, ADUPS will continue to reassess its privacy safeguards and policies.