In a landmark move, the Federal Trade Commission has settled charges it brought against the maker of a P2P file-sharing application that the commission alleged included unfair default settings that caused users to unknowingly share photos, videos and other personal data. The settlement with FrostWire LLC may well be an indication that the federal government is going to be taking a hard look at the way developers set up their apps and what users know about the data they collect and share.
The action by the FTC represents an interesting shift in the way that the federal government handles allegedly injurious practices by software developers. The FTC in the past often has gone after companies for what it terms deceptive practices, but in this case, the commission says that the way that FrostWire LLC set up the default settings and installation process of its eponymous file-sharing app was unfair to consumers. The FrostWire app is available for both desktop PCs and Android phones and in its complaint, the FTC says that both versions of the software made it difficult for consumers to know which files they were sharing with other users.
The FTC filed the complaint Oct. 7 and on Tuesday the commission announced that FrostWire had agreed to settle the complaint. The settlement, which is subject to approval by the court, bars FrostWire from using unfair default settings on its apps and also requires that the company provide users with a free upgrade to change the settings. Privacy advocates see this as a major change in the FTC’s attitude toward such potential violations.
“This seems like a very new approach for the FTC. It is a clear message to the industry, and a shot across the bow to many firms that are using sneaky default settings to try and get users to expose more of their personal data than they would otherwise,” said Chris Soghoian, a privacy and security researcher and former staff technologist at the FTC. “I highly doubt this is a one-off. Bravo to the FTC.”
But it’s the FTC’s move with regard to the Android app that is especially significant, given the proliferation of mobile apps and the speed with which consumers download and install them and the minimal attention many pay to the default settings.
“FrostWire for Android, as configured by the Defendants, was likely to cause a significant number of consumers installing and running it on their mobile computing devices to unwittingly share files stored on those devices. The Defendants had configured the application’s default settings so that, immediately upon installation and set-up, many pre-existing files on the mobile device were designated for sharing. These files could be shared through the Internet, and through any given wireless (“WiFi”) local area network (e.g., a “hotspot” within a specific café or public library), with other FrostWire for Android users,” the FTC complaint says.
“They could also be shared with many FrostWire Desktop users through a WiFi network. These shared files thus were available to other people in the consumer’s immediate vicinity and throughout the world to download and share further. Nothing in the installation and set-up process, described below, adequately informed consumers of the immediate consequences of installing FrostWire for Android; nor could consumers be expected to know these consequences from any prior experience with other software. Moreover, once FrostWire for Android was installed, consumers who wished to use it to share only specific files on their mobile devices first needed to share all the files within the relevant categories and then laboriously unshare individual files in those categories, one at a time with little or no instruction in the application’s user interface about how to accomplish this.”
FrostWire is a P2P file-sharing application developed by FrostWire LLC, a Miami company, and it enables users to share all kinds of files with users across the Internet, including pictures, videos, documents and music files. In its default configuration on Android devices, the app will share videos, pictures, music, ringtones and other files. In order to prevent that from happening, users have to manually change those settings. Any files from one of those categories that the user later adds to the device will be shared automatically, and if the user wants to prevent this from happening, she has to manually uncheck individual files from those categories.
“Thus, for example, a consumer with 200 photos on her mobile device who installed the application with the intent of sharing only ten of those photos first had to designate all 200 photos in the “Picture” category as shared, and then affirmatively unshare each of the 190 photos that she wished to keep private. She also needed to remember, when next running the application, to unshare the category or individually unshare any new photos she might have taken in the meantime in order to keep the new photos private. Nothing in the FrostWire for Android installation and set-up process, or the application’s user interface, adequately informed consumers that the application operated in this manner,” the FTC says in the complaint.
“In light of the application’s routine installation process, its default sharing settings, the presentation and wording of the “Before you get started” screen, the steps consumers needed to take to share only select files within a category, and the application’s
failure to provide adequate instructions on how to unshare files, a significant number of consumers using Frostwire for Android could not reasonably avoid the unwitting public sharing of their private files.”
In the FTC complaint against FrostWire, the commission also alleges that the company’s desktop app unfairly leads consumers to believe that files downloaded and placed in certain folders would not be shared by default, which the FTC alleges that they are. The commission asked the United States Court for the Southern District of Florida to grant a permanent injunction against FrostWire, as well as award unspecified financial damages to consumers harmed by the apps. The proposed consent order announced Tuesday does not include any mention of damages.