On February 5, 2016, app-making company General Holdings Inc., also doing business as Vulcun, agreed with the Federal Trade Commission (“FTC”) to stop installing its apps on consumers’ mobile devices without their permission and plaguing them with advertisements on their desktop computers. ((Agreement Containing Consent Order, In the Matter of General Workings, Inc., Federal Trade Commission (F.T.C.) (2016), https://www.ftc.gov/system/files/documents/cases/160205vulcunorder.pdf.))
The scandal started with Vulcun’s sneaky replacement of a popular browser-based game called Running Fred with another app. Google’s web browser, Chrome, lets users install extensions, which are software programs that can modify and extend Chrome’s functionality. ((Complaint at 2, In the Matter of General Workings, Inc., Federal Trade Commission (F.T.C.), https://www.ftc.gov/system/files/documents/cases/160205vulcuncmpt.pdf.)) Running Fred is a popular fast-paced arcade Chrome-extension game developed by Dedalord, LLC, which also offers variants of the Running Fred theme, including Falling Fred and Skiing Fred. Leading up to the acquisition of Running Fred by Vulcun from Dedalord on or around September 9, 2014, the game had more than 200,000 users, an average star rating of 4.5 stars (out of 5 possible stars) and approximately 2,300 reviews. Through a so-called extension update, Vulcun unilaterally replaced Running Fred with another Chrome-extension called Weekly Android Apps on users’ browsers without any notification or request for permission ((Id. at 2-3.)) This extension replacement caused three major problems for consumers.
Firstly, the desktop-installed extension Weekly Android Apps forcefully installed other apps on to users’ mobile devices that were synced up through users’ multiple-device single login. Weekly Android Apps redirected desktop browsers to the Google Play Store webpage and autonomously clicked the “Buy” button to download mobile apps to users’ synced devices. A malicious code within Weekly Android Apps also prevented users from reviewing permissions that outline what information or device functionality the apps could access. The code then automatically approved the default permission settings without the users’ knowledge. Among the force-installed apps were a solitaire game and an app called myphoneemails. ((Id. at 4.)) Essentially, Vulcun pushed out an app-downloader to consumers. The hiding and accepting of the default permissions request is particularly alarming for consumer privacy because these mobile apps could have given Vulcun immediate access to users’ address books, photos, locations, persistent device identifiers, and potentially other sensitive information such as financial and health information. ((Id.))
Secondly, Weekly Android Apps significantly disrupted consumers’ use of their desktop computers. Weekly Android Apps opened additional browser tabs and windows unnecessarily, and reset home pages. When consumers closed such tabs or windows, others opened up in their stead. The persistent tabs and windows featured advertisements of poker games and other Chrome Web Store items. Once clicked, the Chrome-extensions were installed discreetly just as the mobile apps were unknowingly installed.
Lastly, Vulcun falsely advertised Weekly Android Apps. In the Chrome Web Store, Weekly Android Apps was advertised as providing impartial selection of apps and having been featured on prominent technology websites, including MacRumors, Engadget and Lifehacker. What particularly misled consumers is the number of users and positive reviews Weekly Android Apps purportedly had. The more than 200,000 users and 2,300 reviews Weekly Android Apps was portrayed to have were all credentials simply carried over from Running Fred and not actually reflective of Weekly Android Apps at all. ((Id. at 5-6.))
All of this led the FTC to charge Vulcun for violating Section 5(a) of the Federal Trade Commission Act of 1914. ((Id.)) Section 5(a)(1) of the Act declares unlawful any “unfair or deceptive acts or practices in or affecting commerce”. ((15 U.S.C. § 45(a)(1).)) There are no regulations that define exactly what “unfair” practices are, but considerable weight is given to the interpretations of the FTC and the courts. In 1964, the FTC set forth a “Cigarette Rule” for determining what is unfair: the rule looks at i) whether a practice offends public policy; ii) whether it is immoral, unethical, oppressive, or unscrupulous; and 3) whether it causes substantial injury to consumers. ((J. Howard Beales, The FTC’s Use of Unfairness Authority: Its Rise, Fall, and Resurrection, Fed. Trade Comm’n (2003), https://www.ftc.gov/public-statements/2003/05/ftcs-use-unfairness-authority-its-rise-fall-and-resurrection.)) The rule is widely upheld and used by courts today. ((See, e.g., Smith v. Wells Fargo Bank, N.A., No. 3:15-CV-89, 2016 WL 370697, at *5 (D. Conn. Jan. 29, 2016).)) The FTC issues an administrative complaint when it has reason to believe that the law has been or is being violated, and it appears to the FTC that a proceeding is in the public interest. When the FTC issues a consent order on a final basis (in this case, the agreement contains the order not yet final), it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000. ((Fed. Trade Comm’n, Tech Company Settles FTC Charges It Unfairly Installed Apps on Android Mobile Devices Without Users’ Permission, Fed. Trade Comm’n (Feb. 5, 2016), https://www.ftc.gov/news-events/press-releases/2016/02/tech-company-settles-ftc-charges-it-unfairly-installed-apps.)) Vulcun does not admit any wrongdoing in the settlement agreement, but just the fact that it settled insinuates that it is not confident of its actions. Vulcun has further agreed to not misrepresent in its advertising, not forcefully install or modify any apps without consumers’ explicit permission, and delete any customer information they have in possession. ((Agreement Containing Consent Order, supra note 1.))
So what does this mean for other app-makers? They must advertise truthfully. More important would be to clearly disclose material information, particularly those relating to accessing private information on devices, and get explicit permission before app installment. The biggest lesson from Vulcun’s scandal would be to not push out any app updates with code that bypasses consumer disclosure and approval. Any interested party should refer to the guidelines published by the FTC. ((Fed. Trade Comm’n, Marketing Your Mobile App: Get It Right from the Start, Fed. Trade Comm’n (2013), https://www.ftc.gov/system/files/documents/plain-language/pdf-0140_marketing-your-mobile-app.pdf.))
Latest posts by Ann Choi (see all)
- $1.35 million “Supercookie” Slap to Verizon Wireless - April 12, 2016
- FTC Charges Vulcun for Replacing a Game with Its Own App - March 15, 2016
- The Sound of Music: One Music Giant’s Fall into Bankruptcy - February 22, 2016