‘Stalkerware app’ maker ordered to delete secretly stolen user data

FTC

On Wednesday, the Federal Trade Commission banned SpyFone and its CEO Scott Zuckerman
from the surveillance business over allegations that the stalkerware
app company secretly harvested and shared data on people’s physical
movements, phone use, and online activities through a hidden device
hack. The company’s apps sold real-time access to their secret
surveillance, allowing stalkers and domestic abusers to stealthily track
the potential targets of their violence. SpyFone’s lack of basic
security also exposed device owners to hackers, identity thieves, and
other cyber threats. In addition to imposing the surveillance-business
ban, the FTC’s order requires SpyFone to delete the illegally harvested
information and notify device owners that the app had been secretly
installed.

“SpyFone is a brazen brand name for a
surveillance business that helped stalkers steal private information,”
said Samuel Levine, Acting Director of the FTC’s Bureau of Consumer
Protection. “The stalkerware was hidden from device owners, but was
fully exposed to hackers who exploited the company’s slipshod security.
This case is an important reminder that surveillance-based businesses
pose a significant threat to our safety and security. We will be
aggressive about seeking surveillance bans when companies and their
executives egregiously invade our privacy.”

This is the second case the FTC has brought against stalkerware apps, and the first where the FTC is obtaining a ban. In a complaint,
the FTC alleged that Support King, LLC, which did business as
SpyFone.com, and its CEO sold stalkerware apps that allowed purchasers
to surreptitiously monitor photos, text messages, web histories, GPS
locations, and other personal information of the phone on which the app
was installed without the device owner’s knowledge.  

To install its software, SpyFone required purchasers who used the apps on Android
devices to bypass many of the phone’s restrictions. The stalkerware
company also provided instructions on how to hide the app so that the
device user was unaware the device was being monitored, the FTC alleged.
In order to use some functions, such as monitoring email, purchasers
had to “root” a phone on which the app is installed, which also could
void warranties and expose the device to security risks.

The illegal secret surveillance provided by the apps made it easy for
stalkers and abusers to monitor their potential targets and steal
sensitive information about their physical movements, phone use, and
online activities. For example, some of the products allowed a purchaser
to see the device’s live location and view the device user’s emails and
video chats. 

The stalkerware app company not only illegally
harvested and shared people’s private information, it also failed to
keep it secure. The FTC alleges that SpyFone did not put in place basic
security measures despite promising that it took “reasonable precautions
to safeguard” the information it illegally harvested. The stalkerware
apps’ security deficiencies include not encrypting personal information
it stored, including photos and text messages; failing to ensure that
only authorized users could access personal information; and
transmitting purchasers’ passwords in plain text.

Moreover, after a hacker accessed the company’s server and obtained personal data of
about 2,200 consumers in August 2018, the company promised purchasers
that it would work with an outside data security firm and law
enforcement authorities to investigate the incident. The FTC, however,
alleges that the company failed to follow through on this promise.

In addition to banning Support King and Zuckerman from offering,
promoting, selling, or advertising any surveillance app, service, or
business, the proposed settlement requires
them to delete any information illegally collected from their
stalkerware apps. It also orders them to notify owners of devices on
which SpyFone’s apps were installed that their devices might have been
monitored and the devices might not be secure.

The Commission voted 5-0 to issue the proposed administrative complaint and to accept
the consent order with the company. Commissioner Rohit Chopra issued a
separate statement.

The FTC will publish a description of the package in the Federal Register
soon. The proposed order will be subject to public comment for 30 days
after publication in the Federal Register, after which the Commission
will decide whether to make the proposal final. Instructions for filing
comments will appear in the published notice. Once processed, comments
will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to
believe” that the law has been or is being violated, and it appears to
the Commission that a proceeding is in the public interest. When the
Commission issues a consent order on a final basis, it carries the force
of law with respect to future actions. Each violation of such an order
may result in a civil penalty of up to $43,280.