The US Federal Trade Commission (FTC) has banned a spyware developer and its CEO from operating in the surveillance market in a landmark decision hailed by anti-stalkerware campaigners.
The FTC alleges that the SpyFone app, which is marketed by Support King, allows “stalkers and domestic abusers to stealthily track the potential targets of their violence”, according to an FTC press release issued yesterday (September 1).
The app can be used to “surreptitiously monitor photos, text messages, web histories, GPS locations, and other personal information of the phone on which the app was installed without the device owner’s knowledge”, added the regulator.
The FTC also cited in its decision a “lack of basic security” that put victims’ data at further risk.
Support King and its CEO, Scott Zuckerman, will be barred from “offering, promoting, selling, or advertising any surveillance app, service, or business” under the proposed settlement.
The FTC has also ordered Support King “to delete the illegally harvested information and notify device owners that the app had been secretly installed”.
Oblivious victims
The SpyFone website pitches the app as a means to “watch over your children and family” and says that users “can only install Spy Phone App on phones you own or you have been given permission by the owner of the phone”.
However, the FTC says the company “provided instructions on how to hide the app so that the device user was unaware the device was being monitored”.
Moreover, some features necessitated giving snoopers ‘root’ access that “could void warranties and expose the device to security risks”.
The FTC also alleges Support King failed to encrypt victims’ personal information and transmitted purchasers’ passwords in plaintext.
Data leak
The FTC referenced a 2018 data leak in which an unprotected Amazon S3 bucket reportedly exposed several terabytes of unencrypted camera photos, among other data harvested from SpyFone installations.
Support King failed to fulfil a promise to investigate the incident with the help of law enforcement and external cybersecurity experts, said the consumer rights watchdog.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection.
“The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security.”
Aggressive approach
The FTC sanctions against SpyFone mark “a significant change from the agency’s past approach,” said FTC Commissioner Rohit Chopra.
Issued in 2019, its previous, and only, stalkerware-related decision allowed spyware vendor Retina-X Studios and its owner to continue selling such applications, providing they introduced certain security and privacy safeguards.
However, Samuel Levine has now promised that the FTC “will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy”.
The Electronic Frontier Foundation (EFF), which helped to launch the Coalition Against Stalkerware in 2019, welcomed the decision.
“Victims of stalkerware can begin to find solace in the fact that regulators are beginning to take their concerns seriously,” the digital privacy non-profit said in a statement.
Security firm Kaspersky has previously revealed that 53,870 of its worldwide customers were affected by stalkerware in 2020.
Google banned all forms of stalkerware from its app store in October 2020.