By installing an app called SpyFone onto the device of an unsuspecting person, a user could stealthily track their target’s email, photos, contacts, calendars, web history, and even location. Support King, LLC, and CEO Scott Zuckerman marketed SpyFone as a way to monitor the activities of children and employees, while neglecting to take action to prevent stalkers and domestic abusers from using the company’s products for illegal secret surveillance.
Now, according to a proposed FTC settlement, Support King and its CEO will be banned from the surveillance app, or stalkerware, business. (Stalkerware is the colloquial name for products and services of this ilk.) Sold on a subscription basis, SpyFone for Android Premium went for $119.95 for three months or $199.95 a year and was marketed as allowing users to monitor a person’s sent and received messages, posts made on social media, video chats, live location, and other personal information. Selling for $179.95 for three months or $299.95 a year, the “Xtreme” version lived up to its name. In addition to the premium functions, that app included a key logger and live screen viewing. It also allowed the user to take pictures remotely and to secretly activate the microphone on the device to record conversations and phone calls.
To install the SpyFone app, users needed brief access to the unsuspecting person’s device. Once it was installed, SpyFone – unlike other apps – didn’t appear with an icon. In fact, during the installation process, the company gave users step-by-step instructions on how to hide the app so that device owners wouldn’t know they were being monitored. Installing the app also meant that users bypassed some of the device’s built-in privacy and security features. For example, the company instructed users to “disable the verification of applications,” a security setting that scans and identifies the apps on a mobile device. The FTC alleges that through the sale of their SpyFone apps, the proposed respondents failed to ensure they were used for lawful purposes.
The stalkerware app company not only illegally harvested and shared people’s private information without consent, it also failed to secure that data from hackers. According to the complaint, the company promised that it took “reasonable precautions to safeguard customer information,” but failed to put reasonable measures in place to secure the data it collected. For example, it didn’t encrypt the personal information stored by the app, failed to ensure that only authorized users could access personal information, and transmitted passwords in plain text. The upshot: A hacker accessed SpyFone’s server and was able to grab personal information on about 2,200 consumers. Although the company pledged to work with law enforcement authorities and an outside data security firm to investigate the incident, the complaint alleges that SpyFone didn’t live up to its promise.
The proposed order bans the company and its CEO Scott Zuckerman from advertising, promoting, or selling any monitoring app or service. In addition, they’ll have to delete all information collected from their stalkerware apps. In an important provision to alert people who have been victimized by its products, the company must notify owners of devices on which SpyFone’s apps were installed about the monitoring and that their devices might not be secure. Once the proposed settlement appears in the Federal Register, the FTC will receive public comments for 30 days.
The case underscores the FTC’s commitment to challenging illegal practices related to consumer privacy and data security. Companies found selling similar apps that blatantly disregard privacy and can be weaponized by abusers and manipulated by hackers will be treated with the same aggressive response the FTC has taken with SpyFone.
Also, the National Domestic Violence Hotline, 800-799-SAFE, offers trained operators and live chat 24/7 to help people connect to a local advocate and create a safety plan. You never know who might need that information right now, so mention the Hotline in a staff newsletter and post the number on a bulletin board in the break room of your business.