You know that eerie feeling that someone is following your every move? If someone secretly installed a “stalking app” or “stalkerware” sold by Retina-X Studios, LLC, onto your mobile device, that strange sensation could be way more than a feeling. A complaint against the developer and marketer alleges violations of the FTC Act and the Children’s Online Privacy Protection Act Rule.
Florida-based Retina-X and James N. Johns, Jr., marketed three apps as ways to monitor children or employees. MobileSpy captured and logged GPS location, text messages, photos, call history, browser history, etc. People who bought the premium version also could view the unsuspecting user’s screen in real time. PhoneSheriff monitored much of the same data, plus email history and screenshots of activity using Snapchat. As part of the iOS registration process for TeenShield, Retina-X collected the dates of birth of users being monitored – roughly a third of whom were under 13. Once installed, TeenShield captured GPS location, text messages, call history, browser history, email, and the like.
To install the products, the buyer needed physical access to the device and often had to jailbreak or root it. In other words, they had to bypass restrictions built into the operating system on the device. Once the software was in place, buyers could remotely monitor the user’s activities from an online dashboard. By default, an icon appeared on the device. However, Retina-X instructed the person who installed the software on how to hide it and have the app run surreptitiously without the user’s knowledge. Although Retina-X claimed in its privacy policies that the products were designed to be used only to monitor a parent’s underage child or employee, the company didn’t take any steps to ensure that was how their apps were used. What’s more, why would parents or employers jailbreak or root phones to install Retina-X software when other monitoring apps on the market didn’t require jailbreaking or rooting?
The complaint alleges several forms of consumer injury. One particular concern is that stalkers – for example, perpetrators of domestic violence – could use the apps to keep tabs on their victims’ location and online activity, information they could use to inflict emotional or even physical harm. Stalkers also could use software like this to commandeer victims’ financial accounts. At the very least, people who installed Retina-X’s apps on the devices of unsuspecting users likely voided their devices’ warranties and exposed the users to increased security risks common when a device has been jailbroken.
Furthermore, the FTC alleges Retina-X failed to take basic steps to protect the sensitive data its apps collected, especially information collected from children being monitored. For example, the company didn’t have written security standards in place and didn’t conduct security testing for known vulnerabilities. In addition, while touting its products’ ability to monitor others, the complaint alleges that Retina-X didn’t take appropriate steps to monitor its own service provider – the company that developed Retina-X’s apps, managed its servers, handled its payment processing, and provided marketing and customer support services.
The privacy policies for MobileSpy, PhoneSheriff, and TeenShield included the same soothing language: “It is company policy that our customer databases remain confidential and private. . . . Your private information is safe with us.” But no one told that to the hacker who in 2017 found unencrypted credentials for the company’s cloud storage account in the TeenShield Android Package Kit. Once logged in, the hacker found the username and password for Retina-X’s server. That was the “Open Sesame!” the hacker needed to access sensitive data collected through PhoneSheriff and TeenShield and then erase it entirely. Retina-X didn’t learn about the hack until two months later when a journalist contacted the company after having received evidence from the hacker.
Fast forward a year and a hacker again found the credentials for the company’s cloud storage account, this time in the PhoneSheriff Android Package Kit. The credentials were – to use the company’s terminology – “obfuscated,” but the hacker was still able to decrypt them. This time the hacker erased all photos in the cloud storage account.
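Both incidents above come down to the same defect: a long-lived cloud storage credential shipped inside the app package, where encoding or “obfuscation” only delays its recovery by anyone who downloads the APK. The script below is an added illustration (it is not code from the FTC, from Retina-X or from its service provider) of the kind of pre-release check a build pipeline can run over its own release artifact. The APK it scans is a constructed in-memory zip, and the key it finds is AWS’s published documentation placeholder, not a real credential; the two regular expressions are assumptions about what a credential looks like, not an exhaustive rule set.

```python
"""Pre-release secrets check for an Android build artifact (an APK is a zip).
Finds credential-shaped strings in plaintext and behind reversible base64
'obfuscation'.  Added example; the APK contents and key are constructed."""
import base64
import io
import re
import zipfile

# Assumed patterns: the AWS access-key-ID shape (AKIA + 16 chars) and a
# generic "password/secret/api_key = value" assignment.  Real scanners
# carry many more rules; these two are enough to show the technique.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "password_assignment": re.compile(
        rb'(?i)(password|secret|api[_-]?key)\s*[=:]\s*["\']?([^\s"\'<]{8,})'
    ),
}
# Runs long enough to be a base64-encoded blob rather than an ordinary word.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def decode_candidates(data: bytes):
    """Yield (encoding, bytes) for the raw data and for every base64 run that
    decodes cleanly.  Encoding a secret is not protecting it: the app has
    to decode it at runtime, so a scanner can too."""
    yield "raw", data
    for m in B64_RUN.finditer(data):
        try:
            yield "base64", base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not valid base64 after all


def scan_apk(apk_bytes: bytes):
    """Return a list of (member path, encoding, rule, matched text) findings
    for every file inside the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for encoding, blob in decode_candidates(data):
                for rule, pattern in PATTERNS.items():
                    for m in pattern.finditer(blob):
                        findings.append(
                            (info.filename, encoding, rule,
                             m.group(0).decode("latin-1"))
                        )
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like zip: one key in plaintext resources, one base64-
    'obfuscated' key in an asset, and a dex stub with nothing in it.
    AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder, not a real key."""
    plain = b'<string name="bucket_key">AKIAIOSFODNN7EXAMPLE</string>'
    hidden = b"cfg=" + base64.b64encode(b"storage_secret=AKIAIOSFODNN7EXAMPLE")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/values/strings.xml", plain)
        zf.writestr("assets/config.bin", hidden)
        zf.writestr("classes.dex", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Run the check against the signed release artifact, not only the source tree, because build and packaging steps can inject configuration that never appears in version control. A finding like the ones this script reports should fail the build. The scanner is detection, though, not the fix: the durable remedy is to keep storage credentials off the device entirely and have the app authenticate to the vendor’s own backend, which then hands out short-lived, narrowly scoped tokens for whatever the client legitimately needs to do.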
The complaint includes one count of unfair acts or practices and three counts of deception. In addition, the FTC alleges Retina-X knowingly collected personal information from children under the age of 13 through the TeenShield product, but failed to honor the COPPA Rule’s requirement to maintain reasonable procedures to protect the confidentiality, security, and integrity of that data.
To settle the case, Retina-X and James N. Johns, Jr., have agreed to delete the data they collected and not sell any product that requires jailbreaking or rooting. In addition, in the future, they’ll have to get statements from buyers that they’ll use the app only to monitor their child or an employee, or an adult who has consented in writing. They also must include an icon with the name of the app that can only be removed by parents who have installed it on their kids’ phones. In keeping with other recent data security settlements, they must get third-party assessments of their information security program every two years.
Once the proposed settlement appears in the Federal Register, the FTC will accept public comments for 30 days. In the meantime, here are tips other companies can take from the case.
- Exercise heightened caution if you sell monitoring products. Take reasonable steps to ensure your product is used only for lawful purposes. For example, you can’t require the circumvention of built-in operating system or device security protections and then claim ignorance about how your product is used.
- If you collect it, protect it. Collecting any form of sensitive data carries with it the obligation to protect it when it’s in your possession. If it’s information covered by COPPA, Section 312.8 of the Rule puts special data protections in place.
- Take steps to avoid a third-degree burn. When working with third-party service providers, spell out your data security expectations in your contracts and build in monitoring mechanisms to make sure they’re following through. When COPPA-covered information is involved, Section 312.8 of the COPPA Rule underscores that requirement: “[T]ake reasonable steps to release children’s personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.”