FTC action against stalkerware app SpyFone and CEO Scott Zuckerman underscores threats of surveillance businesses

By installing an app called SpyFone onto the device of an unsuspecting person, a user could stealthily track their target’s email, photos, contacts, calendars, web history, and even location. Support King, LLC, and CEO Scott Zuckerman marketed SpyFone as a way to monitor the activities of children and employees, neglecting to take action to prevent stalkers and domestic abusers from using the illegal secret surveillance effectuated by the company’s products.

Now, according to a proposed FTC settlement, Support King and its CEO will be banned from the surveillance app business. Stalkerware is the colloquial name for products and services of this ilk. Sold on a subscription basis, SpyFone for Android Premium went for $119.95 for three months or $199.95 a year and was marketed as allowing users to monitor a person’s sent and received messages, posts made on social media, video chats, live location, and other personal information. Selling for $179.95 for three months or $299.95 a year, the “Xtreme” version lived up to its name. In addition to the premium functions, that app included a key logger and live screen viewing. It also allowed the user to take pictures remotely and to secretly activate the microphone on the device to record conversations and phone calls.

To install the SpyFone app, users needed brief access to the unsuspecting person’s device. Once it was installed, SpyFone – unlike other apps – didn’t appear with an icon. In fact, during the installation process, the company gave users step-by-step instructions on how to hide the app so that device owners wouldn’t know they were being monitored. Installing the app also meant that users bypassed some of the device’s built-in privacy and security features. For example, the company instructed users to “disable[] the verification of applications,” a security setting that scans and identifies the apps on a mobile device. The FTC alleges that through the sale of their SpyFone apps, the proposed respondents failed to ensure they were used for lawful purposes.

The stalkerware app company not only illegally harvested and shared people’s private information without consent, it also failed to secure that data from hackers. According to the complaint, the company promised that it took “reasonable precautions to safeguard customer information,” but failed to put reasonable measures in place to secure the data it collected. For example, it didn’t encrypt the personal information stored by the app, failed to ensure that only authorized users could access personal information, and transmitted passwords in plain text. The upshot: A hacker accessed SpyFone’s server and was able to grab personal information on about 2,200 consumers. Although the company pledged to work with law enforcement authorities and an outside data security firm to investigate the incident, the complaint alleges that SpyFone didn’t live up to its promise.

The proposed order bans the company and its CEO Scott Zuckerman from advertising, promoting, or selling any monitoring app or service. In addition, they’ll have to delete all information collected from their stalkerware apps. In an important provision to alert people who have been victimized by its products, the company must notify owners of devices on which SpyFone’s apps were installed about the monitoring and that their devices might not be secure. Once the proposed settlement appears in the Federal Register, the FTC will receive public comments for 30 days.

The case underscores the FTC’s commitment to challenging illegal practices related to consumer privacy and data security. Companies found selling similar apps that blatantly disregard privacy and can be weaponized by abusers and manipulated by hackers will be treated with the same aggressive response the FTC has taken with SpyFone.

Also, the National Domestic Violence Hotline, 800-799-SAFE, offers trained operators and live chat 24/7 to help people connect to a local advocate and create a safety plan. You never know who might need that information right now, so mention the Hotline in a staff newsletter and post the number on a bulletin board in the break room of your business.
