Apps surveilled physical movements, phone use, online activity through hidden hack that exposed device owners to stalkers, abusers, hackers, and other threats
Today, the Federal Trade Commission banned SpyFone and its CEO Scott Zuckerman from the surveillance business over allegations that the stalkerware app company secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack. The company’s apps sold real-time access to their secret surveillance, allowing stalkers and domestic abusers to stealthily track the potential targets of their violence. SpyFone’s lack of basic security also exposed device owners to hackers, identity thieves, and other cyber threats. In addition to imposing the surveillance-business ban, the FTC’s order requires SpyFone to delete the illegally harvested information and notify device owners that the app had been secretly installed.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection. “The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security. This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.”
This is the second case the FTC has brought against stalkerware apps, and the first where the FTC is obtaining a ban. In a complaint, the FTC alleged that Support King, LLC, which did business as SpyFone.com, and its CEO sold stalkerware apps that allowed purchasers to surreptitiously monitor photos, text messages, web histories, GPS locations, and other personal information of the phone on which the app was installed without the device owner’s knowledge.
To install its software, SpyFone required purchasers who used the apps on Android devices to bypass many of the phone’s restrictions. The stalkerware company also provided instructions on how to hide the app so that the device user was unaware the device was being monitored, the FTC alleged. To use some functions, such as monitoring email, purchasers had to “root” the phone on which the app was installed, which could also void warranties and expose the device to security risks.
The illegal secret surveillance provided by the apps made it easy for stalkers and abusers to monitor their potential targets and steal sensitive information about their physical movements, phone use, and online activities. For example, some of the products allowed a purchaser to see the device’s live location and view the device user’s emails and video chats.
The stalkerware app company not only illegally harvested and shared people’s private information, it also failed to keep it secure. The FTC alleges that SpyFone did not put in place basic security measures despite promising that it took “reasonable precautions to safeguard” the information it illegally harvested. The stalkerware apps’ security deficiencies include not encrypting the personal information they stored, including photos and text messages; failing to ensure that only authorized users could access personal information; and transmitting purchasers’ passwords in plain text.
Moreover, after a hacker accessed the company’s server and obtained personal data of about 2,200 consumers in August 2018, the company promised purchasers that it would work with an outside data security firm and law enforcement authorities to investigate the incident. The FTC, however, alleges that the company failed to follow through on this promise.
In addition to banning Support King and Zuckerman from offering, promoting, selling, or advertising any surveillance app, service, or business, the proposed settlement requires them to delete any information illegally collected from their stalkerware apps. It also orders them to notify owners of devices on which SpyFone’s apps were installed that their devices might have been monitored and the devices might not be secure.
The Commission voted 5-0 to issue the proposed administrative complaint and to accept the consent order with the company. Commissioner Rohit Chopra issued a separate statement.
The FTC will publish a description of the package in the Federal Register soon. The proposed order will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposal final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $43,280.
The Federal Trade Commission works to promote competition, stop deceptive and unfair business practices and scams, and educate consumers. Report fraud, scams, or bad business practices at ReportFraud.ftc.gov. Get consumer advice at consumer.ftc.gov.