The Federal Trade Commission unanimously voted to ban spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leave them on the open Internet.
The agency said SpyFone “secretly collects and shares data on people’s physical movements, phone use and online activities through hidden device hacking,” allowing the spyware buyer to ” view the live location of the device and view the device user’s emails and video chats.
SpyFone is one of the many so-called “stalkerware” applications that are marketed under the guise of parental controls but are often used by spouses to spy on their partners. Spyware works by being installed on someone’s phone surreptitiously, often without their permission, to steal their messages, photos, web browsing history, and real-time location data. The FTC has also accused the spyware maker of exposing victims to additional security risks because the spyware runs at the ‘root’ level of the phone, allowing the spyware to access prohibited parts. of the device’s operating system. A premium version of the app included a keylogger and a “live screen display,” according to the FTC.
But the FTC said SpyFone’s “basic lack of security” exposed the data of these victims, due to an unsecured Amazon cloud storage server that spilled data its spyware collected on the phones of more than 2,000 victims. SpyFone said it partnered with a cybersecurity company and law enforcement to investigate, but the FTC says it never did.
In practice, the ban means that SpyFone and its CEO Zuckerman are prohibited from “offering, promoting, selling or advertising any monitoring application, service or business,” which makes it harder for the business to operate. But FTC Commissioner Rohit Chopra said in a separate statement that malware makers would also face criminal penalties under U.S. hacking and wiretapping laws.
The FTC also ordered the company to delete all data it had “illegally” collected and, also for the first time, to notify victims that the app had been secretly installed on their devices.
In A declarationFTC Consumer Protection Chief Samuel Levine said, “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. “
The EFF, which two years ago launched the Coalition Against Stalkerware, a coalition of companies that detects, combats and educates stalkerware, has welcomed the FTC’s order. “With the FTC now focusing on this industry, victims of stalkerware can begin to find comfort in the fact that regulators are starting to take their concerns seriously,” EFF’s Eva Galperin and Bill Budington said in a blog post.
This is the second order by the FTC against a stalkerware maker. In 2019, the FTC settled with Retina-X after the company was repeatedly hacked and ultimately to close.
Over the years, several other stalkerware makers have either been hacked or inadvertently exposed their own systems, including mSpy, Mobistealth, and Flexispy. Another stalkerware maker, ClevGuard, left thousands of phone data of hacked victims on an exposed cloud server.
Read more:
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides free, confidential 24/7 assistance to victims of domestic violence. If you are in an emergency, dial 911.
Got a notification and want to tell your story? You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.
