FTC Orders Spyware Vendor to Stop Business

The FTC has banned a stalkerware vendor called SpyFone and its CEO Scott Zuckerman from working in the surveillance business, the agency said in an announcement on Wednesday. Often companies in this space market their products, which can siphon a target's emails, text messages, and social media data, to abusive partners to spy on their spouses without their consent.

The move is just the second enforcement action the FTC has made against a stalkerware vendor. The first was against Retina-X, and came after Motherboard reported on multiple data breaches from the firm that exposed victims and users' details. In this new case, the FTC also pointed to the exposure of data in their announcement.

"SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information," Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection, said in a statement published with the FTC's announcement. "The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security. This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy."

Spyfone's website describes the company as the "World's Leading Spy Phone App," and claims millions of installations. The site says its malware can collect a target's contacts and monitor their GPS location once installed on a target's device. Typically this sort of commercial spyware requires physical access to the phone to install; access that may be relatively easy for an abusive partner living in the same house as their victim. SpyFone's homepage markets its spyware to people who want to monitor their family. The company is based in Puerto Rico, according to the FTC complaint.

"SpyFone, unlike most other mobile applications, does not appear as an application with an icon on the mobile device. During the installation process for SpyFone Android products, SpyFone gives the purchaser instructions on further steps he or she can take to hide the product on the device so that the device user will be unaware the device is being monitored," the FTC's complaint reads.

The FTC's announcement said that a proposed settlement also requires SpyFone to delete any information illegally collected from its stalkerware apps, and also to notify people who had SpyFone software installed on their phone. The announcement also pointed to an August 2018 data breach in which personal data of about 2,200 consumers was exposed as a reason for the enforcement.

"I like winning," Eva Galperin, director of cybersecurity at activist organization the Electronic Frontier Foundation, who has worked to apply pressure on the stalkerware industry, told Motherboard in a phone call. "I'm actually very excited that this is something that the FTC is doing. They're building on their work they really started with their action against Retina-X."

"They have prioritized the stalkerware companies that in addition to making stalkerware, are also making stalkerware so poorly that they've leaked the data to the public," Galperin added. Galperin said she hoped that the FTC would eventually target stalkerware companies simply in virtue of the product they are selling rather than the exposure of data, "but I understand why they would prioritize the ones that don't even do it well." The reason being that there are clearer mechanisms to follow against companies that do expose data.

Those companies are "doing an even broader harm," Galperin said.

Galprin pointed to the Coalition Against Stalkware, Operation Safe Escape, the National Network to End Domestic Violence, and the EFF's Surveillance Self-Defense guide as resources that victims may turn to if they suspect they've been targeted with stalkerware.