This morning the Federal Trade Commission (FTC) announced it has barred a company behind three pieces of so-called stalkerware from selling any more apps that monitor mobile devices unless they take steps to ensure their software is only used for legitimate purposes.
Stalkerware is malicious software that is installed on phones or computers. Depending on the particular app, stalkerware can intercept text messages and calls, track GPS locations, and much more. Stalkerware is often used in abusive relationships, even if the companies selling the software claim it is only to be used for legally monitoring children or employees. The FTC's case is against a company called Retina-X and its owner, James N. Johns Jr.
"This is our first action against a so-called 'stalking app,'" Andrew Smith, director of the FTC's Bureau of Consumer Protection, said in a statement. "Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses. Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product."
As Motherboard reported, a hacker targeted Retina-X multiple times. The first hack in 2017 involved customer data such as the GPS locations of infected phones, as well as photos, text messages, emails, and contacts obtained by Retina-X's own stalkerware.
"For the customers, realize that when you use spyware like this, you're trusting one company or another to hold the data. For people who have been spied on, I can only say that I'm sorry their privacy has been invaded on so many levels," the hacker behind the Retina-X breach told Motherboard at the time. Retina-X's products include apps such as PhoneSheriff, MobileSpy, and TeenShield.
The following year, the hacker breached the company and wiped its servers again.
Pointing to these breaches, the FTC announcement alleges that Retina-X did not properly secure the data collected by its software.
"Despite these failures, the legal policies for all three apps claimed that, 'Your private information is safe with us,'" the announcement added.
Specifically, the FTC alleges that Retina-X and Johns violated the FTC Act's prohibition against unfair and deceptive practices, as well as the Children's Online Privacy Protection Act (COPPA). COPPA requires operators to secure the information they collect from children under 13, the announcement notes.
The FTC writes that Johns and Retina-X must obtain third-party assessments of their information security program every two years. The vote by the FTC Commissioners to issue the complaint against Retina-X was 5-0, the announcement reads.
"I'm happy to see the FTC taking action against stalkerware, but the devil is in the details. I will be watching closely to see what steps Retina-X takes to make sure their apps are only being used for 'legitimate purposes,'" Eva Galperin, director of cybersecurity at the activist group the Electronic Frontier Foundation, who has researched stalkerware extensively, told Motherboard in an online chat. "Depending on the ways in which these apps are used and the jurisdictions involved, using these apps to monitor children or employees is not necessarily legal either."
Retina-X may not have a product to audit, though. After the second hack, Retina-X announced it was shutting down indefinitely.
Richard Newman, a lawyer handling the case for Retina-X, told Motherboard in an email, "While the firm’s clients were the unfortunate victims of a skilled hacker, they would like to thank the FTC for its professionalism during the course of the investigation."
Updated: This piece has been updated with comment from Retina-X's lawyer.