FTC Bans Spyfone: Spyware Maker Ordered to Notify Victims

FTC Issues Landmark Ban on SpyFone and CEO for Surveillance Practices

The Federal Trade Commission has issued a unanimous ruling to prohibit SpyFone, alongside its CEO Scott Zuckerman, from participating in the surveillance industry. This represents the first order of its kind from the agency.

The FTC alleges that SpyFone engaged in the clandestine collection and dissemination of data pertaining to the physical locations, phone usage, and online activities of thousands of individuals. This information was reportedly left accessible on the public internet.

Details of SpyFone’s Data Harvesting

According to the agency, SpyFone employed a hidden device hack to secretly gather and share sensitive data. Purchasers of the spyware were granted the ability to monitor a device’s real-time location and access private communications like emails and video chats.

SpyFone falls into a category of applications often referred to as “stalkerware.” These apps are frequently marketed as parental control tools, but are often misused by individuals to secretly monitor their partners.

The spyware operates by being installed on a device without the owner’s knowledge, enabling the theft of messages, photos, browsing history, and location data. Security risks were also heightened due to the spyware’s operation at the “root” level of the phone’s operating system.

Data Exposure and Security Concerns

A premium version of the app included features such as a keylogger and “live screen viewing,” as detailed by the FTC. However, the agency asserts that SpyFone’s inadequate security measures led to data exposure.

Specifically, an unsecured Amazon cloud storage server resulted in the leakage of data collected from over 2,000 victims’ phones. Despite claims of investigation with a cybersecurity firm and law enforcement, the FTC contends that SpyFone did not take appropriate action.

Impact of the FTC Ban and Future Considerations

The ban prevents SpyFone and Zuckerman from offering, promoting, selling, or advertising any surveillance-related apps, services, or businesses. This action significantly restricts the company’s operational capabilities.

FTC Commissioner Rohit Chopra has suggested that stalkerware manufacturers should also be subject to criminal penalties under existing U.S. computer hacking and wiretap laws.

The FTC has mandated that the company delete all illegally obtained data and, for the first time, notify individuals whose devices were secretly compromised by the app.

Industry Response and Previous Actions

Samuel Levine, the FTC’s consumer protection chief, emphasized that surveillance-based businesses present a substantial threat to safety and security.

The Electronic Frontier Foundation (EFF), which established the Coalition Against Stalkerware, lauded the FTC’s order. The EFF stated that the action provides hope to victims of stalkerware, signaling a growing regulatory focus on their concerns.

This marks the FTC’s second enforcement action against a stalkerware developer, following a 2019 settlement with Retina-X after multiple security breaches led to the company’s closure.

Numerous other stalkerware companies, including mSpy, Mobistealth, Flexispy, and ClevGuard, have experienced data breaches or inadvertently exposed user data through unsecured systems.

Further Reading

• A ‘stalkerware’ app leaked phone data from thousands of victims
• How to identify and remove KidsGuard ‘stalkerware’ from your phone
• ‘Stalkerware’ phone spying apps have escaped Google’s ad ban
• A powerful spyware app now targets iPhone owners
• A domestic violence prevention app exposed distress recordings
• U.S. privacy and civil rights groups urge ban on ‘surveillance advertising’

If you or someone you know requires assistance, the National Domestic Violence Hotline (1-800-799-7233) offers 24/7 confidential support to those affected by domestic abuse and violence. In emergency situations, please call 911.

If you have received a notification and wish to share your experience, you can reach this reporter via Signal and WhatsApp at +1 646-755-8849 or by email at zack.whittaker@techcrunch.com.