FTC Upholds Ban on Stalkerware Founder Scott Zuckerman

FTC Maintains Ban on Stalkerware Vendor Scott Zuckerman

The U.S. Federal Trade Commission has affirmed its prohibition against a creator of stalkerware, preventing a return to the surveillance software market. This decision follows a significant data breach that compromised the personal data of both customers and those subjected to surveillance.

Denial of Petition to Lift Ban

The FTC recently rejected a plea from Scott Zuckerman, founder of Support King and its subsidiaries SpyFone and OneClickMonitor, to revoke the existing ban. Zuckerman had submitted a request in July seeking to either cancel or modify the order.

In 2021, the FTC issued a comprehensive ban, barring Zuckerman from any involvement in the “offering, promotion, sale, or advertising of surveillance apps, services, or businesses.”

Previous Violations and Security Concerns

The agency’s initial order also mandated the deletion of all data gathered by SpyFone and required ongoing security audits and the implementation of robust cybersecurity protocols for Zuckerman’s ventures.

Samuel Levine, formerly the acting director of the FTC’s Bureau of Consumer Protection, stated that SpyFone represented a concerning practice, facilitating the theft of private information by individuals engaged in stalking.

Zuckerman’s Claims and Current Activities

Zuckerman argued in his petition that the security stipulations imposed by the FTC presented financial burdens, hindering his ability to operate other businesses. He currently manages a restaurant and is developing tourism-related projects in Puerto Rico, according to the petition.

Attempts to reach Zuckerman for comment via email were unsuccessful, with inquiries directed to his legal counsel.

The 2018 Data Breach

The FTC’s original ban stemmed from a 2018 security incident. A researcher discovered an exposed Amazon S3 bucket associated with SpyFone, revealing highly sensitive data to public access.

Exposed Data Details

This exposed data encompassed a wide range of personal information, including selfies, text messages, chat logs, audio recordings, contact details, hashed passwords, and login credentials.

The breach affected 44,109 unique email addresses and contained data from 3,666 phones with SpyFone installed, including “at least 2,208 current ‘customers’” and numerous photos and audio files.

Circumvention Attempts and Continued Activity

Despite the 2021 FTC order, reports surfaced less than a year later suggesting Zuckerman was involved in another stalkerware venture. TechCrunch received breached data from the SpyTrac app in 2022.

Investigations revealed that SpyTrac was operated by developers with direct links to Support King, indicating an effort to bypass the FTC’s ban.

The compromised data also included records from SpyFone – which Zuckerman was ordered to delete – and access keys for OneClickMonitor, another of his stalkerware applications.

Expert Reaction and Concerns

Eva Galperin, a leading stalkerware expert, welcomed the FTC’s decision. She noted that Zuckerman appeared to have anticipated that a period of inactivity would lead to the ban being forgotten.

Galperin, director of cybersecurity at the Electronic Frontier Foundation, added that the 2022 revelations suggested Zuckerman had not addressed the issues that led to the initial ban.

The Risks of Stalkerware

Stalkerware applications enable surreptitious monitoring of individuals’ phones and devices. Beyond facilitating potentially illegal actions, these companies have repeatedly demonstrated an inability to safeguard the privacy of both their customers and those being monitored.

Over the past eight years, at least 26 stalkerware companies have experienced data breaches or left sensitive information exposed online, highlighting a consistent pattern of security failures.