The Federal Trade Commission (FTC) recently proposed an order banning SpyFone and its CEO Scott Zuckerman from the surveillance business and ordered the organization to delete all stolen data.
The decision stemmed from allegations that the stalkerware app secretly collected and shared data and failed to implement basic cybersecurity measures in violation of the law.
A hidden device hack allowed the app to record people's physical movements, phone use, and online activity.
The company then sold real-time access to their secret surveillance, which allowed stalkers and domestic abusers to secretly track their victim, according to the FTC. Some of SpyFone's products allowed purchasers to see the device's live location and view user's emails and video chats.
Those who purchased the app received instructions on how to hide the app so that device owners did not know they were being monitored. Purchasers had to bypass many of the restrictions on Android devices to install the app. To use certain functions such as email monitoring, purchasers also had to "root" the phone, which further exposed the device to security threats and could invalidate the warrantee.
The FTC also alleged that SpyFone's lack of basic cybersecurity exposed the owners of devices being tracked to hackers, identity thieves, and other cyber threats. Despite claiming to take "reasonable precautions to safeguard" data, the app failed to encrypt stored personal information, including photos and text messages, or ensure that only authorized users could access personal data. It also transmitted purchasers' passwords in plain text.
After a hacker stole the personal data of around 2,200 individuals in Aug. 2018, SpyFone allegedly promised to work with an outside data security firm and law enforcement to investigate the incident. However, according to the FTC, it never did so.
The FTC voted 5-0 to issue a proposed administrative complaint and accept a consent order banning Support King, LLC, doing business as SpyFone.com, and Zuckerman from offering, promoting, selling, or advertising any surveillance app, service, or business.
The proposed settlement also ordered SpyFone to delete any obtained data from their stalkerware apps. SpyFone must notify device owners that the app has been secretly installed on their device, that they may have been monitored, and that the device may not be secure.
The proposed order will be published in the Federal Register and subject to public comment for 30 days. The FTC will then decide on making the proposal final. "FTC Bans SpyFone and CEO from Surveillance Business and Orders Company to Delete All Secretly Stolen Data" www.ftc.gov (Sep. 01, 2021).