The FTC wants to ban a stalkerware app maker and make it notify victims. Is that enough?
IMAGE: Rodion Kutsaev
Andrea Peterson September 2, 2021

The FTC wants to ban a stalkerware app maker and make it notify victims. Is that enough?

Andrea Peterson

September 2, 2021

The FTC wants to ban a stalkerware app maker and make it notify victims. Is that enough?

The Federal Trade Commission announced Wednesday a proposed settlement with Support King, the company behind alleged Android stalkerware app SpyFone, and its CEO Scott Zuckerman that will ban the company and Zuckerman from the surveillance business, delete data it harvested, and seek to notify victims. 

“This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security,” Samuel Levine, Acting Director of the FTC’s Bureau of Consumer Protection, said in a press statement.  

The FTC “will be aggressive” about seeking bans of companies and executives that “egregiously invade our privacy,” he added — signalling an escalation in the agency’s crackdown on stalkerware apps, which began with a case brought against developers of similar tools in 2019. 

Although stalkerware apps are often ostensibly marketed as a way to monitor children or employees, their capabilities and surreptitious nature have made them a popular tool among abusers. The apps have been on the rise for years—and can have a devastating effect on victims, in part because such surveillance can out their attempts to leave abusive situations. 

FTC Commissioners voted unanimously in favor of the settlement, which they will make a final decision on after a 30 day public comment period. 

However, Commissioner Rohit Chopra released a separate statement arguing the agency’s action wasn’t enough. Victims also deserved financial compensation and law enforcement should consider criminal action, he suggested:

While this action was worthwhile, I am concerned that the FTCwill be unable to meaningfully crack down on the underworld of stalking apps using our civil enforcement authorities. I hope that federal and state enforcers examine the applicability of criminal laws, including the Computer Fraud and Abuse Act, the Wiretap Act, and other criminal laws, to combat illegal surveillance, including the use of stalkerware.

SpyFone allowed customers to secretly monitor the devices of their victims—including their real-time locations, texts, and online activities—as a subscription service, the FTC’s complaint alleges, with prices starting at just $99.95 a year. The “Extreme” version of the app could also remotely take pictures, record audio via the device microphone, record calls, and force the device to vibrate or ring on command, according to the advertising copy in the complaint. 

The company provided users with instructions for how to install and hide the app from victims. For those less technically inclined, it also offered an “Xpress” option for $495 where people could buy a year subscription and a device with the malware already installed, according to the complaint. 

Installing the app required bypassing security measures and, in some cases, rooting the phone—which could leave it more vulnerable to other security risks, the FTC noted. But the company didn’t just allow customers to spy on victims, its systems left data collected about them unsecured. 

In 2018, a researcher discovered terabytes of data from SpyFone including photos, audio, texts, browsing histories, and location information leaked online due to a misconfigured Amazon S3 bucket, Motherboard reported. The company didn’t follow through on promises to investigate the data breach with an outside security firm and law enforcement, according to the FTC. 

In a report released by ESET earlier this year, researchers found “more than 150 security issues in 58 Android stalkerware apps.“ They also observed “almost five times more Android stalkerware detections” in 2019 versus 2018—and 48% more of such detected between 2019 and 2020. 

Support King did not respond to a request for comment. 

The company and Zuckerman “neither admit nor deny any of the allegations” in the complaint as part of the proposed consent order. However, both will be “permanently restrained” from work related to “Monitoring Products or Services.” The company must also delete all the data it collected, as well as seek to inform both its customers and their victims about the FTC action, among other requirements. 

People who used the services will receive an email notifying them about the FTC settlement and reminding them “that it is against the law to monitor other adults without their permission.”

Victims are set to receive a “Clear and Conspicuous” notification on their mobile devices that reads, in part: 

Someone may have secretly monitored your phone. 

The Federal Trade Commission has alleged that Support King sold illegal monitoring products, which may have been installed on this phone. 

The software has been disabled. This phone may still not be secure. Photos, emails, texts, and location were collected from this phone. 

The device notification will also include a link to the FTC’s blog and the number for the National Domestic Abuse Hotline—1-800−799−7233.

Andrea (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy ThinkProgress (RIP), then The Washington Post from 2013 through 2016, before doing deep dive public records investigations at the Project on Government Oversight and American Oversight. Their work has also been published at Slate, Politico, The Daily Beast, Ars Technica, Protocol, and other outlets. Peterson also produces independent creative projects under their Plain Great Productions brand and can generally be found online as kansasalps.