In context: Surrvelience apps have been around for a while, but you rarely see developers prosecuted, sued, or otherwise punished when someone discovers it on their device. This is because it is not illegal to make such software. It is only unlawful for an end-user to install it on someone else's phone without their knowledge.
On Wednesday, the Federal Trade Commission (FTC) announced a ban against spyware developer Support King and CEO Scott Zuckerman from operating in the surveillance industry. The FTC claims that Support King's SpyFone app secretly collected and shared personal information from devices "through a hidden device hack." The Commission said that the company sold this data to stalkers and domestic abusers.
In addition to forbidding the company from operating as a surveillance business, the FTC ordered Support King to clear its servers of all illegally collected data and inform device owners that SpyFone had been secretly installed on their devices.
"The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company's slipshod security," said Acting Director of the FTC's Bureau of Consumer Protection Samuel Levine. "This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy."
The FTC also said that the company provided customers with instructions on how to root Android devices to open up the app's full functionality, which included archiving email, video chats, phone use, online activity, and live GPS positioning. Bypassing the phone's restrictions in this manner opened the device up to exploits from unrelated malicious parties such as identity thieves.
SpyFone also stored the illegally collected data without encryption and transmitted passwords in plain text. This lax security led to a cyberattack in August 2018 that exposed the data of 2,200 consumers. SpyFone promised to work with a third-party security firm to shore up its defenses but never did.
The Commission approved the sanctions in a 5-0 vote and will post the complaint to the Federal Register soon. The public will be allowed to comment on the order for 30 days, after which the FTC will vote to finalize the proposal.
"The Commission is seeking public comment on banning Support King and Scott Zuckerman from licensing, marketing, or offering for sale surveillance products," said Commissioner Rohit Chopra in a separate statement. "This is a significant change from the agency’s past approach. For example, in a 2019 stalkerware settlement, the Commission allowed the violators to continue developing and marketing monitoring products."