The Federal Trade Commission is seeking its first ban of a “stalkerware” company, signaling an intent to crack down on surveillance technologies that expose individuals’ real-time activities to snoops, hackers and dangerous people.
A complaint released by the agency Wednesday alleges that SpyFone, an app that markets itself as a tool to monitor loved ones’ internet activity, and its CEO Scott Zuckerman sold real-time access to illegally harvested phone data including location and email, enabling surveillance by stalkers and domestic abusers.
The FTC also accused SpyFone of failing to enact basic security measures to safeguard the data it collects, leading to a 2018 data breach that exposed the personal data of roughly 2,200 customers. The FTC alleges that the company failed to follow through on promises to customers that it would upgrade its security after the incident.
In addition to a ban on any future sales or marketing of surveillance technology, the FTC is seeking to require the company to delete illegally harvested information and notify owners of devices that had been tracked.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection, said in a statement. “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.”
SpyFone did not immediately respond to a request for comment.
Technologies used to track and intimidate victims of domestic abuse and harassment, known as “stalkerware,” have existed for years. Like SpyFone, they are often installed in secret and require users to disable phone security protections. Use of stalkerware became even more ubiquitous during the COVID-19 pandemic, antivirus companies report.
Companies have taken some steps to limit sales of the technology in recent years due to push back from privacy experts. However, the continued allowance of stalkerware marketed as a parental control leaves a big loophole for abusers to exploit, experts say.
Moreover, many of those apps share the same apparently shoddy security practices as SpyFone. ESET researchers found earlier this year that dozens of stalkerware apps failed to protect data they collect.
FTC Commissioner Rohit Chopra called the complaint, which passed 5-0, “a significant change from the agency’s past approach.” In its first-ever stalkerware complaint in 2019, the agency reached a settlement requiring the app maker to commit to improving its privacy protections and requiring customers to confirm it was only using the app on children, employees or consenting adults.
Still, Chopra noted that the agency’s power alone won’t be enough to bring down the stalkerware industry.
“While this action was worthwhile, I am concerned that the FTC will be unable to meaningfully crack down on the underworld of stalking apps using our civil enforcement authorities,” he wrote. “I hope that federal and state enforcers examine the applicability of criminal laws.. to combat illegal surveillance, including the use of stalkerware.”
Still, advocates see the step as a win.
“High five to the FTC, which just banned stalkerware maker Spyfone and its CEO from the surveillance business,” Electronic Frontier Foundation cybersecurity director and stalkware expert Eva Galperin tweeted.
The order will be subject to public comment for 30 days before the Commisson decides whether to reach a final order, which could include financial penalties.