FTC bans spyware maker SpyFone, and orders it to notify hacked victims

The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history, and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are banned from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

The FTC has also ordered the company to delete all the data it “illegally” collected, and, also for the first time, notify victims that the app had been secretly installed on their devices.

In a statement, the FTC’s consumer protection chief Samuel Levine said: “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security.”

The EFF, which launched the Coalition Against Stalkerware two years ago, a coalition of companies that detects, combats and raises awareness of stalkerware, praised the FTC’s order. “With the FTC now turning its focus to this industry, victims of stalkerware can begin to find solace in the fact that regulators are beginning to take their concerns seriously,” said EFF’s Eva Galperin and Bill Budington in a blog post.

This is the FTC’s second order against a stalkerware maker. In 2019, the FTC settled with Retina-X after the company was hacked several times and eventually shut down.

Over the years, several other stalkerware makers were either hacked or inadvertently exposed their own systems, including mSpy, Mobistealth, and Flexispy. Another stalkerware maker, ClevGuard, left thousands of hacked victims’ phone data on an exposed cloud server.

Read more:

A ‘stalkerware’ app leaked phone data from thousands of victims
How to identify and remove KidsGuard ‘stalkerware’ from your phone
‘Stalkerware’ phone spying apps have escaped Google’s ad ban
A powerful spyware app now targets iPhone owners
A domestic violence prevention app exposed distress recordings
U.S. privacy and civil rights groups urge ban on ‘surveillance advertising’

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911.

Did you receive a notification and want to tell your story? You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.