FTC Bans SpyFone Company, CEO From Surveillance Business
Company Directed to Delete All Secretly Stolen Data
The U.S. Federal Trade Commission has, for the first time ever, banned a company and its CEO from the surveillance business in the U.S. Stalkerware service provider company SpyFone and its CEO, Scott Zuckerman, were banned for allegedly harvesting and sharing data through a hidden backdoor.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” says Samuel Levine, acting director of the FTC’s Bureau of Consumer Protection. “The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security.”
The FTC approved the ban after it had lodged an administrative complaint against Support King LLC, a Puerto Rico-based limited liability company that formerly did business as SpyFone.com.
“This is a significant change from the agency’s past approach,” says Commissioner Rohit Chopra. “For example, in a 2019 stalkerware settlement, the commission allowed the violators to continue developing and marketing monitoring products.”
Referring to the SpyFone case, Levine says: “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security. We will be aggressive about seeking surveillance bans when companies and their executives egregiously invade our privacy.”
The Spy in Your Phone
On its official website, SpyFone claims to be the “world's leading spy phone app” that's available for free. The company describes its offerings as a helpful means to “watch over your children and family members.”
The company markets its product as providing spying features, such as GPS monitoring, phone contact list scanning, an emergency panic button, lost phone tracking and a soon-to-be-released geofencing feature. It also boasts of having a corporate version of the app that it claims employers can use to “protect [their] company from inappropriate usage.”
The SpyFone app, however, requires its purchasers to bypass many of the targeted phone’s restrictions, according to the FTC. “The stalkerware company provided instructions on how to hide the app so that the device user was unaware the device was being monitored,” its statement says.
To use some functions, such as monitoring email, purchasers have to “root” the phone on which the app is installed, which could void warranties and expose the device to security risks, the FTC adds.
2018 SpyFone Data Leak
Apart from the privacy intrusion concerns, the FTC also referenced an August 2018 incident in which the company allegedly failed to protect its customers’ data.
SpyFone was found to be leaking data through a poorly maintained Amazon S3 bucket. The leak reportedly affected 2,200 consumers and "several terabytes of data," including photos, audio recordings, text messages and web history, an anonymous security researcher told the publication Motherboard.
Motherboard reported that the researcher had been able to create privileged administrator accounts and view customers’ data due to a misconfigured Amazon S3 bucket.
The researcher, who declined to be identified for fear of governmental sanctions, told Motherboard that SpyFone left an API unprotected, giving anyone who could guess the URL viewing rights to an up-to-date list of its customers.
The FTC statement about its SpyFone ruling says: "The stalkerware apps’ security deficiencies include not encrypting personal information it stored, including photos and text messages; failing to ensure that only authorized users could access personal information; and transmitting purchasers’ passwords in plain text."
Other Directives for SpyFone
The FTC has proposed a settlement in which Support King LLC would be required to notify the owners of all the devices on which the stalkerware apps were installed that their devices were surveilled and are likely no longer secure.
The FTC also directed SpyFone and its CEO, Scott Zuckerman, to delete any information and data illegally collected using the stalkerware apps.
Talking about the possibility of criminal law enforcement charges, Commissioner Chopra stated: “The FTC’s proposed order in no way releases or absolves Support King or Scott Zuckerman of any potential criminal liability. I hope that federal and state enforcers examine the applicability of criminal laws, including the Computer Fraud and Abuse Act, the Wiretap Act, and other criminal laws, to combat illegal surveillance, including the use of stalkerware.”
The move comes shortly after an outcry in July against Israel's NSO Group following revelations about its Pegasus government surveillance tool being used to spy on human rights activists, lawyers, journalists and politicians.