Stalkerware market faces rare federal penalty

24 October 2019 5:48pm
digital stalker

24 October 2019. By Dave Perera.

A stalkerware app developer received a rare federal rebuke today at the hands of the US Federal Trade Commission. Companies behind mobile trackers almost never face penalties despite their high rate of usage by abusers, a state of affairs that may be slow to change even after today’s action by the consumer protection agency.

The FTC barred developer Retina-X Studios and owner James Johns from selling three stalking apps “absent reasonable steps to ensure that the app is being used for legitimate purposes.” The company's three apps, MobileSpy, PhoneSheriff and TeenShield, haven't been available to customers to since April 2018.

The case should be taken as a warning to the spyware industry at large, FTC officials say. “You cannot turn a blind eye” to how users deploy spyware, Democratic Commissioner Rebecca Slaughter told reporters this morning. “If you suspect someone wants to use your product for illegitimate purposes, don’t sell the subscription.”

FTC officials nonetheless acknowledged several times the loophole that lets most spyware app developers evade punishment for selling their wares to abusive partners and stalkers: “legitimate purposes.”

In a statement touting the action, Andrew Smith, director of the FTC’s Bureau of Consumer Protection, repeated the loophole: “Although there may be 'legitimate reasons' to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses,” he said.

Once secretly installed on a device, so-called stalkerware allows a perpetrator to turn on a victim’s camera, track location and eavesdrop on text messages and calls. Survey data suggests a majority of domestic violence survivors had their location tracked through cell phones or another GPS device. Tracking via mobile app is legal in some circumstances when deployed by parents or employers.

Stalkerware app companies are careful to wrap themselves in a cloak of legitimacy. A Danish citizen’s 2014 criminal guilty plea in federal court on stalkerware charges led to an industrywide revamp, said Danielle Citron, a law professor at Boston University who researches privacy.

“They changed their ads from basically acknowledging that they’re stalker apps for disgruntled lovers. All of sudden, the advertising pitch was ‘We’re helpful to parents,’” she said.

That veneer typically stymies the Department of Justice from going after stalkerware developers, especially because federal law doesn’t prohibit surveillance tools from secretly collecting location data, Citron added. Intercepting electronic communications without consent is illegal, but federal attorneys must show enabling devices’ “principal use” is wiretapping or eavesdropping.

In all, criminal prosecutions are extremely rare.

The FTC has difficulties of its own in pursuing stalkerware developers — difficulties notably and unusually absent in Retina-X. Any time the agency encounters “unfair or deceptive” practices, it can go after the companies that perpetuate them.

In practice, it leans heavily on the latter and almost never uses "unfair" as the only reason for enforcement in a privacy case. MLex analysis earlier this year found that only once in the last decade has the FTC relied solely on its power to police unfair practices to take an enforcement action in a privacy case.

Retina-X fits that pattern: A hacker twice penetrated Retina-X servers to access data uploaded by users, incidents that played out in public after the hacker notified journalists. The hack figures prominently in the FTC complaint, serving as the basis of three of five counts.

The agency alleges just one count of an unfair practice.

Even so, agency officials are adamant that today's action will act as a deterrent. The most important count of the Retina-X complaint is the 'unfairness' count,” said Jacqueline Connor, an FTC attorney who worked on the case. A hacked server isn't a prerequisite for the FTC to investigate, she added.

“It can be extremely terrifying when someone knows every activity you have done and is able to follow your location and know exactly where you are at any time,” she said.