
FTC to Developers: Get Consent


The Federal Trade Commission charged the developer of three stalking apps with violating consumer privacy and warned that developers need to make sure their apps are being used legally.

Stalkerware apps allow one person—the owner of the software—to install the software onto a device and monitor the activities of the person using that device. Depending on the particular app, the software can intercept text messages and calls, track GPS locations, and see what photos have been taken, among other things. Monitoring tools serve a legitimate purpose, as employers may use them to track employee activity on company equipment, or parents to monitor their children's whereabouts as well as online activity. Stalking apps, however, go beyond just monitoring, as they are designed to be installed in a way that the person being monitored does not know the app is on the device. In the hands of abusive partners or ex-partners, stalkerware becomes a dangerous tool.

"These apps are not just creepy—they can put victims of stalking and domestic violence at profound risk," FTC commissioner Rebecca Slaughter said on a call with journalists.

The FTC action was against Retina-X Studios and its founder James Johns Jr., the maker of MobileSpy, PhoneSheriff, and TeenShield. There were three violations of the law: mishandling information on children, failing to safeguard information, and allowing users to use its products to spy on others without consent, the FTC said. Retina-X is required to destroy all data collected by the apps and make changes to its security program to properly protect the data it holds. The settlement states that future Retina-X apps will not require the device to be jailbroken or rooted.

Retina-X ceased selling the apps in 2018 and has shuttered operations indefinitely, so there may not be a new Retina-X app anytime soon, but the FTC complaint and statement are relevant for other developers because they emphasize user consent.

Consent Matters

The FTC complaint found that the company used "soothing language" in its privacy policy, assuring users that the data was properly stored. That was not the case: an attacker managed to steal the credentials to the company's servers twice, accessing and erasing sensitive data. The company also collected information about minors, so it ran afoul of the Children's Online Privacy Protection Act.

"Retina-X knowingly collected personal information from children under the age of 13 through the TeenShield product, but failed to honor the COPPA Rule’s requirement to maintain reasonable procedures to protect the confidentiality, security, and integrity of that data," the FTC said.

However, the biggest part of the FTC complaint centered around the fact that the owners of the devices didn't know the stalkerware apps had been installed. The app made sure there were no icons on the device screen indicating its presence.

The owners of the app—the ones who bought the app from Retina-X—are the ones who see the data being collected, but the people actually using the device are not aware that information about them—their text messages, the names and phone numbers of the people they are in touch with, and details of their physical whereabouts—is no longer under their control.

It is the hidden nature of the app that the FTC said violated the law. This wasn't a case of an employer enforcing its stated policy that employees will be monitored, or of parents telling their kids they will be keeping tabs on them. These apps were used to turn the victims' devices into spying devices against them.

"Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background, and are uniquely suited to illegal and dangerous uses," Andrew Smith, director of the FTC's Bureau of Consumer Protection, said in a statement.

Retina-X's apps were not available through Apple's App Store or Google Play, but only through the company's website. The fact that purchasers had to jailbreak or root the devices in order to install the apps, which voided the device warranty and weakened the device's security protections, was another thing the FTC found troubling. The user didn't know their device was jailbroken—which could have exposed them to other security issues.

Arbiters of Legitimacy

The FTC went beyond just stating that consent (and awareness) of the person using the device was necessary. It also said developers needed to think about how their software could be used, and make sure customers were using it legitimately. If an app requires rooting or jailbreaking when similar apps on the market don't, that is a pretty good indicator that the app can be used in a harmful way, the FTC said. The developer can't "claim ignorance" about how the product is being used.

"Take reasonable steps to ensure your product is used only for lawful purposes," the FTC said.

If the company suspects the customer will be using the app in a way that will be harmful or illegal, then the company "should not sell the subscription," Slaughter said on the call. Retina-X is believed to have sold about 15,000 subscriptions across its three apps.

"The settlement with the FTC respects the fact that you shouldn't throw out the baby (parents monitoring their young kids' activity) with the bathwater (installing Retina-X apps without the device owner's consent)," said Karen Maxim, head of legal at Keybase.io. "At the end of the day, the FTC asks only that companies take 'reasonable steps' to ensure that their products are used lawfully. That's all a company is able to do, anyways."

The FTC makes clear with this enforcement action that the data belongs to the person who is generating the information, not the one paying for the information to be collected.