Last week, the US Federal Trade Commission (FTC) interpreted its broad consumer protection mandate to file a first-of-its-kind enforcement action against the developer of three mobile stalkerware applications. The developer was banned from further selling the apps unless significant changes were made in design and functionality.
The FTC's required changes address notification procedures and language, built-in mobile device security, written consent, and proper cybersecurity documentation and policies.
Together, the requirements potentially create the first set of "standards" for what an app must include if it has features that can monitor another user's device. However, the potential impact of those requirements, which do not apply to any other current stalkerware developers, remains in question.
Two anti-stalkerware advocates, Erica Olsen (who leads the National Network to End Domestic Violence's Safety Net program) and Eva Galperin (cybersecurity director at the Electronic Frontier Foundation), welcomed news of the FTC case, though to varying degrees.
"I absolutely think this is exciting, and it's needed, and it's an important precedent to set," Olsen said, adding that the FTC's case is just a first step, and that extra work is needed to hold stalkerware makers and abusers fully accountable.
In speaking with Business Insider, Galperin worried about what the FTC actually targeted.
"I'll take what I can get," Galperin said. "The basis of the [FTC's] action is not that [the stalkerware developer] is making stalkerware, it's that they're not making secure stalkerware."
On October 22, the FTC announced that an investigation into the Florida-based company Retina-X Studios LLC and its owner, James N. Johns Jr., produced several alleged violations of both the Children's Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act (FTCA), which prohibits companies from deceiving their customers.
In comments at a media briefing the same day, FTC Bureau of Consumer Protection Director Andrew Smith said that Retina-X's three apps (MobileSpy, Phone Sheriff, and TeenSafe) "allowed purchasers to surreptitiously monitor almost everything on the mobile devices on which they were installed, all without the knowledge or permission of the mobile device's user."
The three apps, which have been featured in Motherboard's series "When Spies Come Home" and in Malwarebytes Labs' own reporting, allowed users to spy on another user's device, granting them access to text messages, emails, phone calls and logs, GPS location data, and web browser activity. These apps, and others with similar features, have become a prominent hallmark of domestic abuse relationships. They are a serious threat to users everywhere.
According to an FTC spokesperson, the Commission recognized this threat.
"The FTC is always looking to protect consumers, and most especially vulnerable populations," the spokesperson said. "We understand that consumers have a growing reliance on technology, and its misuse can cause new forms of abuse and be used as a tool to amplify harms, including in domestic violence situations."
The FTC alleged that Retina-X and Johns Jr. failed users in several ways.
Retina-X allegedly failed to protect the data it was collecting, which included "GPS locations, text messages and other personal information from children." Retina-X also allegedly allowed app purchasers to "access sensitive information about device users, including the user's physical movements and online activities."
The FTC also criticized Retina-X because, for its apps to be installed on a device, that device first had to be jailbroken or rooted, a process that the FTC said "exposed the devices to security vulnerabilities and likely invalidated manufacturer warranties."
Further, the FTC called out Retina-X for its supposed privacy promise to users. Though the company told app purchasers that their "private information is safe with us," Retina-X actually suffered two data breaches. Worse, the FTC said that Retina-X did not learn about the 2017 breach until a journalist with Vice contacted the company, having received a tip from the hacker themselves.
In 2018, nearly the exact same scenario happened again. Following the second breach, Retina-X shut down its apps "indefinitely."
According to the FTC and Vice, the hacker accessed login names, encrypted login passwords, text messages, GPS locations, contacts, and photos.
In recent years, the FTC has shown strong interest in trying to protect consumers harmed by company data breaches.
In 2017, the FTC reached a settlement with Uber, after an investigation found that the ride-hailing company failed to prevent unauthorized access to a cloud server storing sensitive consumer data. This year, the Commission reached a settlement with Equifax over the credit reporting agency's 2017 data breach that affected 147 million Americans.
Along the way, the FTC has also provided guidance to consumers affected by the Marriott data breach and the more recent Capital One data breach.
An FTC spokesperson declined to comment on the origins of the investigation.
"FTC investigations are nonpublic so we don't discuss why we started a particular investigation," the spokesperson said.
Though the FTC cannot issue monetary penalties for first-time offenders of the Federal Trade Commission Act, it can try to curb deceptive and dangerous behavior by getting companies and individuals to sign "consent orders." If any party that has signed a consent order then violates that order in the future, the FTC can issue monetary penalties.
The consent order presented to Retina-X and Johns Jr. has already been signed. It includes permanent rules that Retina-X and Johns Jr. must comply with should they ever try to engage in "promoting, selling, or distributing" any software application, program, or code that can be installed by one user onto another user's device to track their activity.
To start, Retina-X and Johns Jr. cannot work on any monitoring app that would require a user to jailbreak or root or otherwise circumvent the built-in security of an end-user's device. Retina-X and Johns Jr. also must ensure that any monitoring app they work on requires "written attestation" from its users that they will use the app for "legitimate and lawful" purposes.
According to the FTC, "legitimate and lawful" purposes for a monitoring app include only the following:
Further, any app that Retina-X and Johns Jr. work on cannot give users the option to hide the app's icon from an end-user's device screen.
The FTC further stated that end-users should be able to "click" an app icon to reach a page that clearly and conspicuously tells the user the name of the app, its functions, that it is present and running on the end-user's device, and information on how to contact the app's representatives in case of wrongful installation.
NNEDV's Olsen spoke positively about the new notification requirements.
"We're big on notifications," Olsen said. "It's not that there's not a time and a place and use for certain types of monitoring apps, but the way these (MobileSpy, Phone Sheriff, TeenSafe) were obviously developed were clearly for a misuse, so, I think this is a great precedent."
Olsen said that the FTC contacted NNEDV weeks before its public announcement, and that the commission and the organization worked together to develop shared images and language.
Olsen also said that, following communication with the FTC, NNEDV updated its own pages on stalkerware and spyware, including one resource on "Phone Surveillance & Safety for Survivors," and another on "Computer Surveillance & Safety for Survivors."
"This space is always changing a bit," Olsen said, "so we tried to make sure that, when we're connecting with people, we're verifying and understanding the tech as much as possible."
The majority of the FTC's remaining rules in its consent order focus on data collection, cybersecurity, and reporting protocols.
Should any monitoring app that Retina-X and Johns Jr. work on have an associated website, that website must have a home page that clearly states that the app can only be used for "legitimate and lawful" purposes. An additional, similar notice must be provided on any "purchase page" for users who buy any such monitoring app; otherwise the purchase cannot be allowed.
Further, Retina-X and Johns Jr. must, within 120 days, "destroy all Personal Information collected from a Monitoring Product or Service prior to entry" of the consent order.
Retina-X and Johns Jr. must also implement an information security program and obtain third-party assessments of that program every two years. Retina-X and Johns Jr. must also provide annual certifications to the FTC that show whatever monitoring product they work on is in compliance with the consent order. Also, the two must report to the FTC "covered incidents," such as data breaches that already carry notification requirements in every state, within 10 days of discovery.
Finally, if Retina-X and Johns Jr. decide to continue their business, or start a new one, a "compliance report" must be submitted to the FTC in one year detailing the primary physical, postal, and email addresses, and telephone numbers, of any business operations. For the next 10 years, Retina-X and Johns Jr. must report to the FTC, within 14 days, any changes to business names and residence address, any creation, merger, or sale of the business or its subsidiaries, and, for Johns Jr. specifically, any changes to his title or role.
Not since 2014 has a stalkerware developer faced federal enforcement against their actions. That year, the FBI indicted a man for allegedly conspiring to sell and advertise the stalkerware app "Stealth Genie." Months later, a US District judge ordered the permanent stop to the advertising, marketing, or sale of the app.
At last week's media briefing, FTC Bureau of Consumer Protection Director Smith said that, though the Commission's actions against Retina-X were the first against a stalking app developer, they may not be the last.
"Although there may be legitimate reasons to track a phone, [Retina-X's] apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses," Smith said. "Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product."
Olsen said that the FTC's work in this area is just one piece of a much larger puzzle.
"What needs to happen is, there needs to be continued conversation on whether there are gaps in federal law and state law that would prevent these apps from being developed in the first place, or to hold people accountable after," Olsen said. "There is still a lack of civil remedies for people to go after companies on these things."
Moreover, Olsen explained that a multi-pronged approach is required to better stop stalkerware. That includes better educating and equipping local law enforcement to find and detect stalkerware on mobile devices, she said.
Overall, the FTC's new front appears to be a welcome one. However, the effort against stalkerware continues.
"It's three apps, and there are hundreds more," Olsen said. "There's still a lot of work that needs to be done."
If you or a loved one are the victim of domestic abuse, remember that you can call the National Domestic Violence Hotline at 1-800-799-7233, or can visit their website from a safe device at thehotline.org.
The post Stalkerware developer dealt new blow by FTC appeared first on Malwarebytes Labs.