In a first-ever case, the Federal Trade Commission took legal action Tuesday against a Florida firm that sold “stalkerware” to let people spy secretly on other people's smartphones and devices and track their calls, texts, photos, physical movements and browser history.
“These apps are not just creepy, they can put victims of stalking and domestic violence at profound risk,” FTC Commissioner Rebecca Slaughter told reporters.
She spoke as the consumer protection agency announced a court agreement with James N. Johns Jr. and his firm, Retina-X Studios LLC, of Jacksonville, Florida.
Parents use stalker apps to monitor their children's online behavior. Employers use them to track what their employees are doing on company-owned mobile devices.
Retina-X ran afoul of the consumer protection agency because it let app purchasers surreptitiously monitor almost everything on the mobile devices on which they were installed without the knowledge or permission of the device's users.
According to the FTC, Retina-X also did not make sure purchasers were using the apps for legitimate purposes.
Additionally, once purchasers installed the app on your phone, they could remove its icon so you would be unaware you were being monitored. And even with respect to legitimate users, the company failed to keep data — including children's information — confidential and safe.
Retina-X sold a total of more than 15,000 subscriptions to stalking apps called Mobile Spy, PhoneSheriff and TeenShield, the FTC said. The apps cost in the range of $89 to $100 a year, according to the firm's website.
“Stalking apps like the ones offered by Retina-X can be extremely dangerous; today's action makes clear that they are also illegal,” Slaughter said.
Tech can aid stalkers, harm victims
Slaughter addressed reporters, accompanied by members of the National Network to End Domestic Violence, and heralded the group as an “important partner” in educating consumers on the risks technology poses in intimate-partner abuse cases.
Slaughter cited a 2014 survey by National Public Radio showing 85 percent of 72 domestic violence shelters in the U.S. it contacted had assisted victims whose abusers had tracked them through the Global Positioning System (GPS), a satellite-based navigation system.
How common is stalkerware?
Cybersecurity firm Kaspersky said that during the first eight months of this year, its antivirus software detected either the presence of stalkerware on devices or attempts to install it in more than 500,000 cases, according to Slaughter.
The Retina-X apps monitored a huge amount of phone activity, including precise GPS locations, text messages sent and received, and photos stored on devices, said Andrew Smith, who directs the FTC's Bureau of Consumer Protection. “In the wrong hands, this information could be used to stalk, harass and abuse a person,” he said.
The firm's products were sold through its websites and not available on Apple's App Store or Google Play, the FTC said.
Purchasers of the apps often needed to circumvent a mobile device's security features, for example, by “jailbreaking” or “rooting” to install the software. These steps give a user unrestricted access to the device and they can expose a device to security vulnerabilities, the FTC said.
Retina-X instructed purchasers on how to hide the monitoring apps installed on mobile devices so users would never know they were being stalked. Once installed, the purchaser could remotely monitor the user's activity from an online dashboard provided by the firm.
FTC spokeswoman Juliana Gruenwald said the agency does not enforce any federal laws that specifically ban spyware, though such apps may be addressed in state and federal criminal law.
Pact requires firm to make changes
The agreement bans Retina-X from selling monitoring products that require circumventing security protections on devices, Gruenwald said. The firm must obtain a written statement from future purchasers that they will use the products for lawful purposes and they must include an app icon on any targeted device.
“We think these additional steps will help weed out illegitimate uses while allowing legitimate ones,” she said.
Parents, for example, may monitor a minor child; employers may watch workers who give written consent; and adults may track another adult who has consented in writing, the court agreement said.
The agreement requires the firm to destroy all personal information — such as Social Security and driver's license numbers, dates of birth and credit card information — previously collected with their monitoring apps and to set up a comprehensive information-security program.
The Retina-X website has a notice dated March 15, 2018, that says the company had been the victim of “sophisticated and illegal hackings” and would offer prorated refunds to people who bought one of the three monitoring services.
The FTC alleges a hacker accessed the firm's cloud storage account twice between February 2017 and February 2018 and deleted certain information.
Attorney Richard B. Newman, who represents Retina-X, said in an email Tuesday: “While the firm's clients were the unfortunate victims of a skilled hacker, they would like to thank the FTC for its professionalism during the course of the investigation.”
Steps to make you safer
If you are worried about a stalking app on your device, the FTC urges:
- Check whether your smartphone has been “jailbroken” or “rooted,” which allows control over your phone by weakening its security protections. “Root checker” apps help identify if this occurred.
- Get help. Law enforcement and domestic-violence advocates can help you identify tech misuse and create a safety plan. Law enforcement can determine if spyware is on your phone. Domestic-violence advocates can advise you on preserving evidence of abuse before you make changes to your phone. If possible, ask people for help using a device other than the one that might carry a stalking app.
- Get a new smartphone or reset your phone. It might be safest to get a new smartphone with an account that an abuser can't access. If you keep your smartphone, remove the stalking app by factory-resetting the phone and reinstalling the manufacturer's operating system. Do not reinstall programs or content from the old phone or your cloud, as this could re-install the spyware.