The U.S. Federal Trade Commission (FTC) continues to go on the offensive against tech companies violating the privacy of everyday consumers. In recent months, the FTC has levied a massive $5 billion fine against Facebook and a $170 million fine against YouTube. Now the main federal agency tasked with the mission of looking after the best interests of U.S. consumers is turning its attention to monitoring apps, also known as “stalker apps.” For the first time ever, the FTC has now brought a case against the developers of stalking apps.
The FTC case against the developers of monitoring apps
In its case against Florida-based Retina-X Studios LLC, the FTC alleges in a public comment that the company and its owner (James N. Johns, Jr.) had created a set of three different mobile apps – MobileSpy, PhoneSheriff and TeenShield – designed to provide online and physical tracking of individuals. While the apps were marketed and promoted as a way for parents to track their kids and businesses to track their employees, it was clear that they were also being used for a wide range of other, more nefarious activities beyond just monitoring employees and children. In fact, they were uniquely suited to illegal activities.
For example, once installed, the monitoring apps could be used by domestic violence abusers to target and control their victims, or by criminals to drain the bank accounts of unsuspecting users. As a result of this proposed settlement, the FTC has banned any further sale of these monitoring apps until Retina-X can prove that they have taken specific steps to ensure that these monitoring apps will only be used for legitimate purposes. The FTC has also set a requirement that the app developers must overhaul how they are collecting and storing data, add new security protections for the way data is collected, and improve the way they are working with third-party service providers to store any personal information collected.
Privacy and security violations
There’s a lot to unpack here, and the director of the FTC’s Bureau of Consumer Protection has laid out a very convincing case why these three monitoring apps should never have been available in the first place. It’s not like the apps were being sold on the Dark Web, either. Until recently, you could download them from publicly available app platforms, such as the App Store. In fact, the FTC notes that Retina-X had actually sold over 15,000 subscriptions on a combined basis for all three of its monitoring apps.
One of the primary security issues involved with these monitoring apps was that they required users to bypass mobile device manufacturer restrictions – something that should have been a clear tip-off to app users that not everything was kosher. In layman’s terms, the apps required users to “jailbreak” the phones and circumvent a device’s built-in security restrictions. But that was not all – the apps also required users to have physical access to someone else’s phone without their knowledge in order to install the apps. In the base case scenario, claims Retina-X, this was for parents to install these monitoring apps on their children’s phones. However, another scenario – and one that the FTC suggests was much more likely – is that a jealous spouse might install this app on a former lover’s phone in order to track his or her whereabouts, or a stalker might use this to track a phone and follow a victim from place to place.
Illegal and dangerous applications
Moreover, the apps were designed to encourage this type of illegal and dangerous behavior. The app developer even went so far as to provide instructions on how to keep the logo of the app from appearing anywhere on the phone. That way, even if a user suspected that his or her phone was running a bit slower than normal, or that the battery life was suddenly much worse than usual, there would be no way to uncover the fact that monitoring apps had been installed on the phone. Simply put, these apps were designed to run surreptitiously in the background, without the knowledge of the user. Meanwhile, someone else could view a user’s entire browser history.
And, as if that were not bad enough, the app developer was apparently also in violation of the Children’s Online Privacy Protection Act (COPPA), which sets up very tight and rigid guidelines for how personal information of young minors (age 13 and under) can be collected, analyzed and stored. If Retina-X ever plans to sell another of its monitoring apps, it will have to prove to the FTC that it is no longer in violation of COPPA, and that the apps will only be used for legitimate purposes.
Data breaches and security nightmares
In addition, Retina-X will have to prove to the FTC that it has cleaned up its data security practices. That’s because hackers twice accessed the cloud storage account of these apps in 2017 and 2018. These hackers were able to access a full range of personal information, including login usernames, encrypted login passwords, text messages, GPS locations, contact lists and photos. It’s bad enough when even a single “stalker” can access this information – but just imagine how bad it is when large numbers of people might be able to buy this kind of information on the Dark Web. Suddenly, it might be the case that complete strangers are stalking young children. With that in mind, the decision by the FTC to make an example of Retina-X could not have come any sooner. This rogue app developer was in violation of both the FTC Act (which prohibits unfair and deceptive practices) and COPPA.
Cracking down on stalkerware
The only problem, of course, is that Retina-X is hardly the only seller of monitoring apps to track a phone and all of its online activities. According to a 2018 study from Cornell University, there are dozens of stalkerware tools and monitoring apps available in the App Store. It might not be easy to spot them, however, because they do not advertise themselves as “stalker apps.” Instead, these monitoring apps masquerade as “child safety” or “anti-theft” apps.
Hopefully, the FTC case against Retina-X will lead to a further government crackdown on these monitoring apps and greater public awareness of just how dangerous these apps could be. While there may be some legitimate reasons why parents would want to monitor their children, any developer that requires you to jailbreak a phone and then install an app that has been designed specifically to run surreptitiously in the background is going to be in a lot of trouble going forward with the U.S. government.