Last week, the US Federal Trade Commission (FTC) interpreted its broad consumer protection mandate to file a first-of-its-kind enforcement action against the developer of three mobile stalkerware applications. The developer was banned from further selling the apps unless significant changes were made in design and functionality.

The FTC’s required changes address notification procedures and language, built-in mobile device security, written consent, and proper cybersecurity documentation and policies.

Together, the requirements potentially create the first set of “standards” for what an app must include if it has features that can monitor another user’s device. However, the potential impact of those requirements—which do not apply to any other current stalkerware developers—remains in question.

Two anti-stalker advocates—Erica Olsen, who leads the National Network to End Domestic Violence’s Safety Net program, and Eva Galperin, cybersecurity director at Electronic Frontier Foundation—welcomed news of the FTC case, though to varying degrees.

“I absolutely think this is exciting, and it’s needed, and it’s an important precedent to set,” Olsen said, adding that the FTC’s case is just a first step, and that extra work is needed to hold stalkerware makers and abusers fully accountable.

In speaking with Business Insider, Galperin worried about what the FTC actually targeted.

“I’ll take what I can get,” Galperin said. “The basis of the [FTC’s] action is not that [the stalkerware developer] is making stalkerware, it’s that they’re not making secure stalkerware.”

The FTC investigation

On October 22, the FTC announced that an investigation into the Florida-based company Retina-X Studios LLC and its owner, James N. Johns Jr., produced several alleged violations of both the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act (FTCA), which prohibits companies from deceiving their customers.

In comments at a media briefing the same day, FTC Bureau of Consumer Protection Director Andrew Smith said that Retina-X’s three apps—MobileSpy, Phone Sheriff, and TeenSafe— “allowed purchasers to surreptitiously monitor almost everything on the mobile devices on which they were installed, all without the knowledge or permission of the mobile device’s user.”

The three apps, which have been featured in Motherboard’s series “When Spies Come Home” and in Malwarebytes Labs’ own reporting, allowed users to spy on another user’s device, granting them access to text messages, emails, phone calls and logs, GPS location data, and web browser activity. These apps, and others with similar features, have become a prominent hallmark in domestic abuse relationships. They are a serious threat to users everywhere.

According to an FTC spokesperson, the Commission recognized this threat.

“The FTC is always looking to protect consumers, and most especially vulnerable populations,” the spokesperson said. “We understand that consumers have a growing reliance on technology, and its misuse can cause new forms of abuse and be used as a tool to amplify harms, including in domestic violence situations.”

The FTC alleged that Retina-X and Johns Jr. failed users in several ways.

Retina-X allegedly failed to protect the data it was collecting, which included “GPS locations, text messages and other personal information from children.” Retina-X also allegedly allowed app purchasers to “access sensitive information about device users, including the user’s physical movements and online activities.”

The FTC also criticized Retina-X because, for its apps to be installed on a device, that device first had to be jailbroken or rooted, a process which the FTC said “exposed the devices to security vulnerabilities and likely invalidated manufacturer warranties.”

Further, the FTC called out Retina-X for its supposed privacy promise to users. Though the company told app purchasers that their “private information is safe with us,” Retina-X actually suffered two data breaches. Worse, the FTC said that Retina-X did not learn about the 2017 breach until a journalist with Vice contacted the company, having received a tip from the hacker themselves.

In 2018, nearly the exact same scenario happened again. Following the second breach, Retina-X shut down its apps “indefinitely.”

According to the FTC and Vice, the hacker accessed login names, encrypted login passwords, text messages, GPS locations, contacts, and photos.

In recent years, the FTC has shown large interest in trying to protect consumers harmed by company data breaches.

In 2017, the FTC reached a settlement with Uber, after an investigation found that the ride-hailing company failed to prevent unauthorized access to a cloud server storing sensitive consumer data. This year, the Commission reached a settlement with Equifax over the credit reporting agency’s 2017 data breach that affected 147 million Americans.

Along the way, the FTC has also provided guidance to consumers affected by the Marriot data breach and the more recent Capital One data breach.

An FTC spokesperson declined to comment on the origins of the investigation.

“FTC investigations are nonpublic so we don’t discuss why we started a particular investigation,” the spokesperson said.

The Retina-X consent order

Though the FTC cannot issue monetary fees for first-time offenders of the Federal Trade Commission Act, it can try to curb deceptive and dangerous behavior by getting companies and individuals to sign “consent orders.” If any party that has signed a consent order then violates that order in the future, the FTC can then issue monetary penalties.

The consent order presented to Retina-X and Johns Jr. has already been signed. It includes permanent rules that Retina-X and Johns Jr. must comply with should they ever try to engage in “promoting, selling, or distributing” any software application, program, or code that can be installed by one users onto another user’s device to track their activity.

To start, Retina-X and Johns Jr. cannot work on any monitoring app that would require a user to jailbreak or root or otherwise circumvent the built-in security of an end-user’s device. Retina-X and Johns Jr. also must ensure that any monitoring app they work on requires “written attestation” from its users that they will use the app for “legitimate and lawful” purposes.

According to the FTC, “legitimate and lawful” purposes for a monitoring app includes only the following:

  • Parent monitoring a minor child
  • Employer monitoring an employee who has provided express written consent to being monitored
  • Adult monitoring another adult who has provided express written consent to being monitored

Further, any app that Retina-X and Johns Jr. work on cannot give users the option to hide the app’s icon from an end-user’s device screen.

The FTC further stated that end-users should be able to “click” an app icon to reach a page that clearly and conspicuously tells the user the name of the app, its functions, that it is present and running on the end-user’s device, and information on how to contact the apps’ representatives in case of wrongful installation.

NNEDV’s Olsen spoke positively about the new notification requirements.

“We’re big on notifications,” Olsen said. “It’s not that there’s not a time and a place and use for certain types of monitoring apps, but the way these (MobileSpy, Phone Sheriff, TeenSafe) were obviously developed were clearly for a misuse, so, I think this is a great precedent.”

Olsen said that the FTC contacted NNEDV weeks before its public announcement, and that the commission and the organization worked together to develop shared images and language.

Olsen also said that, following communication with the FTC, NNEDV updated its own pages on stalkerware and spyware, including one resource on “Phone Surveillance & Safety for Survivors,” and another on “Computer Surveillance & Safety for Survivors.”

“This space is always changing a bit,” Olsen said, “so we tried to make sure that, when we’re connecting with people, we’re verifying and understanding the tech as much as possible.”

Data destruction and reporting requirements

The majority of the FTC’s remaining rules in its consent order focus on data collection, cybersecurity, and reporting protocols.

Should any monitoring app that Retina-X and Johns Jr. work on have an associated website, that website must have a home page that clearly states that the app can only be used for “legitimate and lawful” purposes. An additional, similar notice must be provided on any “purchase page” for users who buy any such monitoring app, otherwise the purchase cannot be allowed.

Further, Retina-X and Johns Jr. must, within 120 days, “destroy all Personal Information collected from a Monitoring Product or Service prior to entry” of the consent order.

Retina-X and Johns Jr. must also implement an information security program and obtain third party assessments every two years of that information security program. Retina-X and Johns Jr. must also provide annual certifications to the FTC that show whatever monitoring product they work on is in compliance with the consent order. Also, the two must report to the FTC “covered incidents,” like data breaches that already have notification requirements for every state, within 10 days of discovery.

Finally, if Retina-X and Johns Jr. decide to continue their business, or start a new one, a “compliance report” must be submitted to the FTC in one year detailing the primary physical, postal, and email addresses, and telephone numbers, of any business operations. For the next 10 years, Retina-X and Johns Jr. must report to the FTC, within 14 days, any changes to business names and residence address, any creation, merger, or sale of the business or its subsidiaries, and, for Johns Jr. specifically, any changes to his title or role.

A new front against stalkerware?

Not since 2014 has a stalkerware developer faced federal enforcement against their actions. That year, the FBI indicted a man for allegedly conspiring to sell and advertise the stalkerware app “Stealth Genie.” Months later, a US District judge ordered the permanent stop to the advertising, marketing, or sale of the app.  

At last week’s media briefing, FTC Bureau of Consumer Protection Director Smith said that, though the Commission’s actions against Retina-X were the first against a stalking app developer, they may not be the last.

“Although there may be legitimate reasons to track a phone, [Retina-X’s] apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses,” Smith said. “Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.”

Olsen said that the FTC’s work in this area is just one piece of a much larger puzzle.

“What needs to happen is, there needs to be continued conversation on whether there are gaps in federal law and state law that would prevent these apps from being developed in the first place, or to hold people accountable after,” Olsen said. “There is still a lack of civil remedies for people to go after companies on these things.”

More so, Olsen explained that a multi-pronged approach is required in better stopping stalkerware. That includes better educating and equipping local law enforcement to find and detect stalkerware on mobile devices, she said.

Overall, the FTC’s new front appears to be a welcome one. However, the effort against stalkerware continues.

“It’s three apps, and there are hundreds more,” Olsen said. “There’s still a lot of work that needs to be done.”

If you or a loved one are the victim of domestic abuse, remember that you can call the National Domestic Violence Hotline at 1-800-799-7233, or can visit their website from a safe device at thehotline.org.