District Court Halts Sales of Keylogger Software
By Jim Milkey – Edited by Nicola Carah
FTC v. CyberSpy Software, LLC, November 6, 2008, 6:08-cv-1872
[Correction: Originally, this post erroneously indicated Judge Presnell upheld the TRO described below in a November 17th hearing. In actuality, the TRO was granted on November 6th, and a hearing on the matter occurred on November 24th. The preliminary injunction order resulting from the Nov. 24th hearing is detailed in our case update.]
On November 6th, Judge Gregory Presnell of the United States District Court for the Middle District of Florida granted the Federal Trade Commission’s request for a temporary restraining order prohibiting the sale of CyberSpy Software’s RemoteSpy keylogger software.
The order prohibits CyberSpy from marketing, selling, and providing support for its RemoteSpy software. RemoteSpy is designed to remotely monitor a host computer and record information such as keystrokes, visited websites, and opened documents. According to the FTC’s press release, CyberSpy allegedly violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive trade practices. Specifically, the FTC alleges that CyberSpy violated the Act by marketing and selling “software that could be: (1) deployed remotely by someone other than the owner or authorized user of a computer; (2) installed without the knowledge and consent of the owner or authorized user; and (3) used to surreptitiously collect and disclose personal information.” The complaint also alleges that CyberSpy unfairly disclosed the collected information to its clients. Both CyberSpy and its CEO, Tracer Spence, are listed as defendants in the complaint.
Both the complaint filed by the FTC and the TRO are available at the FTC website.
Ryan Singel of Wired notes that this case marks the first time that the FTC has targeted the amateur spyware market. He speculates that the case will likely turn on evidence that CyberSpy marketed its product to be used in situations where the victim was unaware of potential monitoring. Joel Hruska of Ars Technica notes that “numerous tutorials and ‘how-to’s’ were included with RemoteSpy, including information on disguising the payload in order to maximize the chance of infection.” The same article goes on to suggest that the FTC should have been more responsive in filing the complaint, since RemoteSpy has been available to consumers since August 2005.
Graham Cluley points out that keylogger software such as RemoteSpy can be used for a wide variety of purposes, from protective child monitoring to identity theft, and that the final outcome of the CyberSpy case could have serious implications for sellers of “legitimate” spyware.