District Court Halts Sales of Keylogger Software
By Jim Milkey – Edited by Nicola Carah
FTC v. CyberSpy Software, LLC, November 6, 2008, 6:08-cv-1872
[Correction: Originally, this post erroneously indicated Judge Presnell upheld the TRO described below in a November 17th hearing. In actuality, the TRO was granted on November 6th, and a hearing on the matter occurred on November 24th. The preliminary injunction order resulting from the Nov. 24th hearing is detailed in our case update.]
On November 6th, Judge Gregory Presnell of the United States District Court for the Middle District of Florida granted the Federal Trade Commission’s request for a temporary restraining order prohibiting the sale of CyberSpy Software’s RemoteSpy keylogger software.
The order prohibits CyberSpy from marketing, selling, and providing support for its RemoteSpy software. RemoteSpy is designed to remotely monitor a host computer and record information such as keystrokes, visited websites, and opened documents. According to the FTC’s press release, CyberSpy allegedly violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive trade practices. Specifically, the FTC alleges that CyberSpy violated the Act by marketing and selling “software that could be: (1) deployed remotely by someone other than the owner or authorized user of a computer; (2) installed without the knowledge and consent of the owner or authorized user; and (3) used to surreptitiously collect and disclose personal information.” The complaint also alleges that CyberSpy unfairly disclosed the collected information to its clients. Both CyberSpy and its CEO, Tracer Spence, are listed as defendants in the complaint.
Ryan Singel of Wired notes that this case marks the first time that the FTC has targeted the amateur spyware market. He speculates that the case will likely turn on evidence that CyberSpy marketed its product to be used in situations where the victim was unaware of potential monitoring. Joel Hruska of Ars technica notes that “numerous tutorials and ‘how-to’s’ were included with RemoteSpy, including information on disguising the payload in order to maximize the chance of infection.” The same article goes on to suggest that the FTC should have been more responsive in filing the complaint, since RemoteSpy has been available to consumers since August 2005.
Graham Cluley points out that keylogger software such as RemoteSpy can be used for a wide variety of purposes, from protective child monitoring to identity theft, and that the final outcome of the CyberSpy case could have serious implications for sellers of “legitimate” spyware.
In granting the TRO, the court issued findings that CyberSpy provided its customers “with instructions and examples for how to disguise the software as an innocuous file in order to send the software to another computer and trick the owner or authorized user of the computer into installing the software,” and that “[o]nce installed on a computer, the owner or authorized user of the computer [could not] readily locate or uninstall RemoteSpy on his own.” Further, it found that the operation of RemoteSpy would likely cause substantial harm, including “financial harm (including identity theft) and endangering the health and safety of consumers.” Finally, it determined that there was substantial likelihood that the FTC would succeed in proving that CyberSpy had violated the FTC Act.
In addition to prohibiting CyberSpy from selling or distributing any keylogger, the TRO also enjoined any person from collecting information from already deployed keyloggers, or from misrepresenting keyloggers as innocuous files. Further, the court enjoined the Defendants from sharing the information collected through its products to others outside of law enforcement. Finally, the Defendants were ordered to shut down their web site.
Update – 12/5
On November 24th, Judge Presnell presided over a hearing regarding the November 6th TRO. The court issued a preliminary injunction, which is significanty more limited than the original TRO.
The new order primarily enjoys CyberSpy from
promoting, selling, or distributing RemoteSpy, or its equivalent, by means of informing or suggesting to customers that it may be, or is intended to be, surreptitiously installed on a computer without the knowledge or consent of the computer’s owner including. . . instructions for disguising the name of the executable file that accomplishes the installation and/or recommendation of the use of a stealth email service for sending the executable file to the remote computer.
The ruling focuses on restricting the methods CyberSoftware may use to market or sell their product, but does allow the company to sell RemoteSpy once again.