
Stalkerware: An Overlooked Harm Draws the Attention of the FTC

Categories: Cybersecurity, Reports, Privacy

The Stalking Prevention Awareness & Resource Center estimates that 1.5 million Americans are stalked through some form of technology every year. The term “stalkerware” has emerged to describe a particularly malicious type of software that can be used to secretly spy on someone’s device while remaining hidden in the background or disguised as something more mundane, like a calendar app. This growing collection of apps can include features like keylogging, call recording, photo and video access, social media monitoring, and remote control of a phone’s camera. The most common use of stalkerware is surreptitious location tracking via device GPS data.

Stalkerware is often used in abusive relationships to spy on an intimate partner, which can facilitate domestic violence. The problem is pervasive. The National Network to End Domestic Violence found that half of victim service providers report that perpetrators use phone apps to stalk their partners. In addition to the privacy invasion inherent in the software’s installation, the companies that develop these apps often have poor cybersecurity practices, which has led to data leaks that expose the sensitive phone data of people who were unaware their information was being collected at all.

Despite the privacy infringement and abuse that stalkerware enables, the creation and use of these apps have been sparsely prosecuted. Under federal wiretapping laws, it is illegal to sell spy software that is “primarily” meant to record private conversations, but many of these surveillance apps market themselves as legitimate services for monitoring children’s internet access or employees’ use of work devices. This stated purpose allows developers to plausibly deny that their “primary” goal is non-consensual surveillance. Consequently, only two stalkerware developers faced federal penalties between 2014 and 2019. Likewise, although using these apps to stalk others is also illegal, U.S. Attorney’s Offices prosecuted only 41 cases of cyberstalking between 2012 and 2016. This latter category of under-prosecution has been blamed on multiple factors, including low awareness of stalkerware and a lack of police technical expertise.

In 2019, the FTC brought its first case against a stalkerware developer. The company, Retina-X, had developed and advertised the apps MobileSpy, PhoneSheriff, and TeenShield as child device monitoring tools but engaged in a number of dubious practices, including requiring purchasers to bypass device manufacturer restrictions, providing purchasers with instructions on how to remove the app’s icon from the phone’s screen, and failing to implement reasonable security measures, which ultimately led to multiple data breaches. The FTC settlement banned Retina-X from selling spyware until it made changes that would ensure its apps were only being used for legitimate purposes.

Last month, the FTC brought its second case against a stalkerware developer—but with noticeably more force. The company, SpyFone, much like Retina-X, had developed stalkerware that bypassed device manufacturer restrictions, hid its app from the device owner, and endured multiple security breaches. This time, a unanimous FTC action resulted in a settlement that permanently banned SpyFone and its CEO, Scott Zuckerman, from “licensing, advertising, marketing, promoting, distributing, or offering for sale” any monitoring products or services. Additionally, FTC Commissioner Rohit Chopra released a separate statement about the case that encouraged stronger action against stalkerware developers in the future:

“While this action was worthwhile, I am concerned that the FTC will be unable to meaningfully crack down on the underworld of stalking apps using our civil enforcement authorities. I hope that federal and state enforcers examine the applicability of criminal laws, including the Computer Fraud and Abuse Act, the Wiretap Act, and other criminal laws, to combat illegal surveillance, including the use of stalkerware.”

As the FTC has signaled a more aggressive pursuit of stalkerware developers, industry players have also begun to respond to the threat. For example, Google announced an official ban of stalkerware apps from the Play Store, requiring that all surveillance apps display persistent notifications while running and clearly inform users that their phone usage is being tracked. Although these measures may help reduce stalkerware’s prevalence in the market, it will be impossible to eliminate malicious software entirely. Individual awareness of the threat is another crucial piece of the solution to this problem, and several major publications have published tips that can help people detect and address stalkerware on their own devices.