FTC upholds ban on stalkerware founder Scott Zuckerman

A stalkerware shaper who was banned from the surveillance manufacture aft a information breach that exposed the idiosyncratic accusation of its customers, arsenic good arsenic the radical they were spying on, volition not beryllium capable to spell backmost to selling the invasive software, according the U.S. Federal Trade Commission.

The FTC denied a petition to cancel that prohibition made by Scott Zuckerman, the laminitis of user spyware institution Support King and its subsidiaries SpyFone and OneClickMonitor. 

On Monday, the FTC announced the denial successful a property release aft Zuckerman petitioned the national watchdog to rescind oregon modify the prohibition bid successful July of this year. 

In 2021, the FTC banned Zuckerman from “offering, promoting, selling, oregon advertizing immoderate surveillance app, service, oregon business,” efficaciously preventing him from moving different stalkerware business. The bureau besides ordered Zuckerman to delete each the information collected by SpyFone, arsenic good arsenic to acquisition predominant audits and found definite cybersecurity practices for his businesses. 

“SpyFone is simply a brazen marque sanction for a surveillance concern that helped stalkers bargain backstage information,” said Samuel Levine, past acting manager of the FTC’s Bureau of Consumer Protection. “The stalkerware was hidden from instrumentality owners, but was afloat exposed to hackers who exploited the company’s slipshod security.”

In his petition, Zuckerman claimed that the FTC order’s information requirements person made it harder for him to tally his different businesses owed to fiscal costs, contempt the information that Support King is nary longer successful cognition and helium present lone runs a edifice and plans different “tourism ventures” successful Puerto Rico, according to the petition. 

When reached via email, Zuckerman declined to remark and referred questions to his lawyer.

The FTC prohibition stemmed from an incidental successful 2018, erstwhile a information researcher recovered an Amazon S3 bucket belonging to SpyFone that near highly delicate information — including selfies, substance messages, chat app messages, audio recordings, contacts, location, hashed passwords and logins, and much — exposed online for anyone to spot and access.

The exposed information included 44,109 unsocial email addresses and, according to the researcher who recovered the breach, “at slightest 2,208 existent ‘customers’ and hundreds oregon thousands of photos and audio successful each folder” from 3,666 phones that had the SpyFone stalkerware installed connected them.

Less than a twelvemonth aft the 2021 FTC order, TechCrunch reported that Zuckerman appeared to beryllium moving different stalkerware company. In 2022, TechCrunch received a trove of breached information from stalkerware app SpyTrac. The information revealed that SpyTrac was tally by freelance developers with nonstop ties to Support King, successful what appeared to beryllium an effort to circumvent the FTC’s ban. Furthermore, the breached information included records from SpyFone, which Zuckerman was ordered to delete, and keys to entree the unreality retention of OneClickMonitor, different 1 of his stalkerware apps. 

Eva Galperin, a salient adept connected stalkerware, celebrated the news. “Mr. Zuckerman was intelligibly hoping that if helium laid debased for a fewer years, everyone would hide astir the reasons wherefore the FTC issued a prohibition not lone against the company, but against him specifically,” Galperin told TechCrunch. 

TechCrunch’s revelation successful 2022 that Zukerman seemingly violated the FTC ban, “suggests that Zuckerman did not larn his lesson,” added Galperin, who is the manager of cybersecurity astatine the integer rights nonprofit Electronic Frontier Foundation.

Stalkerware apps let their customers to surreptitiously spy connected the phones and devices of their loved ones. In summation to enabling perchance amerciable activities, for the past 8 years, determination person been astatine slightest 26 stalkerware companies that person been hacked oregon near delicate information exposed online, according to TechCrunch’s tally. These repeated incidents amusement these companies person repeatedly failed to support the privateness of their customers, arsenic good arsenic the radical they spy on.