A software company can’t sell “stalking” apps that monitor devices unless it ensures they’re only used for legitimate purposes, the Federal Trade Commission said in the agency’s first action against stalkerware.
The commission Oct. 22 said it reached a proposed settlement with software manufacturer Retina-X Studios LLC and its owner, James N. Johns, Jr., to resolve claims that the company’s products compromised consumers’ privacy and the security of devices on which the apps were installed. The company sold subscriptions to three apps before it stopped selling them in 2018, the FTC said.
The proposed settlement is a “sign that the FTC is concerned about surreptitious monitoring and failure to make disclosures,” Michelle Cohen, a partner and head of Ifrah Law PLLC’s privacy and data security practice, said.
Andrew Smith, director of the FTC’s consumer protection bureau, said the agreement is the agency’s first action against “a so-called ‘stalking app.’” Such apps, known as stalkerware, can monitor users’ movements and activities on their devices.
“Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses,” Smith said.
Retina-X and Johns allegedly violated the FTC Act, which prohibits unfair and deceptive practices, as well as the Children’s Online Privacy Protection Act, the commission said.
The company said, in a March 2018 note on its website, that it was the victim of “repeated illegal hackings.” Richard Newman, an attorney at Hinch Newman LLP who represents Retina-X and Johns, thanked the FTC “for its professionalism during the course of the investigation,” in an emailed statement when reached for comment on the proposed settlement.
Sending a Message
Retina-X and Johns developed three apps that let purchasers monitor mobile devices without device users’ knowledge or permission, the FTC alleged. App purchasers often had to circumvent device restrictions to install the apps, which can expose devices to security vulnerabilities, among other allegations, the commission said.
The company and its owner failed to take steps to make sure the app purchasers would use the monitoring products for legitimate purposes, the FTC said.
As part of the proposed settlement, Retina-X and Johns must ask app purchasers to attest in writing that they’ll use the app for “legitimate and lawful purposes.” Those might include a parent monitoring a minor child, an employer monitoring an employee who’s expressly consented to being monitored, or an adult monitoring another adult who’s given consent, it said.
Retina-X and Johns must delete data already collected from the apps, under the proposed settlement. They’re barred from promoting or selling any monitoring app that requires bypassing security protections for installation, unless there are steps to ensure the app is being used for legitimate reasons, the FTC said.
Johns and the company also must implement a comprehensive information security program, obtain third-party assessments of that program every two years, and have a senior corporate manager certify compliance with the order annually, under the proposed settlement.
The agreement sends a message to all businesses, including those considering developing monitoring products, that they have an obligation to safeguard the information they collect, Democratic FTC Commissioner Rebecca Kelly Slaughter said in a call with reporters. That’s especially important when collecting sensitive information and data from children, she said.
‘Clear and Transparent’
Morgan Reed, president of Washington-based ACT | The App Association, said developers need to clearly tell users how they’re using their information, whether it be to improve the product, deliver analytics, or send targeted ads.
“It’s important for developers to be clear and transparent about what their app is about and what it does with consumer data,” he said.
Attorneys also say the settlement should deter companies from selling spyware to monitor consumers’ activities without their knowledge.
“There’s no justification for stalkerware to be on the market,” Carrie Goldberg, founder of victims’ rights law firm C.A. Goldberg PLLC, said in an email. “Thanks to these products my clients’ current and ex-boyfriends have been able to monitor their whereabouts and online activity, obtain passwords, hijack social media accounts, impersonate them, and even send naked pictures in their name and frame them for distribution of child pornography.
“Nobody should be monetizing products that exist primarily to hurt,” she added.