{"id":16720,"date":"2019-10-29T09:10:02","date_gmt":"2019-10-29T17:10:02","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/10\/29\/news-10459\/"},"modified":"2019-10-29T09:10:02","modified_gmt":"2019-10-29T17:10:02","slug":"news-10459","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/10\/29\/news-10459\/","title":{"rendered":"Stalkerware developer dealt new blow by FTC"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Tue, 29 Oct 2019 15:56:37 +0000<\/strong><\/p>\n

Last week, the US Federal Trade Commission (FTC) interpreted its broad consumer protection mandate to file a first-of-its-kind enforcement action against the developer of three mobile stalkerware applications. The developer was banned from further selling the apps unless significant changes were made in design and functionality. <\/p>\n

The FTC\u2019s required changes address notification procedures and language, built-in mobile device security, written consent, and proper cybersecurity documentation and policies. <\/p>\n

Together, the requirements potentially create the first set of \u201cstandards\u201d for what an app must include if it has features that can monitor another user\u2019s device. However, the potential impact of those requirements\u2014which do not apply to any other current stalkerware developers\u2014remains in question. <\/p>\n

Two anti-stalker advocates\u2014Erica Olsen, who leads the National Network to End Domestic Violence\u2019s Safety Net program, and Eva Galperin, cybersecurity director at Electronic Frontier Foundation\u2014welcomed news of the FTC case, though to varying degrees. <\/p>\n

\u201cI absolutely think this is exciting, and it\u2019s needed, and it\u2019s an important precedent to set,\u201d Olsen said, adding that the FTC\u2019s case is just a first step, and that extra work is needed to hold stalkerware makers and abusers fully accountable.<\/p>\n

In speaking with Business Insider<\/a>, Galperin worried about what the FTC actually targeted. <\/p>\n

\u201cI\u2019ll take what I can get,\u201d Galperin said. \u201cThe basis of the [FTC\u2019s] action is not that [the stalkerware developer] is making stalkerware, it\u2019s that they\u2019re not making secure<\/em> stalkerware.\u201d <\/p>\n

The FTC investigation <\/strong><\/h3>\n

On October 22, the FTC announced<\/a> that an investigation into the Florida-based company Retina-X Studios LLC and its owner, James N. Johns Jr., produced several alleged violations of both the Children\u2019s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act (FTCA), which prohibits companies from deceiving their customers. <\/p>\n

In comments at a media briefing the same day<\/a>, FTC Bureau of Consumer Protection Director Andrew Smith said that Retina-X\u2019s three apps\u2014MobileSpy, Phone Sheriff, and TeenSafe\u2014 \u201callowed purchasers to surreptitiously monitor almost everything on the mobile devices on which they were installed, all without the knowledge or permission of the mobile device\u2019s user.\u201d<\/p>\n

The three apps, which have been featured in Motherboard\u2019s series \u201cWhen Spies Come Home<\/a>\u201d and in Malwarebytes Labs\u2019 own reporting<\/a>, allowed users to spy on another user\u2019s device, granting them access to text messages, emails, phone calls and logs, GPS location data, and web browser activity. These apps, and others with similar features, have become a prominent hallmark in domestic abuse relationships. They are a serious threat to users everywhere. <\/p>\n

According to an FTC spokesperson, the Commission recognized this threat. <\/p>\n

\u201cThe FTC is always looking to protect consumers, and most especially vulnerable populations,\u201d the spokesperson said. \u201cWe understand that consumers have a growing reliance on technology, and its misuse can cause new forms of abuse and be used as a tool to amplify harms, including in domestic violence situations.\u201d<\/p>\n

The FTC alleged that Retina-X and Johns Jr. failed users in several ways. <\/p>\n

Retina-X allegedly failed to protect the data it was collecting, which included \u201cGPS locations, text messages and other personal information from children.\u201d Retina-X also allegedly allowed app purchasers to \u201caccess sensitive information about device users, including the user\u2019s physical movements and online activities.\u201d <\/p>\n

The FTC also criticized Retina-X because, for its apps to be installed on a device, that device first had to be jailbroken or rooted, a process which the FTC said \u201cexposed the devices to security vulnerabilities and likely invalidated manufacturer warranties.\u201d<\/p>\n

Further, the FTC called out Retina-X for its supposed privacy promise to users. Though the company told app purchasers that their \u201cprivate information is safe with us,\u201d Retina-X actually suffered two data breaches. Worse, the FTC said that Retina-X did not learn about the 2017 breach until a journalist with Vice contacted the company<\/a>, having received a tip from the hacker themselves. <\/p>\n

In 2018, nearly the exact same scenario happened again<\/a>. Following the second breach, Retina-X shut down its apps \u201cindefinitely.\u201d<\/a> <\/p>\n

According to the FTC and Vice, the hacker accessed login names, encrypted login passwords, text messages, GPS locations, contacts, and photos. <\/p>\n

In recent years, the FTC has shown large interest in trying to protect consumers harmed by company data breaches. <\/p>\n

In 2017, the FTC reached a settlement with Uber, after an investigation found that the ride-hailing company failed to prevent unauthorized access to a cloud server storing sensitive consumer data<\/a>. This year, the Commission reached a settlement with Equifax<\/a> over the credit reporting agency\u2019s 2017 data breach that affected 147 million Americans. <\/p>\n

Along the way, the FTC has also provided guidance to consumers affected by the Marriot data breach<\/a> and the more recent Capital One data breach<\/a>. <\/p>\n

An FTC spokesperson declined to comment on the origins of the investigation. <\/p>\n

\u201cFTC investigations are nonpublic so we don\u2019t discuss why we started a particular investigation,\u201d the spokesperson said. <\/p>\n

The Retina-X consent order<\/strong><\/h3>\n

Though the FTC cannot issue monetary fees for first-time offenders of the Federal Trade Commission Act, it can try to curb deceptive and dangerous behavior by getting companies and individuals to sign \u201cconsent orders.\u201d If any party that has signed a consent order then violates that order in the future, the FTC can then issue monetary penalties. <\/p>\n

The consent order presented to Retina-X and Johns Jr. has already been signed. It includes permanent rules that Retina-X and Johns Jr. must comply with should they ever try to engage in \u201cpromoting, selling, or distributing\u201d any software application, program, or code that can be installed by one users onto another user\u2019s device to track their activity. <\/p>\n

To start, Retina-X and Johns Jr. cannot work on any monitoring app that would require a user to jailbreak or root or otherwise circumvent the built-in security of an end-user\u2019s device. Retina-X and Johns Jr. also must ensure that any monitoring app they work on requires \u201cwritten attestation\u201d from its users that they will use the app for \u201clegitimate and lawful\u201d purposes. <\/p>\n

According to the FTC, \u201clegitimate and lawful\u201d purposes for a monitoring app includes only<\/em> the following:<\/p>\n