The FTC and Cyberspy, the purveyor of the Remotespy stalkerware program, recently settled a case over the sale and distribution of that spyware program. [UPDATE: The FTC press release is here]. The settlement limits the Trojan-like features of the software, and forbids Cyberspy from training its users in how to use the software to infect other people’s PCs. Importantly, the settlement also forces Cyberspy to disable the monitoring in all current installations. However, Cyberspy will be able to keep selling the modified Remotespy software. The settlement is available from the court website, and has not yet been posted to the FTC’s page on the case. [UPDATE: The settlement is now available on the FTC website.]
The FTC filed the case in 2008 following a complaint from EPIC. The EPIC complaint detailed several practices by providers of stalkerware, including Cyberspy. The complaint noted that:
these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.
The FTC followed up on that complaint and investigated Cyberspy. In its filing, the FTC alleged that Cyberspy engaged in several unfair and deceptive trade practices:
- Unfair Sale of Spyware
- Unfair Collection and Disclosure of Consumer’s Personal Information
- Providing the Means and Instrumentalities to Install Spyware and Access Consumer’s Personal Information
- Providing the Means and Instrumentalities to Engage in Deception
Cyberspy provided the Remotespy program via its website. There were several indications that the software was not a legitimate monitoring tool, but was instead a harmful and malicious product. The Remotespy program functioned as a keylogger, making a record of every key typed. It also regularly took screenshots of the victim’s PC. Cyberspy taught users how to disguise the software as an innocuous email attachment to be sent to the victim. Once the software was installed, the victim received no notice of it. The software sent the captured information — without encryption — from the victim’s machine to Cyberspy’s servers. The purchaser could then log in to Cyberspy’s website and view the information. Cyberspy would organize the information for the snoop, including identifying websites visited and the username/password pairs the victim used to access those sites.
The settlement prohibits several key activities. Cyberspy can no longer teach the purchaser about disguising the software. This includes counseling them on how to hide the executable as an innocuous image or in a Word file, and it bars Cyberspy from recommending the use of an anonymous email service. Further, the software can no longer function as a Trojan horse unless the purchaser shows they have administrative access to the machine. Without administrative access, the software has to function more like a normal program: showing a splash screen upon installation and installing desktop and taskbar icons. These must have branding and naming similar to that used to sell the software. The purchaser must also receive notices that only a computer’s owner, or someone with the owner’s permission, may use the program. These notices must appear on the Remotespy website, when the software is purchased, and when the remote deployment is configured. Cyberspy also has to control more tightly the reinstallation of its product — apparently the FTC believed that Cyberspy wasn’t enforcing its licenses, and was thereby allowing more victimization. Cyberspy will also have to encrypt, or otherwise render unreadable, the data that it collects. Previous versions of the software transmitted this sensitive information without any encryption. Lastly, Cyberspy and its affiliates can no longer sell old versions of the software, and existing installations must be disabled.
Some matters still remain. The software is still being marketed as being able to “spy” — which is not how a legitimate monitoring tool would be marketed. The software still organizes the data in a way that would be useful to someone engaged in harvesting passwords. The order is silent on how the software interacts with anti-spyware tools and firewalls. A legitimate user of a computer thus would have no way of knowing whether Remotespy is on their machine, and no guarantee that an anti-spyware tool would block it.