Complaint Against Amateur Spyware Purveyors Filed

Today my project at EPIC filed a complaint before the Federal Trade Commission against several purveyors of amateur spyware. I’ve previously blogged about the uses of spyware to intercept the communications of spouses.

The complaint alleges unfair and deceptive practices by these companies. Specifically, these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

[Image: example of the marketing, Remote Spy]

There are many more examples of the marketing in the complaint.

The FTC does pay attention to spyware. But this is a new beast for them to take on. I suspect that software like this is used in many situations of abuse, but that it goes relatively undetected, unpunished and in general unreported. Undetected because people do not know to look for it. Unpunished because it is difficult to get an otherwise busy police force to focus on the computer forensics needed to effectively prosecute. And unreported because there really is not much data collection going on with these products. We have inklings that the problem is growing, but not much hard data. I hope this also spurs more organizing around this topic and we get a better sense of the malicious uses of this software.

I suspect this is a growing industry, and there will soon be malicious payloads being offered for delivery to your target’s cell phones, iPhones, and other devices, not just PCs. Let’s hope the FTC moves and nips it in the bud.

Posted: March 6, 2008

Spier Sues Spy Software Maker

I would guess that there are several companies in the business of selling what is basically “over the counter” or consumer grade spyware for the beginner level user. Depending on how this suit turns out, they will have to start being careful about how they promote their wares, and how they instruct their customers in using them:

Caught Snooping, Husband Sues Spy Software Vendor
By Ryan Singel

An Ohio man facing a lawsuit from his wife’s friend for intercepting her emails using spyware on a household computer filed suit Friday against the spyware maker, arguing the company’s ads failed to warn him that using it to monitor his family, including his wife, would violate state and federal laws.

As I previously blogged, intercepting communications can expose you to large civil liabilities.

Posted: September 23, 2007

NYT on Digital Evidence and Divorce

A friend emailed this NYT article:

Tell-All PCs and Phones Transforming Divorce
The age-old business of breaking up has taken a decidedly Orwellian turn, with digital evidence like e-mail messages, traces of Web site visits and mobile telephone records now permeating many contentious divorce cases.

Spurned lovers steal each other’s BlackBerrys. Suspicious spouses hack into each other’s e-mail accounts. They load surveillance software onto the family PC, sometimes discovering shocking infidelities.

The article also mentions using GPS to track a spouse; the ethical issues some spouses have when they decide to spy; and how the person spied upon can find it “particularly disturbing.”

In the legal issues, though, the article seems to be lacking. The only consideration is the admissibility of the evidence: whether it can be seen by the divorce court. Furthermore, the entire article seems to gloss over the difference between the use of electronic evidence gained via discovery — the legitimate, court-supervised method of gaining records from the other side — and the surreptitious access to information that is the use of spyware and unauthorized access to devices.

The legal issues are serious. The Electronic Communications Privacy Act (ECPA) governs interception of electronic communications. Intercepting an electronic communication can land you in jail for five years. 18 USC 2511(4). You can also be sued civilly, being responsible for attorney’s fees and minimum damages of $10,000. Besides interception, accessing stored communications is regulated by the Stored Communications Act. Accessing someone’s stored communications can be punished by up to a year in jail. 18 USC 2702. And it can also expose you to suits of a minimum of $1000 plus attorney’s fees. 18 USC 2707.

But under both of these, the issues can get tricky if the computer is shared between people, or if people have previously shared their passwords with each other. It’s no surprise that a reporter talking to divorce lawyers didn’t go into wiretap laws. But at least they should not have mixed up the very legitimate accessing of stored information during a lawsuit with spousal espionage and stalking.

Posted: September 17, 2007