FTC Settles Key Stalkerware Case [UPDATED]

The FTC and Cyberspy, the purveyor of the Remotespy stalkerware program, recently settled a case over the sale and distribution of that spyware program. [UPDATE: The FTC press release is here]. The settlement limits the Trojan-like features of the software, and forbids Cyberspy from training its users in how to use the software to infect other people’s PCs. Importantly, the settlement also forces Cyberspy to disable the monitoring in all current installations. However, Remotespy will be able to keep selling the modified software. The settlement is available from the court website, and has not yet been posted to the FTC’s page on the case. [UPDATE: The settlement is now available on the FTC website.]

Previous marketing for the Remotespy stalkerware program

The FTC filed the case in 2008 following a complaint from EPIC. The EPIC complaint detailed several practices by providers of stalkerware, including Cyberspy. The complaint noted that:

these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

The FTC followed up on that complaint, and investigated Cyberspy. In its filing, the FTC alleged that Cyberspy engaged in several unfair and deceptive trade practices:

  • Unfair Sale of Spyware
  • Unfair Collection and Disclosure of Consumer’s Personal Information
  • Providing the Means and Instrumentalities to Install Spyware and Access Consumer’s Personal Information
  • Providing the Means and Instrumentalities to Engage in Deception

Cyberspy provided the Remotespy program via its website. There were several indications that the software was not a legitimate monitoring tool, but was instead a harmful and malicious product. The Remotespy program functioned as a keylogger, making a record of every key typed. It also regularly took screenshots of the victim’s PC. Cyberspy taught users how to disguise the software as an innocuous email to be sent to the victim. Once the software was installed, the victim received no notice of it. The software sent the captured information — without encryption — from the victim’s machine to Cyberspy’s servers. The purchaser could then log in to Cyberspy’s website and view the information. Cyberspy would organize the information for the snoop, including identifying websites, and which username/password pairs the victim used to access those sites.

The settlement prohibits several key activities. Cyberspy can no longer teach the purchaser about disguising the software. This includes counseling them how to hide the executable as an innocuous image, or in a Word file, as well as barring Cyberspy from recommending the use of an anonymous email service. Further, the software can no longer function as a Trojan horse unless the purchaser shows they have administrative access to the machine. Without administrative access, the software has to function more like a normal program: showing a splash screen upon installation and installing desktop and taskbar icons. These must have branding and naming similar to that used to sell the software. The purchaser must also receive notices that only a computer owner or one with permission may use the program. These notices should appear on the Remotespy website, when the software is purchased, and when the remote deployment is configured. Cyberspy also has to control more tightly the reinstallation of its product — apparently the FTC believed that Cyberspy wasn’t enforcing its licenses, and was allowing more victimization. Cyberspy will also have to encrypt, or otherwise render unreadable, the data that it collects. Previous versions of the software transmitted this sensitive information without any encryption. Lastly, Cyberspy and its affiliates can no longer sell old versions of the software, and existing installations must be disabled.

Some matters still remain. The software is still being marketed as being able to “spy” — which is not how a legitimate monitoring tool would be marketed. The software still organizes the data in a way that would be useful to someone engaged in sniffing passwords. The order is silent on how the software interacts with anti-spyware tools and firewalls. A legitimate user of a computer thus would have no way of knowing whether Remotespy is on their machine, or be guaranteed that an anti-spyware tool would block it.

Posted: May 10, 2010

DOJ Stalking Report Estimates Hundreds of Thousands of Electronic Privacy Invasions

The Department of Justice, Bureau of Justice Statistics last week reported on its survey: “Stalking Victimization in the United States.” The survey was composed of 65,000 responses, and led to a total estimate of 5.8 million victims: 3.4 million stalking, and 2.4 million for harassment. The study covers victimization occurring mostly in 2005: the responses were collected during the first half of 2006, and inquired about events in the previous 12 months. Of these 5.4 million victims, two hundred thousand were victimized by identity theft.

Significantly, the survey also showed that 23% of victims suffered some form of cyberstalking, and 6% suffered electronic monitoring such as spyware, bugging or video surveillance.

The estimated 138 thousand victims of spyware were probably victimized by the type of stalker spyware that EPIC complained to the FTC about.  I doubt that stalkers are writing their own software or using vulnerability scripts. I also suspect that the numbers have gone up in the 3 — now entering 4 — years since 2005.  The FTC has only now begun to look at stalker spyware, and the only previous action on it was DOJ’s prosecution of Loverspy.

I’m not surprised by the numbers showing cyberstalking using email, IM, or blogs. But I do find it interesting that 8.8% of  victims had Internet sites created about them. I suspect the cyberstalking numbers have also only increased — blog usage and providers are proliferating, and so are the ways that one can make a website about another. I’ve worked with two individuals who had false online dating profiles created, one repeatedly. In these and in other cases of cyberstalking, it’s important that lawyers representing them be aware of the victimization, can present it to the court in a manner that aids their case, and can craft remedies that address the victimization.

Posted: January 23, 2009

Social Networking Spyware in Washington Post

Today’s Washington Post has an A1 story about Facebook application privacy:

Facebook fanatics who have covered their profiles on the popular social networking site with silly games and quirky trivia quizzes may be unknowingly giving a host of strangers an intimate peek at their lives.

Those mini-programs, called widgets or applications, allow users to personalize their pages and connect with friends and acquaintances. But they could pose privacy risks. Some security researchers warn that developers of the software have assembled too much information — home town, schools attended, employment history — and can use the data in ways that could harm or annoy users.

I’ve previously blogged on the privacy issues of Facebook Apps such as the civil liberties problems when law enforcement agencies create Facebook apps.

It’s good to see this issue gaining mainstream attention, because it means that people will start thinking differently about threats to privacy online. EPIC recently testified at a hearing on spyware. The testimony included social networking applications as a possible vector for spyware.

People at the hearing talked about the need to have any legislation in this area not be technology dependent. The bill being discussed, S. 1625, included some language that was focused on PCs, but ignored other threats. The bill had sections making unlawful certain behavior. It used language like “caus[ing] the installation on [a] computer of software that” did several prohibited things, like improperly collect information or display too many popups. But that language is focused on the idea that people keep their data on their computer. With social networking, people are keeping their data online, with social networking services. This data should also be protected from new types of spyware, and we should think of improper data collection from social network services in the same way we think about improper data collection from our home computers.

Posted: June 12, 2008

Computers, Freedom and Privacy 2008

Today I got to CFP 2008: Technology Policy ’08 conference. Tomorrow I’ll be presenting on what could be a hopeful new direction in spyware policy. I’ll be speaking on the stalker spyware complaint EPIC filed earlier this year.

In this digital age, spyware is used by employers and parents, as well as stalkers and perpetrators of abuse. This workshop will discuss whether anti-spyware policy and technology are appropriately tailored to spyware uses in the social context of abuse: misusing power and control. The essence of spyware is to spy, to monitor, to watch someone – all without their knowledge. How do we identify and respond to harmful, inappropriate use? What are the challenges faced by policymakers and anti-spyware technology providers when dealing with abusive uses of spyware? This workshop will explore the varying opinions on spyware policy and practice as it intersects with privacy and safety.

Other program topics that look interesting include network neutrality, reputation systems, and social networks. The whole program is here.

Posted: May 21, 2008

Complaint Against Amateur Spyware Purveyors Filed

Today my project at EPIC filed a complaint before the Federal Trade Commission against several purveyors of amateur spyware. I’ve previously blogged about the uses of spyware to intercept the communications of spouses.

The complaint alleges unfair and deceptive practices by these companies. Specifically, these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

Click on this thumbnail for a view of what the marketing looks like:

Remote Spy

There are many more examples of the marketing in the complaint.

The FTC does pay attention to spyware. But this is a new beast for them to take on. I suspect that software like this is used in many situations of abuse, but that it goes relatively undetected, unpunished and in general unreported. Undetected because people do not know to look for it. Unpunished because it is difficult to get an otherwise busy police force to focus on the computer forensics needed to effectively prosecute. And unreported because there really is not much data collection going on with these products. We have inklings that the problem is growing, but not much hard data. I hope this also spurs more organizing around this topic and we get a better sense of the malicious uses of this software.

I suspect this is a growing industry, and there will soon be malicious payloads being offered for delivery to your target’s cell phones, iPhones, and other devices, not just PCs. Let’s hope the FTC moves and nips it in the bud.

Posted: March 6, 2008

Spier Sues Spy Software Maker

I would guess that there are several companies in the business of selling what is basically “over the counter” or consumer grade spyware for the beginner level user. Depending on how this suit turns out, they will have to start being careful about how they promote their wares, and how they instruct their customers in using them:

Caught Snooping, Husband Sues Spy Software Vendor
By Ryan Singel

An Ohio man facing a lawsuit from his wife’s friend for intercepting her emails using spyware on a household computer filed suit Friday against the spyware maker, arguing the company’s ads failed to warn him that using it to monitor his family, including his wife, would violate state and federal laws.

As I previously blogged, intercepting communications can expose you to large civil liabilities.

Posted: September 23, 2007

NYT on Digital Evidence and Divorce

A friend emailed this NYT article:

Tell-All PCs and Phones Transforming Divorce
The age-old business of breaking up has taken a decidedly Orwellian turn, with digital evidence like e-mail messages, traces of Web site visits and mobile telephone records now permeating many contentious divorce cases.

Spurned lovers steal each other’s BlackBerrys. Suspicious spouses hack into each other’s e-mail accounts. They load surveillance software onto the family PC, sometimes discovering shocking infidelities.

The article also mentions using GPS to track a spouse; the ethical issues some spouses have when they decide to spy; and how the person spied upon can find it “particularly disturbing.”

On the legal issues, though, the article seems to be lacking. The only consideration is the admissibility of the evidence: whether it can be seen by the divorce court. Furthermore, the entire article seems to gloss over the difference between the use of electronic evidence gained via discovery — the legitimate, court-supervised method of obtaining records from the other side — and the surreptitious access to information that is the use of spyware and unauthorized access to devices.

The legal issues are serious. The Electronic Communications Privacy Act (ECPA) governs interception of electronic communications. Intercepting an electronic communication can land you in jail for five years. 18 USC 2511(4). You can also be sued civilly, being responsible for attorney’s fees and minimum damages of $10,000. Besides interception, accessing stored communications is regulated by the Stored Communications Act. Accessing someone’s stored communications can be punished by up to a year in jail. 18 USC 2702. And it can also expose you to suits for a minimum of $1000 plus attorney’s fees. 18 USC 2707.

But under both of these, the issues can get tricky if the computer is shared between people, or if people have previously shared their passwords with each other. It’s no surprise that a reporter talking to divorce lawyers didn’t go into wiretap laws. But at least they should not have mixed up the very legitimate accessing of stored information during a lawsuit with spousal espionage and stalking.

Posted: September 17, 2007