FTC upholds ban on stalkerware founder Scott Zuckerman

A stalkerware maker that was banned from the surveillance industry after a data breach that exposed the personal information of its customers, as well as the people they were spying on, will no longer be able to return to selling invasive software, according to the US Federal Trade Commission.

The FTC rejected a request to overturn the ban filed by Scott Zuckerman, founder of consumer spyware company Support King and its subsidiaries SpyFone and OneClickMonitor.

On Monday, the Federal Trade Commission The denial was announced in a press release After Zuckerman petitioned the federal watchdog to rescind or modify the ban order in July of this year.

In 2021, the Federal Trade Commission barred Zuckerman from “offering, promoting, selling, or advertising any surveillance application, service, or business,” effectively barring him from running other stalkerware businesses. The agency also ordered Zuckerman to delete all data collected by SpyFone, as well as undergo frequent audits and establish certain cybersecurity practices for his business.

“SpyFone is a shameless brand name for a surveillance company that helps stalkers steal private information,” said Samuel Levin, acting director of the Federal Trade Commission’s Bureau of Consumer Protection. “The stalkerware was hidden from device owners, but completely exposed to hackers who took advantage of the company’s compromised security.”

In his lawsuitZuckerman claimed that the security requirements of the FTC order made it difficult for him to operate his other businesses due to financial costs, despite the fact that Support King is no longer in business and now only operates a restaurant and plans other “tourism ventures” in Puerto Rico, according to the petition.

When reached by email, Zuckerman declined to comment and referred questions to his attorney.

The FTC’s ban stemmed from an incident in 2018, when A security researcher found an Amazon S3 bucket belonging to SpyFone This left highly sensitive data — including personal photos, text messages, chat app messages, voice recordings, contacts, location, hashed passwords, logins, and more — exposed online for anyone to see and access.

The exposed data included 44,109 unique email addresses and, according to the researcher who found the breach, “at least 2,208 existing customers and hundreds or thousands of photos and audio recordings in each folder” from 3,666 phones that had SpyFone stalkerware installed.

Less than a year after the FTC’s 2021 order, TechCrunch reported that Zuckerman appears to be running another stalkerware company. In 2022, TechCrunch received a large trove of data breaches from the stalkerware app SpyTrac. The data revealed that SpyTrac was run by independent developers with direct relationships with Support King, in what appeared to be an attempt to circumvent the FTC’s ban. Furthermore, the compromised data included logs from SpyFone, which Zuckerman was ordered to delete, and keys to access cloud storage for OneClickMonitor, another of his stalkerware applications.

Eva Galperin, a leading expert on stalking programmes, celebrated the news. “Mr. Zuckerman clearly hoped that if he stayed hidden for a few years, everyone would forget the reasons why the FTC issued a ban not just against the company, but against him specifically,” Galperin told TechCrunch.

Galperin, director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation, added that TechCrunch’s 2022 discovery that Zuckerman had apparently violated the FTC ban “suggests that Zuckerman has not learned his lesson.”

Stalkerware apps allow their customers to surreptitiously spy on the phones and devices of their loved ones. In addition to enabling potentially illegal activities, over the past eight years, there have been at least 26 stalkerware companies that have been hacked or left sensitive data exposed online, according to TechCrunch’s tally. These repeated incidents show that these companies have repeatedly failed to protect the privacy of their customers, as well as the people they spy on.