FTC cracks down on stalking apps
Freeman Lightner in Security, Thursday, October 24, 2019
The Federal Trade Commission settlement resolves charges that Retina-X’s products created security vulnerabilities and violated consumers’ privacy.
The Federal Trade Commission has barred the developers of three “stalking” apps from selling apps that monitor consumers’ mobile devices unless they take certain steps to ensure the apps will only be used for legitimate purposes. The settlement resolves allegations that these apps compromised the privacy and security of the consumer devices on which they were installed.
The FTC’s proposed settlement also requires Retina-X Studios, LLC and its owner, James N. Johns, Jr., to delete the data they collected from the stalking apps. The settlement prohibits Retina-X and Johns from promoting, selling, or distributing any monitoring app that requires users to circumvent a device’s security protections to install it, absent reasonable steps to ensure that the app is being used for legitimate purposes.
“This is our first action against a so-called ‘stalking app,’” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses. Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.”
The FTC alleges that Retina-X and Johns developed three mobile device apps that allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device’s user. Retina-X and Johns marketed one of the apps, called MobileSpy, to monitor employees and children. Retina-X promoted two other apps, called PhoneSheriff and TeenShield, to monitor mobile devices used by children. Retina-X sold more than 15,000 subscriptions to all three stalking apps before the company stopped selling them in 2018.
To install the apps, the purchasers were required to bypass mobile device manufacturer restrictions, which the FTC alleges exposed the devices to security vulnerabilities and likely invalidated manufacturer warranties. In addition, while Retina-X claimed in its legal policies that the apps were intended for monitoring employees and children, Retina-X did not take any steps to ensure that its apps were being used for these purposes.
Each of the apps provided purchasers with instructions on how to remove the app’s icon from appearing on the mobile device’s screen so that the device’s user would not know the app was installed on the device, according to the complaint.
The FTC alleges that the Retina-X apps allowed purchasers to access sensitive information about device users, including the user’s physical movements and online activities. At the same time, devices on which the apps were installed were exposed to security vulnerabilities.
The FTC also alleges that Retina-X and Johns failed to adequately secure the information collected from the mobile devices. The company outsourced most of its product development and maintenance to third parties. The FTC alleges that Retina-X failed to adopt and implement reasonable information security policies and procedures, conduct security testing on its mobile apps, and conduct adequate oversight of its service providers.
Despite these failures, the legal policies for all three apps claimed that, “Your private information is safe with us.” The FTC alleges that a hacker was able to access the company’s cloud storage account twice between February 2017 and 2018 and delete certain information. The hacker accessed data collected through the PhoneSheriff and TeenShield apps, including login usernames, encrypted login passwords, text messages, GPS locations, contacts, and photos. The company and Johns did not learn about the first intrusion until April 2017 when they were contacted by a journalist, who was tipped off by the hacker.
The FTC alleges that Retina-X and Johns violated the FTC Act’s prohibition against unfair and deceptive practices and the Children’s Online Privacy Protection Act (COPPA), which requires operators to secure the information they collect from children under 13. Retina-X failed to secure the information it collected despite collecting GPS locations, text messages and other personal information from children, according to the FTC complaint.
Under the proposed settlement, Retina-X and Johns must require purchasers to state that they will only use the app to monitor a child or an employee, or another adult who has provided written consent. In addition, they must include an icon with the name of the app on the mobile device, which is only removable by a parent or legal guardian who has installed the app on their minor child’s phone.
In addition, both Retina-X and Johns are prohibited from violating COPPA and from misrepresenting the extent to which they protect the privacy and security of personal information they collect.
Retina-X and Johns must also implement and maintain a comprehensive information security program designed to protect the personal information they collect; the program must include specific safeguards to address the security issues identified in the FTC complaint.
Johns and his company must obtain third-party assessments of their information security program every two years. The assessor must specify the evidence that supports its conclusions and conduct independent sampling, employee interviews, and document review. In addition, the order requires a senior corporate manager responsible for overseeing the information security program to certify compliance with the order every year. Finally, the order grants the Commission the authority to approve the assessor for each two-year assessment period.
The Commission vote to issue the proposed administrative complaint and to accept the consent agreement with Retina-X and Johns was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.
Read more: https://www.consumer.ftc.gov