FTC bans Retina-X from selling creepy stalkerware
The backlash continues: This week, the Federal Trade Commission prevented Retina-X Studios, LLC from selling stalkerware—spying software intended to be secretly used by suspicious spouses, jealous exes, and other ne’er-do-wells.
Obviously, this business model is—frankly—abhorrent. But also, the company seemed incapable of securing the data collected by its malware.
It was hacked twice in 12 months, allegedly because of an unsecured S3 bucket. In this week’s Security Blogwatch, we despair for society.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Fake-skin UX.
Creepers gonna creep
What’s the craic? Joseph Cox—In a First, FTC Bans Company From Selling ‘Stalkerware’:
Stalkerware is malicious software that is installed on phones or computers [that] can intercept text messages and calls, track GPS locations, [etc.] Stalkerware is often used in abusive relationships, even if companies selling the software claim it is only to be used for legally monitoring children or employees.
Specifically, the FTC alleges that … Retina-X and its owner James N. Johns Jr. … violated the FTC Act's prohibition against unfair and deceptive practices, as well as the Children's Online Privacy Protection Act (COPPA). … The FTC announcement [also] alleges that Retina-X did not properly secure the data collected by its software.
The data was insecure? Sergiu Gatlan—Retina-X Banned by FTC:
Retina-X previously sold the MobileSpy app designed to monitor children and employees, and it was also behind two other 'stalkerware' apps called PhoneSheriff and TeenShield. … The developer stopped selling the apps in 2018 after its cloud storage was breached twice … in February 2017 [and again] in February 2018. The hacker managed to harvest and exfiltrate data collected using the … apps.
FTC's settlement orders Retina-X and … James N. Johns, Jr. to require their monitoring apps to always be used for legitimate purposes and with the written consent of the users that will be monitored. Additionally, they must destroy all the data their customers have already collected.
WTF? FTC PR FTW—FTC Brings First Case Against Developers of “Stalking” Apps:
The settlement resolves allegations that these apps compromised the privacy and security of the consumer devices on which they were installed. … The FTC alleges that Retina-X and Johns developed three mobile device apps that allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device’s user.
Retina-X sold more than 15,000 subscriptions to all three stalking apps before the company stopped selling them. … While Retina-X claimed in its legal policies that the apps were intended for monitoring employees and children, Retina-X did not take any steps to ensure that its apps were being used for these purposes.
At the same time, devices on which the apps were installed were exposed to security vulnerabilities. The FTC also alleges that Retina-X and Johns failed to adequately secure the information collected from the mobile devices. [It] failed to adopt and implement reasonable information security policies and procedures, conduct security testing on its mobile apps, [or] conduct adequate oversight of its service providers.
Despite these failures, the legal policies for all three apps claimed that, “Your private information is safe with us.” … Retina-X failed to secure the information it collected despite collecting GPS locations, text messages and other personal information from children.
Okay, but legalities aside, why does it really matter? Joe Uchill cuts to the chase—FTC takes action:
Why it matters: These apps are frequently operated by abusers to covertly keep tabs on significant others, providing data on locations, movements and online behaviors.
Yep, a.k.a. “spouseware.” The EFF’s Eva Galperin—@evacide—wistfully remembers:
That time I got really mad and decided to kill an industry. … I’d be lying if I said I hadn’t started a meeting with “Now, everyone pick an industry you want to kill…”
For anyone who has ever asked me why I’m so angry, I’m here to tell you that anger gets **** done. … I’m anger and armor, all the way down.
One co-worker once told another that I was smart, but “it’s a pity, how she presents herself.” That person is gone and I am the Director of Cybersecurity.
Change doesn’t happen in a vacuum. Shout out to the people who have been fighting spouseware and stalkerware all along: @harlo @lorenzofb @josephfcox @iblametom et al.
Donate to @EFF! Without our members, we are nothing.
But what right does the FTC have to do this? Aighearach explains:
[The FTC is] in charge of bringing down the hammer on companies that trade based on promoting illegal uses of a product. … This isn't about what software is legitimate, it is about what companies are legitimately trading in software.
This is exactly the same as if you sold a tool for breaking into cars, and made advertisements where it is implied the customer is using the product to steal cars. That would be illegal.
And yet, I can go to the auto parts store and buy a "slim jim," which is correctly and legally marketed as an emergency access tool. They don't try to boost sales by marketing at every possible type of customer use, they focus their promotion narrowly on the legal uses.
IT dept. anecdote time. somejerk123’s got one:
Once upon a time, I found this company's software on an employee's work laptop, installed by a jealous ex-boyfriend. I called the company, and they refused to remove our data.
The software helpfully logged the URL when it saved screenshots to S3. … The S3 bucket was fully public, listable, readable, writable. It also contained keylogging and other data. Not just from our employee. From everyone.
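The "fully public, listable, readable, writable" finding above is exactly what an offline audit of a bucket's ACL and policy should surface. This is an added example, not code from the original post or from any of the companies named: it takes the JSON shapes returned by `aws s3api get-bucket-acl` and the policy document from `aws s3api get-bucket-policy`, and reports which capabilities are granted to everyone. The sample ACL and policy are constructed for illustration; the bucket name and owner ID are placeholders.

```python
import json

# Canned group URIs that make an ACL grant public (anyone, or any AWS account).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Bucket-level ACL permission -> what the public gets: READ lists objects,
# WRITE creates/overwrites/deletes them (object bodies need the policy or object ACLs).
ACL_EFFECT = {"READ": {"listable"}, "WRITE": {"writable"},
              "FULL_CONTROL": {"listable", "writable"}}
# Bucket policy actions granted to Principal "*" -> capability conferred.
POLICY_EFFECT = {"s3:listbucket": {"listable"}, "s3:getobject": {"readable"},
                 "s3:putobject": {"writable"}, "s3:deleteobject": {"writable"},
                 "s3:*": {"listable", "readable", "writable"}}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def public_exposure(acl, policy=None):
    """Return the set of capabilities ('listable', 'readable', 'writable')
    that the ACL (get-bucket-acl JSON) and policy document grant to everyone."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found |= ACL_EFFECT.get(grant.get("Permission"), set())
    for stmt in (policy or {}).get("Statement", []):
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):          # {"AWS": "*"} or {"AWS": ["*"]}
            principal = principal.get("AWS", [])
        if stmt.get("Effect") == "Allow" and "*" in _as_list(principal):
            for action in _as_list(stmt.get("Action", [])):
                found |= POLICY_EFFECT.get(action.lower(), set())
    return found

# Constructed sample (not real data): owner has full control, AllUsers can list
# and write the bucket, and a policy lets anyone fetch any object.
SAMPLE_ACL = json.loads("""{"Owner": {"ID": "example-owner"}, "Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
   "Permission": "READ"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
   "Permission": "WRITE"}]}""")
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print(sorted(public_exposure(SAMPLE_ACL, SAMPLE_POLICY)))  # ['listable', 'readable', 'writable']
```

The account- and bucket-level Block Public Access settings are not modelled here; they override both the ACL and the policy, so an empty result from this check is only meaningful alongside them.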
Shocking. And mysidia contrasts stalkerware with employer surveillance:
Nobody has any right to do surreptitious interception of the content of an adult person's private communications; just like nobody has the right to do surreptitious audio recording when permission is required, and even your spouse could be in legal trouble if they [did]. … The only reason employers can … under certain circumstances is that they own the e-mail servers involved and [do] so openly and conspicuously with notice and agreement.
There are legal modes of investigation. … That does not extend to wiretapping on private text message contents, or planting hidden cameras in shared spaces.
Ah, bless: kizer sounds a tiny bit naïve:
Holy **** … what? People have been stalking their partners using hidden apps?
Is jealousy this powerful? WTF.
Meanwhile, here’s Chromal, who urges the FTC to apply this equitably:
This should be as applicable to Facebook, telcos, the advertising industry, and search providers. No information about an individual, their movements and destinations, their likeness, their politics, their frame-of-view upon the world, or their consumer preferences may be collected, distributed, resold, analyzed, subpoenaed without a warrant, or otherwise abused without their consent, which must be opt-in, not opt-out.
The moral of the story?
IT and CISOs should stay vigilant for this type of targeted spyware infecting your kit—no matter what the motivation of the perpetrator.
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. E&OE.