
FTC Brings First Case Against Developers of “Stalking” Apps - detaro
https://www.ftc.gov/news-events/press-releases/2019/10/ftc-brings-first-case-against-developers-stalking-apps
======
somejerk123
Once upon a time, I found this company's software on an employee's work
laptop, installed by a jealous ex-boyfriend.

I called the company, and they refused to remove our data or even help with
uninstalling the software without a court order.

The software helpfully logged the URL when it saved screenshots to S3, which
it did every few seconds.

The S3 bucket was fully public, listable, readable, writable. It also
contained keylogging and other data.

Not just from our employee. From everyone.

~~~
meowface
People need to stop calling it (just) stalkerware and call it what it
obviously is: malware. It's no different from any other form of malware. Just
the criminals are probably people you know rather than online opportunists.

~~~
peteretep
You seem to think that "malware" sounds worse and somehow more specific than
"stalkerware". Stalkerware sounds like a more nefarious subset of malware, and
I'm not sure what conflating a more specific term into a less specific one
achieves

~~~
segfaultbuserr
why not just "spyware"?

Am I getting too old?

~~~
TeMPOraL
I might be slightly younger, but under the meaning I remember, almost every
website today would qualify as running spyware. _Google Analytics is spyware_.

This kind of stalker app reminds me of remote administration tools. They had
another name, I don't remember what it was.

~~~
krageon
A RAT was frequently packaged in/used together with a trojan. Perhaps that's
what you were thinking of.

------
mindgam3
Good. The stalkerware problem is bigger than most people realize. Teens whose
parents use Life360 to stalk them are already well aware of the issue.

[http://www.wired.com/story/life360-location-tracking-familie...](http://www.wired.com/story/life360-location-tracking-families/)

~~~
droithomme
> Teens whose parents use...

The FTC order allows them to do so. The problem was the apps are marketed to
monitor employees and minors of which the installer is the legal guardian,
both of which are completely legal. But it was being used in some cases by
customers to monitor other adults, which is not legal without consent. The
company agreed to get the users to check a box saying it was being used for
minors or employees, both of which remain legal uses of the apps.

~~~
mindgam3
My point is: using these apps to monitor people without legal consent is super
not cool, obviously, but there’s an even bigger problem which is parents
relying on legal-but-shady stalking apps. Parents and kids need to be able to
trust each other. Surveilling your kids is not the answer. Full stop.

~~~
paulddraper
> Surveilling your kids is not the answer. _Full stop._

surveillance [1]

n. Close observation of person or group, especially one under suspicion.

n. The act of observing or the condition of being observed.

---

This is _CERTAINLY_ your responsibility toward your children. (The lack of it
is known as "neglect".)

Personally, I do not let my 6 year old go to the small neighborhood park by
himself. But if he has a remote monitoring device, I do.

As he gets older, there will be other cases where he will be allowed to do
things only under some type of supervision.

Obviously it varies by age and maturity, where age 0 requires earshot
proximity, and age 17.5 requires comparatively minimal attention to diet,
education, and recreation.

"No surveillance full stop" is simply wrong.

"No electronic surveillance" is I think unwise and ignores opportunities for
safe, constructive experiences.

"No secret surveillance" is I think a fair statement.

[1] [https://www.wordnik.com/words/surveillance](https://www.wordnik.com/words/surveillance)

~~~
micmil
We're not talking about 6 year olds here. We're talking about "children" that
are at times not even minors, whose parents are trying to control every aspect
of their lives well beyond any reasonable limit.

~~~
paulddraper
Let's talk about a 12 year old then.

Old enough to use technology well, but young enough to require oversight of
some manner.

~~~
bonoboTP
As a 12 year old me and my peers had no mobile phones and most of us went home
from school alone, using public transportation in Budapest, a city of 2
million. This was already this century.

Americans seem to have a very strange notion of what children can do at what
ages. Kids at age 8 can reasonably go to and from school if it's close enough.
This of course relies on living in a walkable area and I guess that's
partially where the problem starts in the US. Parents got used to the idea
that kids need to be transported by car or a specific, restricted-use school
bus, leaving no freedom or agency for the children. Yes, growing up involves
making mistakes, doing mischief, testing boundaries, learning what it is like
to lie, feeling what a resulting bad conscience feels like, what a secret
feels like etc. Yes, it may mean that the kid may skip a class or go somewhere
they are not supposed to, but usually these aren't life shaking mistakes,
unless there are deeper problems at home and with the parental environment.

~~~
otakucode
What children can do at what age is a direct function of how they are raised.
Americans, unfortunately, have been sold on the notion that what a child is
capable of is instead somehow a biological limitation. There are some
biological limitations, of course, such as the inability for average children
before around age 10 to perform abstract reasoning, etc, but they are very
few. And those limitations are misunderstood, as well. While the truth is that
a child exposed to something 'before they can understand it' will experience
confusion (or misunderstanding... 'kid logic' can be amazing in the lengths to
which it stretches to attempt to integrate new knowledge), it is assumed they
will instead experience intense, damaging trauma. I think there is also a
component involved of 'doing something is better than doing nothing' when, in
many cases, doing nothing would definitely be the better solution. I don't
believe there are hardly any parents who, for instance, could come across a
string of 'dead baby' jokes in a group chat their 11 year old is participating
in and conclude 'my child is developing a sense of humor and fitting in with a
peer group.' They would instead conclude 'my child is uncaring, incapable of
empathy, foul-mouthed, and I need to make them understand how serious this
is.' A reaction like that, from your parent, would be devastating. They know
you better than anyone. If they tell you that you are an uncaring, unkind,
vicious person, you are not going to be able to step back and see that your
parent is being ridiculous in most cases. You will simply be hurt, and that
parent has certainly not prepared you for how to handle emotions like that. It
ends up with an immature person (the parent) inflicting distress on another
immature person (the child) and no one benefits.

~~~
bonoboTP
Also, parents overestimate their explicit influence on kids and thereby their
importance and responsibility in explicitly teaching them by setting rules and
"preaching". Instead, kids' brains are very good at filtering out the bullshit,
learning by observing actions rather than talk and learning from peers and
other adults.

However, a truly dictatorial parental surveillance scheme, as is now possible
through tech, may inhibit the information transfer even more. Combined with
practices like constant parental transportation, structured extracurriculars
every day, no recess at school or homeschooling a very dystopian picture
emerges.

I really hope this wave won't hit Europe.

And the effects are already showing: [https://www.economist.com/graphic-detail/2019/02/27/generati...](https://www.economist.com/graphic-detail/2019/02/27/generation-z-is-stressed-depressed-and-exam-obsessed)

~~~
aphextim
I grew up in a home where my parents separated when I was in 1st grade.

Mother who gained custody had severe bipolar which led to days where she
literally would not get out of bed.

When I was in 6th grade I remember having to pack lunches for my sister who
was 4 years younger and make sure we both went to the bus stop and got to
school each day.

It was a bit more difficult when I hit the 7th and 8th grades as the school in
the area started those grades an hour earlier than K-6 and my sister and I no
longer rode the same bus at the same time.

We managed pretty good, and my sister and I are very close to this day because
of how we took care of each other growing up.

I also had immense freedom, no curfew/bedtime and freedom to roam unsupervised
unless my grades slipped. I enjoyed the freedom so I managed to keep my grades
up my entire education.

It helped that cell phones in the hands of every child were still not a thing,
just as I turned 18 and moved out on my own is when I remember getting my
first cell phone.

------
SmallDeadGuy
> Each of the apps provided purchasers with instructions on how to remove the
> app’s icon from appearing on the mobile device’s screen so that the device’s
> user would not know the app was installed on the device, according to the
> complaint.

For the legitimate uses of this app, there should be absolutely no need to
remove the app icon from the home screen and there should be a
regular/persistent notification of when monitoring is in effect. I can't
believe that the company would even think this is a good idea for their
intended use, let alone ignoring how it enables malicious behaviour.

------
relaunched
> The FTC alleges that Retina-X and Johns developed three mobile device apps
> that allowed purchasers to monitor the mobile devices on which they were
> installed, without the knowledge or permission of the device’s user.

They are being accused of taking no precautions to make sure their app was
being used in a legal way (employees and children), as well as violating child
privacy laws and delinquent security practices.

To your other point, selling a legal service that can be used in an illegal
way often has legal repercussions, especially when you ignore compliance w/
applicable laws.

------
Jerry2
From the article:

> _Retina-X and Johns marketed one of the apps, called MobileSpy, to monitor
> employees and children. Retina-X promoted two other apps, called
> PhoneSheriff and TeenShield, to monitor mobile devices used by children.
> Retina-X sold more than 15,000 subscriptions to all three stalking apps
> before the company stopped selling them in 2018._

MobileSpy's website [1] is still up but they now have an "apology" for getting
hacked from 2018:

> _Regrettably Retina-X Studios, which offers cutting edge technology that
> helps parents and employers gather important information on devices they
> own, has been the victim of sophisticated and repeated illegal hackings.
> Over the past year, Retina-X Studios has begun to implement steps designed
> to enhance our security measures which had the positive outcome of
> restricting data obtained by the hackers in the most recent intrusion. No
> personal data was accessed, but some photographic material of TeenShield and
> PhoneSheriff customers has been exposed._

These apps also appear to be Android only. I don't see how they could run
something like this without a jailbreak.

[1] [https://www.mobile-spy.com/](https://www.mobile-spy.com/)

------
3wolf
This is small potatoes compared to the number of apps out there periodically
harvesting users' locations to be aggregated and sold to some quant fund.

~~~
TheSpiceIsLife
Yours is a legitimate concern, but a separate issue.

Stalking can present _real, immediate, and severe_ consequences to the
target(s).

~~~
everlastingfan
Right, don't talk about advanced persistent threats here.

~~~
_jal
I do not think that means what you think it means.

[https://en.wikipedia.org/wiki/Advanced_persistent_threat](https://en.wikipedia.org/wiki/Advanced_persistent_threat)

~~~
everlastingfan
I know what the words mean. Go meditate if you have trouble understanding.

------
kizer
Holy shit... what?! People have been stalking their partners using hidden
apps? Is jealousy this powerful? WTF - that legitimately sounds crazy to me.

------
detcader
I've never heard of these apps and it's really alarming and at the same time
not surprising at all. I can only imagine how widespread this is... I'm
tempted to print out flyers with that NNEDV graphic to put up in public

------
geoffreyhale
What's the problem here? I don't see it. I see family opt-in location sharing.

~~~
LeonB
For example, abusive partners can use it to track their partner and continue
to track them when they (hopefully) become ex partners.

~~~
C1sc0cat
And sometimes kill the ex partner sadly in some cases.

Back when I worked for a large telco we had a training film about why you
should never look up data on our systems for a "friend" and there was a real
case of this happening.

------
trhway
I wonder whether these apps are used by police, cool TV FBI agents and the
likes, and whether their ability to fight terrorism, drug and human
trafficking, etc would get negatively impacted by limiting of those apps.

~~~
inetknght
> _whether their ability to fight terrorism, drug and human trafficking, etc
> would get negatively impacted by limiting of those apps._

I seriously doubt it. First that I strongly disagree with the war on drugs.
Second because, while human trafficking is certainly a _problem_ , I think the
scope of the problem is made out to be far larger than it is in actuality;
it's often hand-waved for more security, more laws... but what are the actual
yearly numbers of people trafficked?

If the FBI gets a warrant to find you using your phone, they don't need to
install an app for that. If they want to see what's on the phone then
surreptitiously installing an app isn't going to guarantee that either.

------
techntoke
These apps are against the law, but you can still implement the built-in
location tracking and activity history of the devices? Seems weird to me. They
probably forgot to pay the lobbyists in the industry.

~~~
relaunched
Think of it this way, chef's knives are legal. Murder is not. If you work in my
restaurant, you can use the chef's knives to make food. You can't use them to
kill people. If you do, you will be prosecuted.

~~~
bendbro
In your world:

Chef knife :: the app

Chef knife mfg :: the app developer

Murder :: stalking

Cooking :: legal tracking

The law prosecutes app developers and makes illegal apps that allow for
stalking. :: The law prosecutes chef knife mfgs and makes illegal chef knives
that can be used for murder.

This is not what you have stated. Your example world does not map to the real
world, as it is a paradox to think a "murdering chef knife" can be
discriminated from a "cooking chef knife" when the manufacturer creates it.

And that is the point of the parent commenter. A tracking app can be used for
both legal tracking and stalking, but it is absurd to think the developer will
know which it is.

~~~
ergothus
> it is a paradox to think a "murdering chef knife" can be discriminated from
> a "cooking chef knife" when the manufacturer creates it.

You can certainly market your knives with an intention. You can study which
knives "murder" best, and not study which knives are best for cooking.

I agree that this should be a harder bar to prove, but I don't think it's
paradoxical to say it can be done.

> it is absurd to think the developer will know which it is.

True, the developer won't "know" for any given instance. But it is NOT absurd
to think the developer will be trying for one or the other, perfecting it for
that purpose (with intent), and marketing it for that purpose, nor is it
absurd that such an intent could be reasonably proven. (Not ABSOLUTELY proven,
but reasonably)

~~~
grawprog
> You can certainly market your knives with an intention. You can study which
> knives "murder" best, and not study which knives are best for cooking.

But there's also no law against selling knives designed for murdering people
in many places. I mean I can walk into a store and walk out with a katana or a
long sword or something. You're not supposed to use them for killing people,
but that's literally the reason why they were invented. I don't want to say
for sure, but I'm pretty sure the katana manufacturer is still not going to be
liable if I go and hack someone up with my katana.

~~~
PhasmaFelis
A katana can be (and usually is) used as a display piece. The FCC is saying
(not unreasonably) that these apps aren't really suited for anything but
illegally stalking people. They claim to be for legitimate tracking, but they
made design decisions that clearly disagree with that.

There's not really a direct analogy there (an...invisible katana?), but I
think the difference is clear.

~~~
bendbro
What design decisions? If I wanted to track my child with their phone, or
track my phone in case it was stolen, what design decisions would differ from
those use cases and the stalker use case?

~~~
PhasmaFelis
If you just want to locate your phone, or your child's, or your employee's
company phone, you can use Apple's or Google's built-in tracking; a
third-party app is unnecessary.

If you want to directly monitor a child's or employee's usage, and/or restrict
them from some sites/apps/settings, you probably want a parental/employer
control app that doesn't compromise the phone to hide itself.

Have you read the article? These apps require you to disable important
security measures on the target phone, leaving it vulnerable to attack, in
order to hide the app from the user. There's no legitimate use case for that.

