FTC upholds ban on stalkerware founder Scott Zuckerman

A stalkerware maker who was banned from the surveillance industry after a data breach that exposed the personal information of its customers, as well as the people they were spying on, will not be able to go back to selling the invasive software, according to the U.S. Federal Trade Commission.

The FTC denied a request to cancel that ban made by Scott Zuckerman, the founder of consumer spyware company Support King and its subsidiaries SpyFone and OneClickMonitor. The FTC announced the denial after Zuckerman petitioned the federal watchdog to rescind or modify the ban order in July of this year.

In 2021, the FTC banned Zuckerman from offering, promoting, selling, or advertising any surveillance app, service, or business, effectively preventing him from running another stalkerware business. The agency also ordered Zuckerman to delete all the data collected by SpyFone and to undergo frequent audits and establish certain cybersecurity practices for his businesses.

Samuel Levine, then acting director of the FTC’s Bureau of Consumer Protection, said, “SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information. The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security.”

In his petition, Zuckerman claimed that the FTC order’s security requirements have made it harder for him to run his other businesses due to financial costs. He stated that Support King is no longer in operation and he now only runs a restaurant and plans other tourism ventures in Puerto Rico. When reached via email, Zuckerman declined to comment and referred questions to his lawyer.

The FTC ban stemmed from an incident in 2018, when a security researcher found an Amazon S3 bucket belonging to SpyFone that left extremely sensitive data exposed online for anyone to see. The data included selfies, text messages, chat app messages, audio recordings, contacts, location data, hashed passwords and logins, and more.

The exposed data included 44,109 unique email addresses and, according to the researcher, information from at least 2,208 current customers and hundreds or thousands of photos and audio files from 3,666 phones that had the SpyFone stalkerware installed.

Less than a year after the 2021 FTC order, TechCrunch reported that Zuckerman appeared to be running another stalkerware company. In 2022, TechCrunch received a trove of breached data from stalkerware app SpyTrac. The data revealed that SpyTrac was run by freelance developers with direct ties to Support King, in what appeared to be an attempt to circumvent the FTC’s ban. Furthermore, the breached data included records from SpyFone, which Zuckerman was ordered to delete, and keys to access the cloud storage of OneClickMonitor, another one of his stalkerware apps.

Eva Galperin, a prominent expert on stalkerware and director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation, celebrated the news. She stated, “Mr. Zuckerman was clearly hoping that if he laid low for a few years, everyone would forget about the reasons why the FTC issued a ban not only against the company, but against him specifically.” She added that TechCrunch’s 2022 revelation that Zuckerman apparently violated the FTC ban suggests he did not learn his lesson.

Stalkerware apps allow their customers to surreptitiously spy on the phones and devices of their loved ones. Beyond enabling potentially illegal activity, the industry has a poor security record: over the last eight years, at least 26 stalkerware companies have been hacked or have left sensitive data exposed online. These repeated incidents show that such companies have consistently failed to protect the privacy of their customers, as well as of the people their customers spy on.