US regulator the Federal Trade Commission has barred the firm Retina-X Studios from selling three of its mobile spying apps unless it takes steps to ensure they’ll only be used for legitimate purposes.
The FTC on Tuesday published its first ever proposed settlement aimed at putting restrictions on the makers of stalker apps, which are often marketed as tools for parents to monitor children but are frequently used to spy on spouses. The FTC found that only a third of the targets of Retina-X’s discontinued TeenShield iOS app were under 13.
The buyer of a stalker app typically needs physical access to install it on the device they wish to monitor, allowing them to capture and log the target’s GPS location, text messages, photos, call history and browser history.
The settlement concerns three of Retina-X's spying apps: PhoneSheriff, TeenShield and MobileSpy. The FTC alleged the company allowed buyers of the apps to monitor mobile devices without the knowledge or permission of the device’s user.
According to the FTC, Retina-X sold more than 15,000 subscriptions to the stalking apps before it stopped selling them in 2018. It ceased selling them after its cloud storage account was hacked in 2017 and then again in 2018, exposing sensitive personal information collected through the apps.
Retina-X was breached in 2017 by a vigilante hacker who believed the products expose victims to serious dangers, as Motherboard reported at the time. A year later the same hacker wiped Retina-X's servers.
“This is our first action against a so-called ‘stalking app,’” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.
“Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses. Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.”
Buyers who installed the apps on a target’s device were required to ‘root’ the device first in order to bypass operating system protections. The FTC alleges this exposed victims to further security vulnerabilities. Additionally, the apps instructed buyers how to conceal the app’s icon from the target’s home screen in order to avoid suspicion.
It also charged Retina-X with failing to take steps to ensure the apps were being used for the purpose of monitoring children or employees, as was claimed in its legal policies.
Regarding Retina-X’s breaches, the FTC highlighted that the company’s legal policies stated that “your information is safe with us”, which was not true because the hacker was able to access data collected through the PhoneSheriff and TeenShield apps.
The complaint includes one count of unfair acts or practices and three counts of deception. Retina-X also allegedly failed to comply with the FTC-regulated Children's Online Privacy Protection Act or COPPA, which is designed to protect children under the age of 13.
As part of the settlement, Retina-X and its founder James Johns Jr. agreed to delete data collected from the apps and not to sell any product that requires the device to be jailbroken or rooted.
The company will also need to get statements from buyers confirming that the app will only be used by parents and employers to monitor their children and employees, respectively. Adults will need to provide written consent to being monitored. And only parents can remove the app icon. Finally, Retina-X will need to have third-party security assessments every two years.
Assuming Retina-X stays in business under the burden of its new compliance requirements, it will also need to implement record-keeping systems for most aspects of its business for the next decade, including records of its finances, employees, and all customer complaints.