Special thanks to Martha Medina for her contributions to this post.
On October 22, 2019, the Federal Trade Commission (“FTC”) settled its case against a Florida company, Retina-X Studios, LLC and its owner, James N. Johns, Jr. (“Johns”). The company sold “stalkerware” that allowed people to tap into others’ phones and track their calls, texts, photos, physical movements, and browser history.
According to the FTC’s complaint, Retina-X failed to ensure that its three applications (“apps”) were being properly used by those who purchased them. The three apps – MobileSpy, PhoneSheriff, and TeenShield – were all marketed as apps that would allow the “purchaser to monitor, often surreptitiously, another person’s activities on that person’s mobile device or computer.” For example, TeenShield was marketed as an app that would help parents monitor their children’s activities.
The apps would allow the user to delete the apps’ icons from the phone’s home screen, allowing them to run in the background and preventing the phone’s owner from knowing that his/her movements were being monitored. Additionally, installing the app software often required the user to “jailbreak” or “root” their phones – an action that would allow users to circumvent the operating system’s security features and would likely invalidate the manufacturer’s warranty. Once the app was installed, a purchaser could remotely monitor the owner’s phone activity without having physical access to it.
All three apps claimed to keep their users’ private information confidential. In reality, however, Retina-X failed to secure users’ personal information and exposed their information to disclosure and improper use. In fact, in 2017 and in 2018, hackers were able to access unencrypted credentials on the TeenShield and PhoneSheriff apps. The hackers collected photos and other sensitive consumer data, including passwords, text messages, and GPS locations. According to the FTC, Retina-X’s failure to properly secure this information when it claimed to protect users’ personal information constituted an unfair or deceptive act in violation of the FTC Act, as well as the Children’s Privacy Protection Rule.
Pursuant to the settlement agreement, Retina-X is now banned from selling monitoring products that require purchasers to bypass security protections on their devices. Retina-X and Johns must also require purchasers to state that they will only use the app to monitor a child or an employee, or another adult who has provided written consent. Additionally, the icon with the name of the app cannot be removed unless it is done by a parent or legal guardian who has installed the app on their minor child’s phone.
Retina-X and Johns will be required to destroy all data that has already been collected from their monitoring services. The settlement also required Retina-X and Johns to establish and maintain a comprehensive information security program that protects the information they collect and addresses the security issues identified in the FTC’s complaint.