In a rare Children’s Online Privacy Protection Rule enforcement action, the U.S. Federal Trade Commission announced a settlement in October with “stalking app” developer Retina-X Studios, LLC and its owner, James Johns. The consent decree bars the respondents from selling subscriptions to their services unless they take affirmative steps to ensure the apps are used for legitimate purposes.

This decree also marks the FTC’s first action against stalking apps. “Although there may be legitimate reasons to track a phone,” Director of the FTC’s Bureau of Consumer Protection Andrew Smith, said in a news release. “These apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses.” FTC Commissioner Rebecca Kelly Slaughter noted a 2014 study revealed 85% of domestic violence shelters had assisted victims who had been tracked by abusers through GPS. “These apps are not just creepy,” said Slaughter, “they put victims of stalking and domestic violence at profound risk.”

FTC allegations

In its complaint, the FTC alleged that Retina-X marketed two apps, TeenShield, and PhoneSheriff, to parents seeking to monitor their children’s mobile devices. They also marketed a third app, MobileSpy, to parents as well as employers who wanted to monitor their employees. The FTC said all three apps “substantially injured device users by enabling purchasers to surreptitiously stalk them.” The apps permitted subscribers to capture location information, the content of text messages, and browser and email history, among other data points. Retina-X also told users how to remove the app icons so the mobile user would not know the app was on their phone.

Because installing the apps required users to physically access and jailbreak or root the mobile devices, using them would void the warranty of almost all mobile devices. Jailbreaking a device can expose it to security vulnerabilities, which device users would not have been aware of if the person who installed the app followed Retina-X’s instructions to remove the icon.

The privacy policies for each app stated, “Your private information is safe with us.” However, in February 2017 and again in February 2018 a hacker found credentials to two of Retina-X’s cloud storage accounts. In the 2017 event, the hacker accessed usernames, passwords, text messages, contact lists, browser histories and photos belonging to surveilled individuals. The hacker then erased the database. Retina-X only learned of the breach after a journalist notified the company in April 2017.

The FTC alleged Retina-X failed to meet its obligation under the COPPA Rule because it failed to secure the data it collected from children under 13 years old. COPPA requires website operators collect, use or disclose personal information from children under 13 years of age to establish and maintain reasonable procedures to protect the confidentiality, security and integrity of data collected from children.

The FTC further alleged that Retina-X had engaged in unfair and deceptive practices in violation of Section 5 of the Federal Trade Commission Act in two ways. First, it allegedly behaved unfairly by selling monitoring apps that required the circumvention of device security systems without taking reasonable steps to ensure that the apps would only be used for legitimate, lawful purposes. Second, the company's representation that, "your private information is safe with us," was a false and deceptive statement under Section 5.

The consent order

Under the proposed settlement, Retina-X and Johns are forbidden from making any product or service that requires jailbreaking a mobile device. Additionally, the respondents are forbidden from distributing any monitoring apps unless they first obtain express written confirmation from the purchaser that it will use the monitoring app for lawful and legitimate purposes. The only three “lawful and legitimate” purposes are: a parent monitoring a minor child, an employer monitoring an employee who has provided express written consent and an adult monitoring another adult who has provided express written consent.

Unless the device user child under 13, Retina-X and Johns will have to configure the app to display a clickable application icon. Clicking the icon will provide the user with information on the function of the app, confirmation that the app is running, and the respondent’s contact information.

Retina-X and Johns must also destroy any information they collected from the monitoring apps. They are enjoined from further COPPA and FTC Act violations, and the respondents must prominently disclose on any monitoring app’s homepage and purchase page the fact that failure to use the app for a lawful and legitimate purpose may be a violation of the law.

Finally, the FTC ordered a granular and comprehensive security program that includes assessing, monitoring, and testing the respondents’ information safeguards to ensure their effectiveness. The program includes an assessment by an independent third party every two years and an annual certification to the FTC that Retina-X is in full compliance with the mandated program.

Public comment on the proposed consent agreement is open through Dec. 2.

Photo by ipse dixit on Unsplash