FTC Brings First Case against Developers of "Stalking" Applications
TOPICS: Data Protection, Data Security, Dual-Use App, COPPA, FTC, US
The Federal Trade Commission ("FTC") has settled a case against Retina-X Studios, LLC ("Retina-X") and its owner, which developed three "stalking" applications for mobile devices. Following the settlement, the developers will be barred from promoting, selling or distributing any monitoring applications, unless they take certain steps to ensure the legitimacy of use and the security of their users.
Retina-X, a US-based company, developed and sold three different monitoring applications, which enabled purchasers to secretly monitor another person's mobile device or computer activities. The applications were marketed as tools to monitor children or employees, enabling clients to capture information such as geolocation, call history, photos, browser history, screenshots and text messages. To install the application, purchasers were often required to "jailbreak" the mobile device in order to circumvent security protections implemented in the operating system.
According to the FTC's allegations, Retina-X did not take any actions to ensure that the applications were used only for the purpose of monitoring children or employees. Consequently, Retina-X had breached the Federal Trade Commission Act ("FTC Act") provisions against unfair and deceptive practices. In addition, it violated the Children's Online Privacy Protection Act ("COPPA"), by not implementing appropriate safeguards to protect the personal information collected from children under the age of 13. The FTC also alleged that Retina-X had deceived its users by publicly claiming that the personal information of its users was safe, although hackers were in fact able to access the company's cloud storage twice between February 2017 and 2018.
The settlement states that Retina-X and its owner will be restrained from promoting, selling or distributing monitoring products unless they comply with certain requirements, including that: (i) the monitoring applications will be used for monitoring of children only by their legal guardians; (ii) the monitoring of adults would be subject to express written consent by the monitored adult; (iii) the purchaser of the application must provide Retina-X with an express written attestation stating the purpose of using the application; and (iv) the monitoring application shall not require circumventing the security protection implemented by the mobile device's operating system. Moreover, the application must be visible to the user that is being monitored and provide information regarding the stalking entity.
Retina-X shall provide potential purchasers with a notice stating that the applications must only be used for legitimate and lawful purposes. The notice shall appear on the homepage of any website advertising the products and prior to the completion of the sale of any monitoring products. In addition, Retina-X must delete any personal data collected prior to the settlement and must not sell or transfer any personal data, unless it implements and maintains a comprehensive security program, which shall include periodic risk assessments, external audits and the implementation of safeguards.
This settlement marks a continued tendency of the FTC to focus on privacy-related enforcements. However, this case is the first of its kind as it brings charges against a developer of an app that could be used both for legitimate and illegitimate purposes. The FTC explained in a press release that although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses. Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous
We will be happy to advise our clients with respect to the practical implications of this case.
This update was published as part of our Technology & Regulation monthly client update.