On November 25, the Federal Trade Commission successfully obtained injunctive relief under the FTC Act, freezing all sales of RemoteSpy, keylogging software designed to allow individuals to spy on other computer users. According to the ruling from the United States District Court for the Middle District of Florida, CyberSpy Software, LLC, the makers of RemoteSpy, provide instruction to consumers on how to trick other users into installing the software on their workstations. Once installed, the software sends information, including keystrokes, passwords, and visited URLs, to CyberSpy's servers, where it can be retrieved by the consumer who purchased the software license. The court found that sale and operation of RemoteSpy was likely to cause financial harm to consumers, including as the result of identity theft, and endangered consumers' health and safety. Further, the likelihood of harm outweighed any potential legitimate uses, such as by parents wishing to monitor their children's computer use. In particular, the court held that "[t]he ability of RemoteSpy to invade the privacy of an unsuspecting victim is, indeed, alarming. And it is to this use that Defendants direct their promotional and instructional materials. In light of these marketing efforts, the potential for devastating abuse far outweighs the possibility of benign use. As part of the preliminary injunction, CyberSpy was enjoined from "promoting, selling, or distributing RemoteSpy, or its equivalent, by means of informing or suggesting to customers that it may be, or is intended to be, surreptitiously installed on a computer without knowledge or consent of the computer's owner...." The ruling puts software developers on notice that documentation and promotional materials can give rise to liability under the FTC Act for unfair and deceptive trade practices, even where the developer may have no actual knowledge of how its software is being used by consumers. A copy of the court's ruling and the FTC's press release can be found at http://www.ftc.gov/os/caselist/0823160/index.shtm.
- How-to guide How-to guide: How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity (USA)
- How-to guide How-to guide: How to develop, implement and maintain a US information and data security compliance program (USA)
- How-to guide How-to guide: How to determine and apply relevant US privacy laws to your organization (USA)