FTC upholds ban on stalkerware founder Scott Zuckerman

A stalkerware maker banned from the surveillance industry after a data breach exposed the personal information of its customers as well as the people it spied on will not be able to go back to selling the invasive software, according to the US Federal Trade Commission.

The FTC rejected a request to overturn that ban made by Scott Zuckerman, founder of consumer spyware company Support King and its subsidiaries SpyFone and OneClickMonitor.

On Monday, the FTC announced the denial in a press release after Zuckerman asked the federal watchdog to rescind or modify the ban in July of this year.

In 2021, the FTC banned Zuckerman from “offering, promoting, selling, or advertising any tracking application, service, or business,” effectively barring him from running another stalkerware business. The agency also ordered Zuckerman to delete all data collected by SpyFone, as well as submit to frequent audits and establish certain cybersecurity practices for his businesses.

“SpyFone is a brazen name for a surveillance business that helped stalkers steal private information,” said Samuel Levine, then acting director of the FTC’s Bureau of Consumer Protection. “Stalkerware was hidden from device owners, but fully exposed to hackers exploiting the company’s lackluster security.”

In his reportZuckerman claimed the security requirements of the FTC order have made it difficult for him to run his other businesses due to financial costs, despite the fact that Support King is no longer in business and now only runs one restaurant and plans other “tourism businesses” in Puerto Rico, according to the report.

When reached by email, Zuckerman declined to comment and referred questions to his attorney.

The FTC ban stemmed from an incident in 2018 when a security researcher found an Amazon S3 bucket belonging to SpyFone that left highly sensitive data—including selfies, text messages, chat app messages, recordings, contacts, location, hashed passwords and logins, and more—exposed online for anyone to see and access.

The exposed data included 44,109 unique email addresses and, according to the researcher who discovered the breach, “at least 2,208 current ‘customers’ and hundreds or thousands of photos and audio in each folder” from 3,666 phones that had the SpyFone stalkerware installed.

Less than a year after the FTC order in 2021, TechCrunch reported that Zuckerman appeared to be running another stalkerware company. In 2022, TechCrunch obtained a batch of compromised data from the stalkerware app SpyTrac. The data revealed that SpyTrac was run by independent developers with direct ties to Support King, in what appeared to be an attempt to circumvent the FTC ban. In addition, the compromised data included files from SpyFone, which Zuckerman was ordered to delete, and keys to access the cloud storage of OneClickMonitor, another of his stalkerware applications.

Eva Galperin, a prominent stalkerware expert, celebrated the news. “Mr. Zuckerman clearly hoped that if he laid low for a few years, everyone would forget why the FTC issued a ban not only against the company, but specifically against him,” Galperin told TechCrunch.

TechCrunch’s revelation in 2022 that Zuckerman apparently violated the FTC ban “suggests that Zuckerman has not learned his lesson,” added Galperin, who is director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation.

Stalkerware apps allow their customers to secretly spy on their loved ones phones and devices. In addition to enabling potentially illegal activities, in the past eight years, there have been at least 26 stalkerware companies that have been hacked or left sensitive data exposed online, by TechCrunch’s count. These repeated incidents show that these companies have repeatedly failed to protect the privacy of their customers, as well as the people they spy on.