A U.S. District Court for the Middle District of Florida recently issued a preliminary injunction ordering CyberSpy Software, LLC to stop promoting and selling “RemoteSpy,” a keylogger software program that, once installed on a computer, collects information regarding use of the computer.
Specifically, RemoteSpy collects information regarding keystrokes typed, websites visited, images viewed and passwords used on a computer. Through marketing and instructional materials, CyberSpy provided its clients with information on how to remotely deploy the program by concealing it as a seemingly innocuous e-mail attachment to mislead a computer user into installing the software on his or her computer. RemoteSpy then would upload the collected information to CyberSpy servers, which clients could access by logging onto a CyberSpy website.
Prompted by a complaint and request for investigation from the Electronic Privacy Information Center (“EPIC”), the FTC brought suit against CyberSpy alleging that the promotion and sale of RemoteSpy constituted unfair and deceptive trade practices in violation of Section 5 of the FTC Act. According to the FTC, RemoteSpy was “likely to cause substantial injury to consumers that cannot be reasonably avoided and is not outweighed by countervailing benefits to consumers or corporations.” CyberSpy claimed that its software had legitimate uses, such as a parent monitoring a child’s computer use. The FTC, however, argued that CyberSpy wrongfully provided guidance to its clients on how deceive people into installing the software.
In issuing the preliminary injunction, the district court found that the sale of RemoteSpy was likely to cause substantial harm to consumers from possible identity theft and creates a danger to the health and safety of individuals. Characterizing the risks posed by RemoteSpy as “alarming,” the court stated that “[t]he clandestine remote installation of RemoteSpy on the computer of an unrelated person is fraught with potential abuse.”
Moreover, the court highlighted CyberSpy’s role in advancing the likelihood of such abuses through its marketing materials, which instructed people on how to invade the privacy of unsuspecting victims. The court noted that the defendants specifically marketed RemoteSpy as a way to collect information remotely from a computer without the knowledge or authorization of the owner or user of a computer. In fact, CyberSpy claimed that RemoteSpy was “100% undetectable” and encouraged the use of “stealth” e-mails to disguise the identity of the person attempting to install RemoteSpy. Thus, the court found that “[i]n light of these marketing efforts, the potential for devastating abuse far abuse far outweighs the possibility of benign use.”
Nevertheless, the court did not bar the sale of RemoteSpy entirely. Rather, it enjoined the marketing and sale of RemoteSpy “by means of informing or suggesting to customers that it may be, or is intended to be, surreptitiously installed on a computer without the knowledge or consent of the computer’s owner . . . .” In addition, CyberSpy cannot misrepresent to clients that RemoteSpy is an innocuous program.
The FTC is seeking a permanent bar on the sale of RemoteSpy and disgorgement of CyberSpy’s ill-gotten gains.