The Federal Trade Commission scored a victory over spyware with a recent settlement with a company that will prohibit it from marketing its keylogging software as a “100 percent undetectable” way to “Spy on Anyone, From Anywhere.”
The FTC brought an action against CyberSpy Software, LLC and its owner, Tracer R. Spence, two years ago seeking to enjoin the defendants from selling RemoteSpy, a keylogger spyware program, and showing customers how to remotely install it on other people’s computers without their knowledge or consent.
According to the FTC complaint, the defendants allegedly provided their clients with detailed instructions explaining how to disguise RemoteSpy as an innocuous file attached to an e-mail. When the recipient clicked on the attachment, the program allegedly was downloaded and installed without the recipient’s knowledge.
The defendants argued that RemoteSpy was meant to be used by people who wanted to monitor their own computers to keep tabs on their employees or children.
The U.S. District Court for the Middle District of Florida entered a preliminary injunction on November 25, 2008. The court found “[t]he ability of RemoteSpy to invade the privacy of an unsuspecting victim is, indeed, alarming. And it is to this use that defendants direct their promotional and instructional materials. In light of these marketing efforts, the potential for devastating abuse far outweighs the possibility of benign use.”
The Stipulated Order and Final Judgment (“Order”) settling the case does not prohibit the defendants from selling RemoteSpy or other similar programs, but establishes several restrictions on how the program may be marketed and used. Pursuant to the Order, in order to continue selling RemoteSpy defendants must:
- not assist purchasers in falsely representing that the software is an innocuous file;
- cause an installation notice to be displayed which must include a description of the nature and function of the program and to which the user must expressly consent;
- cause an icon to appear in the task bar on the user’s desktop when the software is running, unless the icon is disabled by a person with administrative rights to the computer;
- inform purchasers that improper use of the program may violate state or federal law;
- take measures to reduce the risk that the spyware is misused, including license monitoring and policing affiliates;
- encrypt data collected by the program that is transferred over the internet; and
- remove legacy versions of the software from computers on which it was previously installed.
The FTC’s enforcement action is a lesson to companies selling products with both benign and potentially harmful uses: marketing the product’s potentially harmful uses may lead to more sales, but it will also lead to more scrutiny.