On October 22, 2019, the Federal Trade Commission reached a proposed settlement with the developer of three so-called “stalking” apps that enabled purchasers of the app to secretly monitor the mobile devices on which they were installed. Developer Retina-X Studios, LLC and its owner James N. Johns marketed the three apps—MobileSpy, PhoneSheriff, and TeenShield—as a means to monitor children and employees by sharing detailed information about these individuals’ smart phone activities, including their text messages and GPS locations. The FTC complaint alleges that the developer failed to ensure that the apps would be used for legitimate and lawful purposes, did not secure personal information collected from children and other users, and misrepresented the extent to which that information would be kept confidential.
While the FTC settlement represents its first case against developers of tracking apps, the complaint’s allegations rely on provisions of the FTC Act that are broadly applicable to companies that collect, store, and/or monitor users’ personal information, as well as the Children’s Online Privacy Protection Act (“COPPA”):
Unfair Act or Practice. Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Under the FTC Act, an act or practice is unfair if it causes or is likely to cause substantial injury to consumers, cannot be reasonably avoided by consumers, and is not outweighed by countervailing benefits to consumers.
The FTC complaint alleges that Retina-X substantially injured customers by undermining their mobile devices’ security features. Specifically, in order to install the apps, purchasers were required to bypass various restrictions provided by the mobile device’s operating system or manufacturer, a process called “jailbreaking” or “rooting” a device. Circumventing these restrictions can expose a device to security vulnerabilities. For example, a jailbroken phone often does not receive security updates.
In addition, the complaint alleges that Retina-X failed to take reasonable steps to ensure that the apps were used for a legitimate and lawful purpose, e.g., solely to monitor employees or children, resulting in substantial injury to the targeted users. As the FTC complaint and scholars have noted, domestic abusers and stalkers often turn to surreptitious monitoring apps to track victims’ physical movements and online activities.
Deceptive Act or Practice. According to the complaint, Retina-X misrepresented that personal information collected by the apps would remain confidential, private, and safe, in violation of the FTC Act’s prohibition on deceptive acts. The privacy policies for MobileSpy, PhoneSheriff, and TeenShield each state that “[i]t is company policy that our customer databases remain confidential and private.” Despite these assurances, Retina-X allegedly put users’ personal information at risk of unauthorized disclosure by outsourcing most of its product development to third-party service providers and by failing to perform adequate oversight of those providers. Furthermore, the complaint alleges that Retina-X did not adopt written information security standards and procedures or conduct security testing of the apps.
Violation of the COPPA Rule. The COPPA Rule applies to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Under the Rule, an operator with actual knowledge must establish reasonable procedures to protect the confidentiality and security of children’s personal information prior to its collection, disclosure, or use. Retina-X’s TeenShield app allegedly violated the COPPA Rule by collecting personal information from children under the age of 13 with actual knowledge and by failing to establish measures to ensure that their information would be kept safe.
The proposed consent order addresses these alleged violations by stipulating that Retina-X will adopt measures to prevent the unlawful use of the apps and to protect users’ information from unauthorized disclosure and use. These stipulations include:
Mobile Device Security and Registration Attestation. Under the proposed agreement, Retina-X may not require purchasers to “jailbreak” or “root” a mobile device in order to download the app. To ensure that the app is used for legitimate purposes, Retina-X must obtain an “express written attestation” from the purchaser that they will use the app for legitimate purposes, specifically, for parent-child or employer-employee monitoring or to monitor an adult who has provided their express written consent.
Notice. Retina-X must post a notice on the app’s website homepage and on the app’s purchase page informing purchasers that they may only use the app for legitimate and lawful purposes. The agreement also prohibits the developer from enabling purchasers to hide the app icon upon installation (to prevent the mobile device user from detecting that they are being monitored), unless the purchaser is the legal guardian or parent of a minor child and installs the app on that child’s device.
Data Security and Deletion. The proposed consent order requires Retina-X to implement and maintain an “information security program” to secure its networks, web and mobile applications, and databases from an unauthorized breach. Concomitant with this requirement, Retina-X must retain a third party to conduct information security assessments every other year to evaluate the information security program’s effectiveness and identify any weaknesses or gaps. The agreement also requires Retina-X to destroy all personal information collected by the monitoring apps every 120 days.
The FTC voted to issue the proposed administrative complaint and accept the consent agreement. The agreement is subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final.