FTC Enforcement Action May Open Way for Punishment of Hacker Tools

An FTC suit against a software developer may open the door for prosecution of hacker tools

On Oct. 22, the U.S. Federal Trade Commission (FTC) settled an enforcement action against a software developer because its software could be used by users for purposes that would invade privacy. The government filed a complaint against a company called Retina-X, which developed three mobile device apps that allowed purchasers to install the software on their own devices to monitor other people’s use of that device.

The apps, called MobileSpy, PhoneSheriff and TeenShield, were all designed (or at least marketed) to permit parents to monitor the activities of their children by having the parent install the app on phones that the parent owned or controlled. By default, these apps disclosed to the device user that they were being monitored (e.g., an icon on the monitored mobile device), but the device owner could turn off this warning.

To install the software, the phone owner had to “jailbreak” or “root” the device, which would make the phone less secure. It was not clear, however, from the FTC complaint whether the apps would continue to operate if the devices were un-jailbroken and, even though a user might not know that the software was installed, it’s pretty difficult to hide the fact that a phone has been jailbroken. The FTC concluded that parents would not jailbreak a phone to install this software “when many other monitoring products are available in the marketplace that do not require jailbreaking or rooting” and faulted Retina-X because the company “did not take any steps to ensure” that purchasers would use the software to monitor kids. The commission also asserted that the data collected by the app was not adequately protected by Retina-X.

So let’s break that down. The software is “deceptive and unfair” because it required a jailbreak to install, did not have any measures to prevent someone from using it in a manner other than how it was marketed and sold, and because the warnings that monitoring was enabled could be turned off by the owner of the device.

Exactly how is that different from any other software that collects personal data (jailbreak excepted)?

Is Spyware Illegal?

One of the questions raised by the FTC action is whether the broad category of software, hardware, applications and devices we can call “spyware” is illegal. This includes any application or device that collects data (not just PII) without the knowledge and consent of the user of the device. That would include applications and devices used to monitor internet traffic, user behavior, logins, access, uploads and downloads, etc.—you know, stuff we use every day. So, is it legal?

Magic 8 Ball says: Situation murky. Ask again later.

The problem here is that various laws, including the federal wiretap and electronic surveillance laws, make it unlawful to “intercept” communications either in transmission or in “electronic storage” except in specific circumstances, such as under a warrant or other court order, as a provider of electronic or other communications services where the monitoring is done “in the ordinary course of business,” or with the consent—express or implied—of at least one party to the communication. Privacy laws, including the interpretation of the FTC’s enabling legislation prohibiting “deceptive or unfair” trade practices, have been interpreted as preventing certain data collections without the consent of the person from whom the data is collected.

Thus, to vastly oversimplify these laws, the keystone here is consent. Does the person or persons whose data is being collected (or whose conversations are being intercepted) know that the data is being collected and meaningfully consent to the collection of that data? If yes, the collection is likely OK (at least under U.S. federal law, but not so much under laws such as CCPA and the EU GDPR, which rely on the collection to have a “lawful basis”). If no, probably not.

The old joke about the Thermos being the smartest thing ever created because it keeps hot foods hot and cold foods cold and how does it know which is which, applies equally to data collection and analytics tools. While a company may use an analytics engine to examine data flowing through its system, the developer does not know whether any or all of the users of the system on which the engine is applied have actually consented to the collection of the data.

How Can Software Be (Mis)Used?

The key problem with making software developers liable for those who use their software is that the developer has little control over who uses the software or how it is used. A federal law, 18 USC 2512, makes it a crime to “manufacture, assemble, possess, or sell any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications.” Indeed, in 2005, Carlos Enrique Perez-Melara, the developer and marketer of the “LoverSpy” software, was indicted by a federal grand jury in San Diego on precisely these charges.

Problem is, many software tools—and surveillance tools—have dual uses. If used with authorization and consent, they can be used to protect children, investigate crimes, prevent fraud and protect data and networks. This includes hacker tools, monitoring tools, data analytics tools and the like. The very same tools can be used to invade privacy (in an unwarranted or unlawful way) or to probe networks for vulnerabilities with the intent to unlawfully exploit them. A hammer can be used to build or tear down a house. As the inimitable Tom Lehrer said about German rocket scientist (and former Nazi collaborator-turned-NASA scientist) Wernher von Braun, “‘Once the rockets are up, who cares where they come down? That’s not my department,’ said Wernher von Braun. ‘I just build the software.’”

Finding software developers liable—whether civilly or criminally—for others’ use of their products or services is a dangerous precedent. It potentially can be used to prosecute developers of scanners, pen-testing software, hacker tools, AI products and anything that can be used or misused to collect data or invade privacy. It’s not that it’s not appropriate in very limited situations. It’s that it is a dangerous tool.

Magic 8 Ball says: Outlook not so good.

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.