Commercial spyware firm ordered to clean up its act


Long-term readers of the Clu-blog will recall the case of CyberSpy, the Florida firm that marketed a spyware program to those who wished to "spy on anyone, from anywhere".

CyberSpy was ordered to stop selling (and was then allowed to sell again) its RemoteSpy keylogging program, which made it simple for people to snoop on remote PCs without the knowledge of their true owners.


When innocent internet users clicked on the disguised file, the RemoteSpy code would install itself silently onto the victim's computer, monitoring every keystroke, email and instant message, and making a record of every website visited. I'm sure many of you can imagine why that may not be what you want to happen to your PC.

Well, it looks like the battle between the US Federal Trade Commission and CyberSpy is finally over - with a win for the feds, who have ordered the Orlando-based company to rewrite its keylogging software, and change the way it markets its product.

In summary:

  • CyberSpy will no longer be able to advertise that their spyware can be disguised and installed on someone else's computer without the owner's knowledge.
  • The software must now notify the user that the program has been downloaded, and ask the computer owner for permission to install it.
  • The company can no longer provide purchasers with the means to disguise the product. (In the past, an invisible installer for RemoteSpy could be installed onto a victim's computer by disguising it as an innocuous file, such as a photo, and sending it as an email attachment.)
  • CyberSpy will be required to inform their customers that improper use of the software may break the law.
  • CyberSpy must ensure that any data it collects from a computer is encrypted before being transmitted across the internet.
  • The company must remove legacy versions of its software from computers on which it was previously installed. I wonder how that's going to be handled? Could be quite a challenge...
  • Finally, CyberSpy has been told that it must police its affiliates to ensure that they also comply with the order. That's an important element, as we see plenty of dubious software packages being promoted unethically or illegally in exchange for a few dollars' worth of commission.

CyberSpy, of course, isn't the only business working in this apparent "grey" area between legitimate and illegitimate software. Often the products are marketed as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, rather than more traditional identity theft - but it's clear that they can be used with a wide variety of motives.


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.