Long-term readers of the Clu-blog will recall the case of CyberSpy, the Florida firm that marketed a spyware program to those who wished to "spy on anyone, from anywhere".
When innocent internet users clicked on the disguised file, the RemoteSpy code would install itself silently onto the victim's computer, monitoring every keystroke, email and instant message, and making a record of every website visited. I'm sure many of you can imagine why that may not be what you want to happen to your PC.
Well, it looks like the battle between the US Federal Trade Commission and CyberSpy is finally over - with a win for the feds, who have ordered the Orlando-based company to rewrite its keylogging software, and change the way it markets its product.
- CyberSpy will no longer be able to advertise that their spyware can be disguised and installed on someone else's computer without the owner's knowledge.
- The software now has to notify the user that the program has been downloaded, and ask the computer owner for permission to install it.
- The company can no longer provide purchasers with the means to disguise the product. (In the past, an invisible installer for RemoteSpy could be installed onto a victim's computer by disguising it as an innocuous file, such as a photo, and sending it as an email attachment.)
- CyberSpy will be required to inform their customers that improper use of the software may break the law.
- CyberSpy must ensure that any data it collects from a computer is encrypted before being transmitted across the internet.
- The company must remove legacy versions of its software from computers on which it was previously installed. I wonder how that's going to be handled? Could be quite a challenge.
- Finally, CyberSpy has been told that it must police its affiliates to ensure that they also comply with the order. That's an important element, as we see plenty of dubious software packages being promoted unethically or illegally in exchange for a few dollars' worth of commission.
CyberSpy, of course, isn't the only business working in this apparent "grey" area between legitimate and illegitimate software. Often the products are marketed as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, rather than more traditional identity theft - but it's clear that they can be used with a wide variety of motives.