Sophos Cloud Optix
In the US, it’s a federal crime to sell spyware.
To adhere to the legal side of the line, monitoring apps have to be marketed at employers who want to keep an eye on their workers, or guardians who want to watch over their kids.
But one company, StealthGenie, made no bones about its target audience being jealous people.
So on Tuesday, we saw the first-ever criminal conviction concerning the advertisement and sale of a mobile device spyware app.
The Department of Justice announced that the creator of StealthGenie, 31-year-old Danish citizen Hammad Akbar, had pleaded guilty to advertising and selling StealthGenie.
After accepting the guilty plea, the court immediately sentenced Akbar to time served – he was arrested in September – and ordered him to pay a $500,000 fine.
He was also ordered to turn over the source code for StealthGenie to the government.
Akbar was indicted in the US state of Virginia in October on federal wiretapping charges of creating and distributing a known interception device.
StealthGenie had been used to intercept email, images, video, phone calls, texts and other communications on mobile phones, and to turn a mobile device into a bug that can pick up sound in a 15-foot (4.5m) radius around a target, while being undetectable by the average user.
According to court documents, StealthGenie said right upfront in its business plan that partner-stalkers were its target market, or in spyware-speak the “spousal cheat” market:
This business plan ... stated that the first target population for the marketing of the app was "[s]pousal cheat: Husband/Wife of boyfriend/girlfriend suspecting their other half of cheating or any other suspicious behaviour or if they just want to monitor them."
This so-called “spousal cheat” market would constitute 65% of buyers, according to that business plan:
According to our market research[,] the majority chunk of the sales will come from people suspecting their partners to be cheating on them or just wanting to keep an eye on then [sic].
But as advocates for the victims of domestic violence will tell you, stalkers and abusers often use these type of apps to track their victims.
Prosecuting users of spyware isn’t unheard of. In October, a California woman was charged with planting spyware on the phone of a police officer who was also her ex-husband.
But prosecuting one of the makers of such spyware is new.
At the time Akbar was indicted, Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation, told Wired that it’s not enough to hold spyware users accountable:
The government is trying to say it’s not enough that the users are responsible, but that the maker is an enabler of this privacy invasion and are potentially liable.
Following Akbar’s sentencing, US Attorney Dana J. Boente of the Eastern District of Virginia confirmed that law enforcement has no plans to shy away from prosecuting spyware makers:
The product allowed for the wholesale invasion of privacy by other individuals, and this office in coordination with our law enforcement partners will prosecute not just users of apps like this, but the makers and marketers of such tools as well.
So how do you know if there’s spyware on your phone? Here are some answers to a couple of commonly asked questions:
Can spyware such as StealthGenie be installed without physical access to the phone?
Not usually. Stalkers need access to the phone, if just for a few minutes, to install spying apps like StealthGenie or mSpy.
As far as security software goes, these apps often get classified as “Potentially Unwanted Apps” (PUAs) rather than as malware, given that, typically, they’re manually installed, and somebody’s agreed to their terms.
“Somebody” doesn’t mean the phone’s owner/user, mind you. A stalker or abuser can check the box to say “yes, please snoop on this phone” for you.
And again, these apps can be legally used for parental tracking of children, employee monitoring (preferably with informed consent), or tracking down a lost or stolen phone.
All of that means that spyware apps often can’t really be defined as malware, regardless of how dangerous they can be in the wrong hands or how easy it is to use the apps for illegal purposes.
How can I detect if somebody’s installed spyware on my phone?
Unfortunately, it can be hard to do. Increased battery drain, storage or data usage might indicate something’s up, but how many of us average people have the time, or the know-how, to check such things?
Best advice? Don’t let anyone near your gadget. If only you have access to it, then only you know what apps you have on it.
It’s hard to see how they could prosecute Akbar, the producer of the product, since it does have substantial legal uses, e.g., employee and child surveillance. An illegal use of this product requires criminal intent to do harm. The manufacturer of this product has no control over such use.
Prosecuting the manufacturer is like prosecuting the manufacturers of handguns because some users abuse them. The 2004 Federal Gun Industry Legal Shield Law inhibits such prosecution (see bradycampaign.org).
Sustaining a law like this opens the door for a law banning the sale of kitchen knives, since they can also be used for nefarious purposes over which the producer has no control.
Perhaps the DoJ bullied Akbar into an undeserved conviction; a couple of months in the slammer without bail would do it. That’s something one might expect of a third world country, not the United States.
The manufacturers of firearms have to comply with quite a number of related regulations pertaining to manufacture, licensing, advertising, supply, shipping and so on…do they not?
And those who sell firearms also have a raft of regulations to follow.
I suspect that even in so-called “gun friendly” states, manufacturers who deliberately advertised their products as ideal for criminality, who aided vendors in bypassing registration or waiting-period requirements, who supplied firearms without a record of manufacture (e.g. serial number), and and so on, would be in a world of trouble.
(Some countries do control the sale of things like kitchen and craft knives, BTW. Maybe not terribly strictly, but it’s not a free-for-all to purchase them. They’re not banned, but there are regulations surrounding both their sale and use. Circumventing or flouting those regulations is punishable as a crime.)
Akbar didn’t do himself any favours by having stalkers as his main business plan:
This business plan … stated that the first target population for the marketing of the app was “[s]pousal cheat: Husband/Wife of boyfriend/girlfriend suspecting their other half of cheating or any other suspicious behaviour or if they just want to monitor them.”
If he would have marketed it differently would he have been charged is the question in my mind?
Try setting up a phone shop and advertising that you have “low-cost mobile phones, pre-paid and contract”.
In a competitive market, you might struggle to get attention.
Try setting up a phone shop and advertising that you have “burner phones pre-registered to bogus addresses”.
You won’t struggle for attention at all, though it might not quite be the sort you had in mind 🙂
At least StealthGenie required physical access to the target phone. The NSA downloads their spyware directly from the nearest cellular tower and even switches off the encryption.