FTC issues its first ban on 'stalking' apps

It's the agency's first case against a developer of apps made to monitor children and employees.

The FTC has prohibited Florida-based company Retina-X Studios from promoting and selling its apps, which were designed to monitor employees and children. That is, unless and until the developer can ensure those apps will only be used for legitimate purposes. Andrew Smith, the director of the FTC's Bureau of Consumer Protection, said it's the agency's first action against "stalking" apps. He added that "although there may be legitimate reasons to track a phone, [the company's] apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses."

The FTC's decision affects three applications in particular: MobileSpy, created to keep an eye on employees' and kids' devices, as well as PhoneSheriff and TeenShield, which were specifically designed to monitor kids' phones. Retina-X sold 15,000 subscriptions for its apps before it stopped selling them last year.

Retina-X apps bypass Android and iOS security restrictions, the agency explained, allowing them to collect sensitive data and exposing the devices to security vulnerabilities. The developer also didn't bother to ensure the apps were truly being used to track employees and children. That makes them a potential tool for spying, especially since the company provides purchasers with instructions on how to prevent the app's icon from showing up on the phone screen.

In addition, the FTC accused the company of failing to keep collected information secure. A hacker was able to break into its cloud storage account twice between February 2017 and 2018, accessing data collected through PhoneSheriff and TeenShield, which includes logins, text messages, GPS locations, contacts and photos. Since those apps were made to monitor kids, the FTC also accused Retina-X of violating the Children's Online Privacy Protection Act (COPPA) that requires companies to secure the information they collect from children under 13.

The developer can only resume selling its apps and subscriptions if it requires purchasers to prove that they will be used to monitor children, employees or other consenting adults. Further, the apps' icons and names must be visible on the phone screen, unless it's a parent or a legal guardian deleting them from a minor's device. The company must also launch and maintain a security program to protect the personal information it collects, subject to third-party assessments every two years.