Franken Renews Push To Make Tracking Apps Illegal Following mSpy Data Breach
Following reports the makers of the monitoring and safety application mSpy encountered a data breach, questions were raised by privacy advocates, security experts and Sen. Al Franken, D-Minn., about the safety of spying software apps, including those designed to allow parents to monitor their children's activities. Franken said tracking apps have a “striking” similarity to stalking apps used by domestic abusers and stalkers to “continuously and secretly spy on victims’ electronic communications, movements, and whereabouts,” and encouraged the FTC and Department of Justice to support his Location Privacy Protection Act, which would “put an end to these appalling apps that allow abusers to secretly track their victims,” a news release said.
MSpy’s data breach was reported by KrebsOnSecurity’s Brian Krebs in a May 15 blog post. Krebs reported an anonymous source shared a link to a Web page reachable only via Tor. Data posted on the Web page included emails and text messages, plus payment and location data, on an undetermined number of mSpy users, Krebs said. The unknown hackers who claimed responsibility for the breach left a message saying the data dump included information on more than 400,000 users and included personal information like photos, calendar data, corporate email threads and Apple IDs and passwords, Krebs said.
Franken urged the DOJ and FTC to investigate mSpy’s data breach. In a letter to Attorney General Loretta Lynch and FTC Chairwoman Edith Ramirez Tuesday, Franken asked the agencies to look into the company and take action to protect consumers, and said such apps should be banned. “Every American has a fundamental right to privacy, which includes the right to control whether and with whom personal, sensitive information -- including location data -- is being shared,” Franken wrote. “We need to take a comprehensive approach to protecting the sensitive information of consumers,” and “update our laws to make sure that stalking apps cannot continue to operate in any form,” he said.
A spokeswoman for mSpy confirmed the company suffered a breach and told us mSpy has “never put the safety of our users’ data at risk.” But mSpy has received “frequent threats of similar nature, pursuing financial gain ‘or else,’” she said. The company never has and never will “fall for provocations of 3rd parties” and pays “close attention to each and every ‘hacking’ threat, making sure it doesn’t have reasonable grounds,” the spokeswoman said.
MSpy’s “discreet software” is the most popular “monitoring and safety application in the market,” with millions of users according to its website. The app works by “tracking all activity in the background of the monitored phone including GPS location, Web history, images, videos, email, SMS, Skype, WhatsApp, keystrokes,” text messages, call history, calendar information and IM chats, mSpy said. The app can be installed in 5-10 minutes and doesn't notify users they're being monitored, mSpy said.
To install mSpy’s tracking app, a user doesn’t necessarily need to be in physical possession of the device, the company said. A user who buys mSpy Without Jailbreak and has the mobile user’s iCloud credentials, the company said, doesn't need to physically access the phone. But mSpy for a jailbroken iOS phone or tablet will require a user to physically access a device for 5 to 15 minutes for a successful installation, the company said.
“Mobile spyware is very easy to install if the actor has physical access to the victim’s mobile,” SecurityAffairs founder Pierluigi Paganini said: “More sophisticated spyware and mobile RAT (Remote Access Trojan) could be also served with a targeted phishing attack that could exploit for example a malicious email as an attack vector.”
“The principal problem related to commercial surveillance apps is that in many cases they lack security by design,” Paganini said. Surveillance apps easily can be hacked in several ways and some lack encryption, “so their traffic could be eavesdropped by bad actors,” he said. The majority of the time these apps are purchased by people with limited knowledge of basic computer security, who use default configurations or weak passwords to access the administration console, Paganini said.
In March, mSpy sent a story pitch to Krebs, which said 40 percent of the company’s users are parents “interested in keeping tabs on their kids,” Krebs said. “Assuming that is a true statement, it’s ironic that so many parents have now unwittingly exposed their kids to predators, bullies and other ne’er-do-wells thanks to this breach,” Krebs said.
Electronic Privacy Information Center Consumer Protection Counsel Julia Horwitz said she doesn’t think it’s illegal for a parent to monitor a child’s activity, but said there are sector-specific privacy laws, such as the Children’s Online Privacy Protection Act and the Health Insurance Portability and Accountability Act, that forbid collection of certain types of information. It’s almost always illegal to track another person, Horwitz said, pointing to the Supreme Court’s ruling in U.S. v. Jones, which said law enforcement can’t put a tracker on a car without probable cause and a warrant. Whether it’s legal for employers to hand out devices like FitBits or phones with GPS trackers is up in the air right now, Horwitz said. EPIC’s perspective is that it’s unacceptable, she said.