Case Study 19.1: SpyFone and the FTC — First Action Against Stalkerware
Background
In September 2021, the Federal Trade Commission (FTC) announced a settlement with Support King, LLC — operating as SpyFone — the first major federal enforcement action specifically targeting a stalkerware company. The action required SpyFone to stop providing monitoring services and to delete all data it had collected from stalkerware installations on victims' devices.
The SpyFone case represents both a milestone in federal stalkerware accountability and a demonstration of the limits of regulatory action in this space. Understanding both dimensions is essential for thinking about how law and technology intersect in the context of intimate partner surveillance.
What SpyFone Did
SpyFone sold software that, once installed on a device, secretly collected data and transmitted it to the account of whoever had purchased the software. The data collected included:
- Real-time GPS location
- Text messages (SMS and app-based messaging)
- Call logs (numbers, duration, timestamps)
- Photos from the device's camera
- Browser history
- Social media activity
- Keystrokes (including passwords entered on the device)
- Email content
The software was designed to be invisible to the device owner. It did not appear in the app drawer, did not generate notifications, and actively attempted to avoid detection by security software.
SpyFone's marketing, prior to the FTC action, included advertising copy that explicitly promoted monitoring of intimate partners and spouses. The company's materials included testimonials from people who had used the product to discover a partner's infidelity or to "keep tabs" on someone. Materials specifically targeted by the FTC included an FAQ entry asking "Is it legal to spy on my spouse?", with an answer that characterized the legality as depending on the circumstances.
The FTC's Theory of the Case
The FTC brought its case under Section 5 of the FTC Act, which prohibits "unfair or deceptive acts or practices" in commerce. The FTC identified two primary theories of liability:
Unfair practices: SpyFone's product was designed to be installed without the device owner's knowledge, to operate covertly, and to facilitate surveillance that the device owner had not consented to. The FTC characterized this as inherently unfair — a product whose business model depended on enabling privacy violations and, in many cases, facilitating domestic abuse.
Deceptive practices: SpyFone's marketing made claims about the product's legality and its use cases that the FTC characterized as deceptive, in that they suggested the product could be legally used for partner monitoring in circumstances where such monitoring would violate state wiretapping and electronic surveillance laws.
The FTC complaint noted that SpyFone had itself been the subject of a data breach in 2018, in which a hacker accessed the SpyFone database and exposed data about 2,200 devices being monitored by the software — including the content of messages, photos, and location data about the people being stalked. The data breach exposed both the stalker-customers and their victims to additional risk. The FTC cited the breach as evidence that SpyFone had failed to provide adequate security for the highly sensitive data it collected.
The Settlement
The settlement required Support King/SpyFone to:
- Permanently cease providing monitoring services
- Delete all personal information collected from devices where the software had been installed
- Be banned from the mobile security surveillance business absent a prohibition order modification
- Notify the owners of devices on which SpyFone had been installed that the software had been present — giving stalking victims, potentially for the first time, notification that they had been monitored
This last requirement — victim notification — was unprecedented and was considered one of the most significant features of the settlement. The FTC required SpyFone to tell device owners, insofar as the company could identify them, that monitoring software had been on their devices. This notification created risks (some recipients might be in danger if their abuser learned they had been notified) and benefits (some recipients would learn for the first time that they had been stalked).
The FTC did not impose a financial penalty in the settlement — a feature that drew criticism from privacy advocates who argued that the absence of financial consequences reduced deterrence for other companies in the stalkerware space.
What the Action Did Not Accomplish
The SpyFone settlement, while significant as a precedent, left the broader stalkerware market largely intact:
The market continued: SpyFone was one of dozens of stalkerware products available at the time of the settlement. mSpy, FlexiSPY, Spyic, and many others continued to operate. The settlement against SpyFone did not create binding precedent that automatically applied to similar products; each would require its own enforcement action.
The dual-use problem persisted: The FTC's action targeted SpyFone's most explicit partner-monitoring marketing and its covert installation design. It did not address the broader category of apps that could be used for partner monitoring while marketing themselves primarily as parental control tools.
International limits: Many stalkerware products operate through companies headquartered outside the United States, beyond the FTC's jurisdictional reach. The commercial stalkerware market is global; U.S. regulatory action has limited reach over offshore operators.
App stores remained imperfect: Both Apple and Google had policies against stalkerware, but enforcement was inconsistent. After the SpyFone action, advocates noted that products with substantially similar functionality to SpyFone remained available through official app stores.
The Significance of the Case
Despite its limits, the SpyFone case was significant for several reasons:
Establishing the FTC's jurisdiction and interest: The case established that the FTC viewed stalkerware as an "unfair practice" subject to Section 5 enforcement. This framing opened the door for future actions against other stalkerware companies and created a legal foundation for advocacy to push for broader enforcement.
Victim notification as a remedy: The victim notification requirement was innovative and potentially more valuable to individual survivors than the business prohibition. Learning that stalkerware had been on a device is information that allows survivors to take protective action — changing accounts, securing communications, understanding the scope of what was monitored.
The data security dimension: The FTC's focus on SpyFone's data breach highlighted a surveillance problem within surveillance: stalkerware companies are themselves data security risks. A company that collects intimate surveillance data from thousands of devices — messages, photos, locations, passwords — without adequate security creates a second harm layer beyond the abuse it enables. The data can be breached, as SpyFone's was, exposing both abusers' identities and victims' private information.
The public record: The FTC complaint created a detailed public record of SpyFone's practices that other advocates, researchers, and reporters could use. Understanding the specific mechanisms by which stalkerware companies operated, marketed, and collected data was important for advocacy and for educating both survivors and technology professionals.
Analysis
The Limits of Individual Enforcement
The SpyFone case illustrates a general principle about regulatory enforcement against commercial surveillance: individual enforcement actions against specific companies, while valuable, do not address the structural conditions that make the market viable. SpyFone operated because there was demand for partner surveillance software, because that demand was sufficient to sustain a commercial business, and because the legal risk of operating such a business was low enough not to deter entry.
Addressing the structural conditions requires: comprehensive rules that apply to all stalkerware products, not just the ones that get caught; meaningful financial penalties that create deterrence; coordination between U.S. regulators and international counterparts; consistent app store enforcement; and investment in survivor resources and law enforcement training that increases the legal risk of using stalkerware, not just producing it.
The Intersection of Technology and Abuse
The SpyFone case makes visible what academic research on coercive control has established: technology is not merely incidental to contemporary intimate partner abuse — it is a primary tool of it. The National Network to End Domestic Violence has documented that technology abuse is present in the vast majority of domestic violence cases. Stalkerware is the most sophisticated form of this abuse, but it exists on a continuum with the more casual forms of partner surveillance examined in this chapter.
Treating stalkerware as a technology problem with a technology solution — catch the bad software, remove it, problem solved — misses the deeper issue. The technology is an expression of a relationship dynamic, and the relationship dynamic is what requires attention. Legal accountability, advocacy resources, and survivor support remain essential even when the technical fix is available.
Discussion Questions
- The FTC imposed no financial penalty in the SpyFone settlement. Privacy advocates argued this reduced deterrence. Make the case for a substantial financial penalty in stalkerware enforcement actions. What factors should determine the penalty amount?
- SpyFone's data breach exposed victim data as well as abuser account data. What obligations should stalkerware companies (if they are to be permitted at all) have to protect the data they collect? Is there a coherent answer to this question, given that collecting the data is itself harmful?
- The victim notification requirement in the SpyFone settlement was innovative but raised safety concerns. Design a notification protocol that maximizes information for survivors while minimizing escalation risk.
- The FTC had jurisdiction over SpyFone because it was a U.S. company. How should the international stalkerware market be addressed? What mechanisms are available for cross-border regulatory coordination?
- The chapter describes stalkerware as existing in a "legal grey zone." Based on the SpyFone case, evaluate whether the grey zone has narrowed. What would be required to eliminate it entirely?