Would you hand over your smartphone, including your call history, text messages, photos, GPS locations, and browser history to your employer? To your significant other? How about to a random stranger? I’m guessing your answer is an overwhelming “No” to each of these questions.

Stalkerware and stalking apps do just that. Both are spyware that secretly monitors your smartphone. In its first case against the developer of a stalkerware app, the Federal Trade Commission (FTC) recently announced a settlement with Retina-X Studios, LLC. Retina-X developed several apps (MobileSpy, PhoneSheriff and TeenShield) that shared detailed information about a user’s smartphone activities.

The FTC filed a complaint against Retina-X, alleging that the company’s apps didn’t do enough to make sure users were using the apps for legitimate purposes. According to the FTC, in order to install the apps, users had to weaken the security on the phone (i.e., jailbreak it). The FTC further alleged that the company failed to keep data confidential and safe.

The settlement requires Retina-X to ensure that its apps are only used for legitimate purposes. The settlement also states that Retina-X shall not require circumventing security protections implemented by the mobile device manufacturer (no jailbreaking allowed). Prior to the sale of an app, Retina-X must also “obtain a written attestation from the purchaser that it will use the Monitoring Product or Service for legitimate and lawful purposes by authorized users.”

The express written attestation must state the legitimate and lawful purpose for which the purchaser is using the device, which may include only the following:

  1. Parent monitoring a minor child;
  2. Employer monitoring an employee who has provided express written consent to being monitored; or
  3. Adult monitoring another adult who has provided express written consent to be monitored.

The FTC also took issue with what it alleged was Retina-X’s lack of adequate privacy protections regarding data collection. The settlement states that Retina-X is “permanently restrained and enjoined from misrepresenting, expressly or by implication, the extent to which Respondents maintain and protect the privacy, security, confidentiality, or integrity of Personal Information.” Finally, the settlement requires that within 120 days, “Retina-X must destroy all Personal Information collected from a Monitoring Product or Service prior to entry of this Order.”

The FTC website has useful tips on how to remove spyware as well as information for victims of domestic violence.