The Federal Trade Commission has settled a lawsuit against CyberSpy Software, a company that makes the Remote Spy keylogging and remote monitoring program that can record keystrokes, passwords, and personal information, as well as log Internet and application use, email, screen captures, and just about anything else someone does on a computer. But the FTC’s settlement doesn’t result in CyberSpy paying any damages or penalties, or having to significantly alter its software or business practices. Instead, the company is merely restrained from marketing the software in ways that would be illegal…and that includes installing it on people’s computers without their knowledge, or providing instructions on how to do so.
Under the terms of the settlement, neither CyberSpy nor its resellers can advertise that the company’s keylogger software can be installed and hidden on someone’s computer without their consent. The settlement also requires that the software be altered to provide notice and obtain consent from a computer’s owner before the software can be installed. However, the software will not be required to give notice that it is operating once installed—meaning someone can still clandestinely install the software on someone else’s computer, and the keylogger would remain as undetectable as ever.
The final order does require CyberSpy alter their software to reduce mis-use through man in the middle attacks by encrypting the collected data it sends over the Internet. CyberSpy is also being required to ensure its affiliates comply with the order and remove older, non-compliant versions of the software both from distribution and from computers where it was previously installed.
The settlement follows a 2008 FTC suit against CyberSpy, which touted the Remote Spy keylogger program as “100 percent undetectable” and a way to spy on any Windows user. The company also provided instructions on how to disguise the software as a seemingly-innocuous image that could be attached to email; once naively opened, the spyware would install without the user’s knowledge.
Although there are potentially valid uses for keylogger programs—employers monitoring machines or employees with access to sensitive data, parents monitoring childrens’ Internet use, etc.—the potential for misuse and abuse is also tremendous. CyberSpy now alerts potential customers that installing the software without permission may be illegal…but that’s hardly much comfort to folks whose privacy has been willfully violated.
