Support King, LLC (SpyFone.com); Analysis of Proposed Consent Order To Aid Public Comment, 50357-50359 [2021-19388]
Download as PDF
<![CDATA[
Federal Register / Vol. 86, No. 171 / Wednesday, September 8, 2021 / Notices
instructions to each of the other reports
is mandatory.
Certain information collected on the
FR Y–9C and FR Y–9SP Reports is kept
confidential by the Board. The following
items may be kept confidential under
exemption 4 of the Freedom of
Information Act (FOIA) because these
data items reflect commercial and
financial information that is both
customarily and actually treated as
private by the respondent: 16
• FR Y–9C, Schedule HI, memoranda
item 7(g), ‘‘FDIC deposit insurance
assessments;’’
• FR Y–9C, Schedule HC–P, item 7(a)
‘‘Representation and warranty reserves
for 1–4 family residential mortgage
loans sold to U.S. government agencies
and government sponsored agencies;’’
• FR Y–9C, Schedule HC–P, item 7(b)
‘‘Representation and warranty reserves
for 1–4 family residential mortgage
loans sold to other parties;’’
• FR Y–9C, Schedule HC–C, Part I,
Memorandum items 16.a and 16.b, for
eligible loan modifications under
Section 4013 of the 2020 Coronavirus
Aid, Relief, and Economic Security Act;
and
• FR Y–9C, Schedule HC and FR Y–
9SP, Schedule SC, Memoranda item
2.b., the name and email address of the
external auditing firm’s engagement
partner.17
In some circumstances, disclosing
these data items may also reveal
confidential examination and
supervisory information protected from
disclosure under exemption 8 of the
FOIA.18 The Board has previously
assured submitters that these data items
will be treated as confidential.
In addition, the Chief Executive
Officer Contact Information section of
both the FR Y–9C and FR Y–9SP may
be kept confidential pursuant to FOIA
exemption 6, which applies to
personnel and medical files the
disclosure of which would constitute a
clearly unwarranted invasion of
personal privacy,19 and exemption 8,
which applies to information contained
in or related to examination, operating,
or condition reports prepared by, on
behalf of, or for the use of an agency
responsible for the regulation or
supervision of financial institutions.20
Aside from the data items described
above, data collected by the FR Y–9
16 12
U.S.C. 552(b)(4).
Board has assured respondents that this
information will be treated as confidential since the
collection of this data item was proposed in 2004,
under the assumption that the identity of the
engagement partner is treated as private information
by holding companies.
18 12 U.S.C. 552(b)(8).
19 5 U.S.C. 552(b)(6).
20 5 U.S.C. 552(b)(8).
jbell on DSKJLSW7X2PROD with NOTICES
17 The
VerDate Sep<11>2014
17:21 Sep 07, 2021
Jkt 253001
50357
reports generally are not accorded
confidential treatment. As provided in
the Board’s Rules Regarding Availability
of Information,21 however, a respondent
may request confidential treatment for
any data items the respondent believes
should be withheld pursuant to a FOIA
exemption. The Board will review any
such request to determine if confidential
treatment is appropriate and will inform
the respondent if the request for
confidential treatment has been granted
or denied.
To the extent that the instructions to
the FR Y–9 reports direct the financial
institution to retain the workpapers and
related materials used in preparation of
each report, such material would only
be obtained by the Board as part of the
examination or supervision of the
financial institution. Accordingly, such
information may be considered
confidential pursuant to exemption 8 of
the FOIA.22 In addition, the workpapers
and related materials may also be
protected by exemption 4 of the FOIA
to the extent such financial information
is customarily and actually treated as
private by the respondent.23
Consultation outside the agency: The
Board consulted with the FDIC and OCC
regarding the proposed revisions on
brokered deposits and SA–CCR check
box.
FOR FURTHER INFORMATION CONTACT:
Board of Governors of the Federal Reserve
System, September 1, 2021.
Michele Taylor Fennell,
Deputy Associate Secretary of the Board.
Support King, LLC (SpyFone.com);
Analysis of Proposed Consent Order
To Aid Public Comment
Kelly Powell, HR Specialist, at 202–
942–1681.
SUPPLEMENTARY INFORMATION: Title 5,
U.S. Code, 4314(c)(4), requires that the
appointment of Performance Review
Board members be published in the
Federal Register before Board service
commences. The following persons will
serve on the Federal Retirement Thrift
Investment Board’s Performance Review
Board which will review initial
summary ratings to ensure the ratings
are consistent with established
performance requirements, reflect
meaningful distinctions among senior
executives based on their relative
performance and organizational results
and provide recommendations for
ratings, awards, and pay adjustments in
a fair and equitable manner: Susan
Crowder, Vijay Desai, Gisile Goethe, and
Sean McCaffrey.
Dharmesh Vashee,
General Counsel, Federal Retirement Thrift
Investment Board.
[FR Doc. 2021–19490 Filed 9–7–21; 8:45 am]
BILLING CODE 6760–01–P
FEDERAL TRADE COMMISSION
[File No. 192 3003]
Federal Trade Commission.
Proposed consent agreement;
request for comment.
[FR Doc. 2021–19298 Filed 9–7–21; 8:45 am]
AGENCY:
BILLING CODE 6210–01–P
ACTION:
FEDERAL RETIREMENT THRIFT
INVESTMENT BOARD
Senior Executive Service Performance
Review Board
Federal Retirement Thrift
Investment Board.
ACTION: Notice.
AGENCY:
This notice announces the
appointment of the members of the
Senior Executive Service Performance
Review Board for the Federal
Retirement Thrift Investment Board.
The purpose of the Performance Review
Board is to make written
recommendations on each executive’s
annual summary ratings, performancebased pay adjustment, and performance
awards to the appointing authority.
DATES: This notice is applicable on
September 8, 2021.
SUMMARY:
21 12
CFR part 2.
U.S.C. 552(b)(8).
23 5 U.S.C. 552(b)(4).
22 5
PO 00000
Frm 00035
Fmt 4703
Sfmt 4703
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices. The attached
Analysis of Proposed Consent Order to
Aid Public Comment describes both the
allegations in the draft complaint and
the terms of the consent order—
embodied in the consent agreement—
that would settle these allegations.
DATES: Comments must be received on
or before October 8, 2021.
ADDRESSES: Interested parties may file
comments online or on paper by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Please write ‘‘Support King, LLC
(SpyFone.com); File No. 192 3003’’ on
your comment, and file your comment
online at https://www.regulations.gov by
following the instructions on the webbased form. If you prefer to file your
comment on paper, mail your comment
to the following address: Federal Trade
Commission, Office of the Secretary,
SUMMARY:
E:\FR\FM\08SEN1.SGM
08SEN1
jbell on DSKJLSW7X2PROD with NOTICES
50358
Federal Register / Vol. 86, No. 171 / Wednesday, September 8, 2021 / Notices
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex D), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex D),
Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Thomas B. Carter (214–979–9372),
Federal Trade Commission, Southwest
Regional Office, 199 Bryan Street, Suite
2150, Dallas, TX 75201.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained at https://
www.ftc.gov/news-events/commissionactions.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before October 8, 2021. Write ‘‘Support
King, LLC (SpyFone.com); File No. 192
3003’’ on your comment. Your
comment—including your name and
your state—will be placed on the public
record of this proceeding, including, to
the extent practicable, on the https://
www.regulations.gov website.
Due to the COVID–19 pandemic and
the agency’s heightened security
screening, postal mail addressed to the
Commission will be subject to delay. We
strongly encourage you to submit your
comments online through the https://
www.regulations.gov website.
If you prefer to file your comment on
paper, write ‘‘Support King, LLC
(SpyFone.com); File No. 192 3003’’ on
your comment and on the envelope, and
mail your comment to the following
address: Federal Trade Commission,
Office of the Secretary, 600
Pennsylvania Avenue NW, Suite CC–
5610 (Annex D), Washington, DC 20580.
If possible, submit your paper comment
to the Commission by overnight service.
Because your comment will be placed
on the publicly accessible website at
https://www.regulations.gov, you are
solely responsible for making sure your
comment does not include any sensitive
or confidential information. In
particular, your comment should not
VerDate Sep<11>2014
17:21 Sep 07, 2021
Jkt 253001
include sensitive personal information,
such as your or anyone else’s Social
Security number; date of birth; driver’s
license number or other state
identification number, or foreign
country equivalent; passport number;
financial account number; or credit or
debit card number. You are also solely
responsible for making sure your
comment does not include sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided by Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—
including in particular competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule 4.9(c).
In particular, the written request for
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comment to be withheld from the public
record. See FTC Rule 4.9(c). Your
comment will be kept confidential only
if the General Counsel grants your
request in accordance with the law and
the public interest. Once your comment
has been posted on the https://
www.regulations.gov website—as legally
required by FTC Rule 4.9(b)—we cannot
redact or remove your comment from
that website, unless you submit a
confidentiality request that meets the
requirements for such treatment under
FTC Rule 4.9(c), and the General
Counsel grants that request.
Visit the FTC website at https://
www.ftc.gov to read this Notice and the
news release describing the proposed
settlement. The FTC Act and other laws
that the Commission administers permit
the collection of public comments to
consider and use in this proceeding, as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before October 8, 2021. For information
on the Commission’s privacy policy,
including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/
site-information/privacy-policy.
PO 00000
Frm 00036
Fmt 4703
Sfmt 4703
Analysis of Proposed Consent Order To
Aid Public Comment
The Federal Trade Commission
(‘‘Commission’’) has accepted, subject to
final approval, an agreement containing
a consent order from Support King, LLC,
formerly d/b/a SpyFone.com
(‘‘Corporate Respondent’’), and Scott
Zuckerman (‘‘Individual Respondent’’)
(collectively, ‘‘Respondents’’).
The Commission has placed the
proposed consent order (‘‘Proposed
Order’’) on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission again will review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement or make
final the agreement’s Proposed Order.
Support King has sold various
monitoring products and services, each
of which allowed a purchaser to
monitor surreptitiously another person’s
activities on that person’s mobile
device. Scott Zuckerman is the
president, founder, resident agent, and
chief executive of Support King.
Individually or in concert with others,
Mr. Zuckerman controlled or had the
authority to control, or participated in
the acts and practices alleged in the
proposed complaint.
Respondents’ monitoring products
and services included SpyFone for
Android Basic, Premium, Xtreme, and
Xpress. These monitoring products and
services had varying capabilities and
costs. Purchasers of these products had
to take steps to bypass numerous
restrictions implemented by the
operating system or the mobile device
manufacturer on the monitored mobile
device during installation. To enable
certain functions of the monitoring
products and services, purchasers had
to gain administrative privileges,
exposing mobile devices to various
security vulnerabilities.
All of Respondents’ monitoring
products and services required that the
purchaser have physical access to the
device user’s mobile device for
installation, and then the purchaser
could remotely monitor the device
user’s activities from an online
dashboard. Once installed, the
monitoring products and services ran
surreptitiously, meaning that the device
user was unaware that he or she was
being monitored. The SpyFone software
would then only be found by navigating
through the device’s ‘‘Settings,’’ where,
according to SpyFone’s website, it is
labeled as ‘‘System Service’’ in order ‘‘to
be more stealthy[.]’’
E:\FR\FM\08SEN1.SGM
08SEN1
jbell on DSKJLSW7X2PROD with NOTICES
Federal Register / Vol. 86, No. 171 / Wednesday, September 8, 2021 / Notices
Device users surreptitiously
monitored by Respondents’ monitoring
products and services could not
uninstall or remove Respondents’
monitoring products and services
because they did not know that they
were being monitored. Device users
often had no way of knowing that
Respondents’ monitoring products and
services were being used on their
phones. Respondents did not take any
steps to ensure that purchasers would
use Respondents’ monitoring products
and services for legitimate purposes.
Moreover, Respondents did not take
steps to secure the personal information
collected from device users being
monitored despite stating, ‘‘SpyFone
cares about the integrity and security of
your personal information. We will take
all reasonable precautions to safeguard
customer information, including but not
limited to contact information,
personally identifiable information (PII),
and payment details,’’ and ‘‘SpyFone
uses its databases to store your
encrypted personal information.’’
Respondents engaged in a number of
practices that, taken together, failed to
provide reasonable data security to
protect the personal information
collected from device users.
As a result of these unreasonable data
security practices, in August 2018, an
unauthorized third party accessed
Respondents’ server, gaining access to
the data of approximately 2,200
consumers. Respondents then
disseminated a notice to purchasers
following the unauthorized access,
representing that Respondents had
‘‘partner[ed] with leading data security
firms to assist in our investigation’’ and
that they would ‘‘coordinate with law
enforcement authorities’’ on the matter.
In reality, Respondents did not partner
with any data security firms or
coordinate with law enforcement
authorities.
The Commission’s proposed threecount complaint alleges that
Respondents violated Section 5(a) of the
Federal Trade Commission Act. The
first count alleges that Respondents
unfairly sell or have sold monitoring
products and services that operate
surreptitiously on mobile devices
without taking reasonable steps to
ensure that the purchasers use the
monitoring products and services only
for legitimate and lawful purposes.
The second count alleges
Respondents deceived consumers about
Respondents’ data security practices by
falsely representing that it would take
all reasonable precautions to safeguard
customer information, including by
using their database to store consumers’
personal information encrypted.
VerDate Sep<11>2014
17:21 Sep 07, 2021
Jkt 253001
Respondents failed to implement
appropriate security procedures to
protect the personal information they
collected from consumers, such as by:
(1) Failing to encrypt personal
information stored on Respondents’
server; (2) failing to ensure access to
Respondents’ server was properly
configured so that only authorized users
could access consumers’ personal
information; (3) failing to adequately
assess and address vulnerabilities of its
Application Programing Interfaces
(APIs); (4) transmitting purchasers’
passwords for their SpyFone accounts
in plain text; and (5) failing to
contractually require its service
provider to adopt and implement data
security standards, policies, procedures
or practices.
The third count alleges Respondents
deceived consumers about Respondents’
data breach response, when
Respondents stated they were
partnering with leading data security
firms to investigate the data breach and
coordinating with law enforcement
authorities, when in fact Respondents
did not.
The Proposed Order contains
provisions designed to prevent
Respondents from engaging in the same
or similar acts or practices in the future.
Part I of the Proposed Order requires
Respondents to disable immediately all
access to any information collected
through a monitored mobile device, and
immediately to cease collection of any
data through any monitoring software.
Part II requires that within 30 days of
the entry of the Proposed Order,
Respondents must delete all consumer
data collected.
Part III of the Proposed Order requires
Respondents to provide notice on all of
Support King’s websites, and to provide
notice through emails to purchasers and
trial users, stating that the FTC alleged
Support King sold illegal monitoring
products and services, that Support
King agreed to disable the software, and
that Respondents’ previous notice of
June 2020 was inaccurate. Respondents
must also provide notice to each user of
a monitored device, through an onscreen notification, informing the user
that Support King collected information
from his or her phone, and that the
phone may not be secure.
Part IV of the Proposed Order bans
Respondents from licensing,
advertising, marketing, promoting,
distributing, selling, or assisting in any
of the former, any monitoring product or
service to consumers. Part V of the
Proposed Order prohibits Respondents
from making any misrepresentations
about the extent to which Respondents
work with privacy or security firms, or
PO 00000
Frm 00037
Fmt 4703
Sfmt 9990
50359
the extent to which Respondents
maintain and protect the privacy,
security, confidentiality, and integrity of
personal information. Part VI of the
Proposed Order prohibits Corporate
Respondent, and any Covered Business
(any business controlled, directly or
indirectly, by either Corporate
Respondent or Individual Respondent)
from transferring, selling, sharing,
collecting, maintaining, or storing
personal information unless it
establishes and implements, and
thereafter maintains, a comprehensive
information security program that
protects the security, confidentiality,
and integrity of such personal
information.
Part VII requires Respondents to
obtain initial and biennial data security
assessments for twenty years for any
Covered Business that collects personal
information online. Part VIII of the
Proposed Order requires Respondents to
disclose all material facts to the assessor
and prohibits Respondents from
misrepresenting any fact material to the
assessments required by Part VII.
Part IX requires Respondents to
submit an annual certification from a
senior corporate manager (or senior
officer responsible for its information
security program), that Respondents
have implemented the requirements of
the Proposed Order, are not aware of
any material noncompliance that has
not been corrected or disclosed to the
Commission, and includes a brief
description of any covered incident
involving unauthorized access to or
acquisition of personal information. Part
X requires Respondents to submit a
report to the Commission following
their discovery of any covered incident.
Parts XI through XIV of the Proposed
Order are reporting and compliance
provisions, which include
recordkeeping requirements and
provisions requiring Respondents to
provide information or documents
necessary for the Commission to
monitor compliance. Part XV states that
the Proposed Order will remain in effect
for twenty (20) years, with certain
exceptions.
The purpose of this analysis is to aid
public comment on the Proposed Order.
It is not intended to constitute an
official interpretation of the complaint
or Proposed Order, or to modify in any
way the Proposed Order’s terms.
By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2021–19388 Filed 9–7–21; 8:45 am]
BILLING CODE 6750–01–P
E:\FR\FM\08SEN1.SGM
08SEN1
]]>Agencies
[Federal Register Volume 86, Number 171 (Wednesday, September 8, 2021)]
[Notices]
[Pages 50357-50359]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-19388]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 192 3003]
Support King, LLC (SpyFone.com); Analysis of Proposed Consent
Order To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement; request for comment.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis of Proposed Consent Order to Aid
Public Comment describes both the allegations in the draft complaint
and the terms of the consent order--embodied in the consent agreement--
that would settle these allegations.
DATES: Comments must be received on or before October 8, 2021.
ADDRESSES: Interested parties may file comments online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Please write ``Support King,
LLC (SpyFone.com); File No. 192 3003'' on your comment, and file your
comment online at https://www.regulations.gov by following the
instructions on the web-based form. If you prefer to file your comment
on paper, mail your comment to the following address: Federal Trade
Commission, Office of the Secretary,
[[Page 50358]]
600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), Washington, DC
20580, or deliver your comment to the following address: Federal Trade
Commission, Office of the Secretary, Constitution Center, 400 7th
Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Thomas B. Carter (214-979-9372),
Federal Trade Commission, Southwest Regional Office, 199 Bryan Street,
Suite 2150, Dallas, TX 75201.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
at https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before October 8, 2021.
Write ``Support King, LLC (SpyFone.com); File No. 192 3003'' on your
comment. Your comment--including your name and your state--will be
placed on the public record of this proceeding, including, to the
extent practicable, on the https://www.regulations.gov website.
Due to the COVID-19 pandemic and the agency's heightened security
screening, postal mail addressed to the Commission will be subject to
delay. We strongly encourage you to submit your comments online through
the https://www.regulations.gov website.
If you prefer to file your comment on paper, write ``Support King,
LLC (SpyFone.com); File No. 192 3003'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite
CC-5610 (Annex D), Washington, DC 20580. If possible, submit your paper
comment to the Commission by overnight service.
Because your comment will be placed on the publicly accessible
website at https://www.regulations.gov, you are solely responsible for
making sure your comment does not include any sensitive or confidential
information. In particular, your comment should not include sensitive
personal information, such as your or anyone else's Social Security
number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure your comment does not include
sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the https://www.regulations.gov website--as legally
required by FTC Rule 4.9(b)--we cannot redact or remove your comment
from that website, unless you submit a confidentiality request that
meets the requirements for such treatment under FTC Rule 4.9(c), and
the General Counsel grants that request.
Visit the FTC website at https://www.ftc.gov to read this Notice and
the news release describing the proposed settlement. The FTC Act and
other laws that the Commission administers permit the collection of
public comments to consider and use in this proceeding, as appropriate.
The Commission will consider all timely and responsive public comments
that it receives on or before October 8, 2021. For information on the
Commission's privacy policy, including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission (``Commission'') has accepted, subject
to final approval, an agreement containing a consent order from Support
King, LLC, formerly d/b/a SpyFone.com (``Corporate Respondent''), and
Scott Zuckerman (``Individual Respondent'') (collectively,
``Respondents'').
The Commission has placed the proposed consent order (``Proposed
Order'') on the public record for thirty (30) days for receipt of
comments by interested persons. Comments received during this period
will become part of the public record. After thirty (30) days, the
Commission again will review the agreement and the comments received,
and will decide whether it should withdraw from the agreement or make
final the agreement's Proposed Order.
Support King has sold various monitoring products and services,
each of which allowed a purchaser to monitor surreptitiously another
person's activities on that person's mobile device. Scott Zuckerman is
the president, founder, resident agent, and chief executive of Support
King. Individually or in concert with others, Mr. Zuckerman controlled
or had the authority to control, or participated in the acts and
practices alleged in the proposed complaint.
Respondents' monitoring products and services included SpyFone for
Android Basic, Premium, Xtreme, and Xpress. These monitoring products
and services had varying capabilities and costs. Purchasers of these
products had to take steps to bypass numerous restrictions implemented
by the operating system or the mobile device manufacturer on the
monitored mobile device during installation. To enable certain
functions of the monitoring products and services, purchasers had to
gain administrative privileges, exposing mobile devices to various
security vulnerabilities.
All of Respondents' monitoring products and services required that
the purchaser have physical access to the device user's mobile device
for installation, and then the purchaser could remotely monitor the
device user's activities from an online dashboard. Once installed, the
monitoring products and services ran surreptitiously, meaning that the
device user was unaware that he or she was being monitored. The SpyFone
software would then only be found by navigating through the device's
``Settings,'' where, according to SpyFone's website, it is labeled as
``System Service'' in order ``to be more stealthy[.]''
[[Page 50359]]
Device users surreptitiously monitored by Respondents' monitoring
products and services could not uninstall or remove Respondents'
monitoring products and services because they did not know that they
were being monitored. Device users often had no way of knowing that
Respondents' monitoring products and services were being used on their
phones. Respondents did not take any steps to ensure that purchasers
would use Respondents' monitoring products and services for legitimate
purposes.
Moreover, Respondents did not take steps to secure the personal
information collected from device users being monitored despite
stating, ``SpyFone cares about the integrity and security of your
personal information. We will take all reasonable precautions to
safeguard customer information, including but not limited to contact
information, personally identifiable information (PII), and payment
details,'' and ``SpyFone uses its databases to store your encrypted
personal information.'' Respondents engaged in a number of practices
that, taken together, failed to provide reasonable data security to
protect the personal information collected from device users.
As a result of these unreasonable data security practices, in
August 2018, an unauthorized third party accessed Respondents' server,
gaining access to the data of approximately 2,200 consumers.
Respondents then disseminated a notice to purchasers following the
unauthorized access, representing that Respondents had ``partner[ed]
with leading data security firms to assist in our investigation'' and
that they would ``coordinate with law enforcement authorities'' on the
matter. In reality, Respondents did not partner with any data security
firms or coordinate with law enforcement authorities.
The Commission's proposed three-count complaint alleges that
Respondents violated Section 5(a) of the Federal Trade Commission Act.
The first count alleges that Respondents unfairly sell or have sold
monitoring products and services that operate surreptitiously on mobile
devices without taking reasonable steps to ensure that the purchasers
use the monitoring products and services only for legitimate and lawful
purposes.
The second count alleges Respondents deceived consumers about
Respondents' data security practices by falsely representing that it
would take all reasonable precautions to safeguard customer
information, including by using their database to store consumers'
personal information encrypted. Respondents failed to implement
appropriate security procedures to protect the personal information
they collected from consumers, such as by: (1) Failing to encrypt
personal information stored on Respondents' server; (2) failing to
ensure access to Respondents' server was properly configured so that
only authorized users could access consumers' personal information; (3)
failing to adequately assess and address vulnerabilities of its
Application Programing Interfaces (APIs); (4) transmitting purchasers'
passwords for their SpyFone accounts in plain text; and (5) failing to
contractually require its service provider to adopt and implement data
security standards, policies, procedures or practices.
The third count alleges Respondents deceived consumers about
Respondents' data breach response, when Respondents stated they were
partnering with leading data security firms to investigate the data
breach and coordinating with law enforcement authorities, when in fact
Respondents did not.
The Proposed Order contains provisions designed to prevent
Respondents from engaging in the same or similar acts or practices in
the future.
Part I of the Proposed Order requires Respondents to disable
immediately all access to any information collected through a monitored
mobile device, and immediately to cease collection of any data through
any monitoring software. Part II requires that within 30 days of the
entry of the Proposed Order, Respondents must delete all consumer data
collected.
Part III of the Proposed Order requires Respondents to provide
notice on all of Support King's websites, and to provide notice through
emails to purchasers and trial users, stating that the FTC alleged
Support King sold illegal monitoring products and services, that
Support King agreed to disable the software, and that Respondents'
previous notice of June 2020 was inaccurate. Respondents must also
provide notice to each user of a monitored device, through an on-screen
notification, informing the user that Support King collected
information from his or her phone, and that the phone may not be
secure.
Part IV of the Proposed Order bans Respondents from licensing,
advertising, marketing, promoting, distributing, selling, or assisting
in any of the former, any monitoring product or service to consumers.
Part V of the Proposed Order prohibits Respondents from making any
misrepresentations about the extent to which Respondents work with
privacy or security firms, or the extent to which Respondents maintain
and protect the privacy, security, confidentiality, and integrity of
personal information. Part VI of the Proposed Order prohibits Corporate
Respondent, and any Covered Business (any business controlled, directly
or indirectly, by either Corporate Respondent or Individual Respondent)
from transferring, selling, sharing, collecting, maintaining, or
storing personal information unless it establishes and implements, and
thereafter maintains, a comprehensive information security program that
protects the security, confidentiality, and integrity of such personal
information.
Part VII requires Respondents to obtain initial and biennial data
security assessments for twenty years for any Covered Business that
collects personal information online. Part VIII of the Proposed Order
requires Respondents to disclose all material facts to the assessor and
prohibits Respondents from misrepresenting any fact material to the
assessments required by Part VII.
Part IX requires Respondents to submit an annual certification from
a senior corporate manager (or senior officer responsible for its
information security program), that Respondents have implemented the
requirements of the Proposed Order, are not aware of any material
noncompliance that has not been corrected or disclosed to the
Commission, and includes a brief description of any covered incident
involving unauthorized access to or acquisition of personal
information. Part X requires Respondents to submit a report to the
Commission following their discovery of any covered incident.
Parts XI through XIV of the Proposed Order are reporting and
compliance provisions, which include recordkeeping requirements and
provisions requiring Respondents to provide information or documents
necessary for the Commission to monitor compliance. Part XV states that
the Proposed Order will remain in effect for twenty (20) years, with
certain exceptions.
The purpose of this analysis is to aid public comment on the
Proposed Order. It is not intended to constitute an official
interpretation of the complaint or Proposed Order, or to modify in any
way the Proposed Order's terms.
By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2021-19388 Filed 9-7-21; 8:45 am]
BILLING CODE 6750-01-P
