Support King, LLC (SpyFone.com); Analysis of Proposed Consent Order To Aid Public Comment, 50357-50359 [2021-19388]



[Federal Register Volume 86, Number 171 (Wednesday, September 8, 2021)]
[Notices]
[Pages 50357-50359]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-19388]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 192 3003]


Support King, LLC (SpyFone.com); Analysis of Proposed Consent 
Order To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis of Proposed Consent Order to Aid 
Public Comment describes both the allegations in the draft complaint 
and the terms of the consent order--embodied in the consent agreement--
that would settle these allegations.

DATES: Comments must be received on or before October 8, 2021.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``Support King, 
LLC (SpyFone.com); File No. 192 3003'' on your comment, and file your 
comment online at https://www.regulations.gov by following the 
instructions on the web-based form. If you prefer to file your comment 
on paper, mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary,

[[Page 50358]]

600 Pennsylvania Avenue NW, Suite CC-5610 (Annex D), Washington, DC 
20580, or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Constitution Center, 400 7th 
Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Thomas B. Carter (214-979-9372), 
Federal Trade Commission, Southwest Regional Office, 199 Bryan Street, 
Suite 2150, Dallas, TX 75201.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
at https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before October 8, 2021. 
Write ``Support King, LLC (SpyFone.com); File No. 192 3003'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the https://www.regulations.gov website.
    Due to the COVID-19 pandemic and the agency's heightened security 
screening, postal mail addressed to the Commission will be subject to 
delay. We strongly encourage you to submit your comments online through 
the https://www.regulations.gov website.
    If you prefer to file your comment on paper, write ``Support King, 
LLC (SpyFone.com); File No. 192 3003'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex D), Washington, DC 20580. If possible, submit your paper 
comment to the Commission by overnight service.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the https://www.regulations.gov website--as legally 
required by FTC Rule 4.9(b)--we cannot redact or remove your comment 
from that website, unless you submit a confidentiality request that 
meets the requirements for such treatment under FTC Rule 4.9(c), and 
the General Counsel grants that request.
    Visit the FTC website at https://www.ftc.gov to read this Notice and 
the news release describing the proposed settlement. The FTC Act and 
other laws that the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
that it receives on or before October 8, 2021. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (``Commission'') has accepted, subject 
to final approval, an agreement containing a consent order from Support 
King, LLC, formerly d/b/a SpyFone.com (``Corporate Respondent''), and 
Scott Zuckerman (``Individual Respondent'') (collectively, 
``Respondents'').
    The Commission has placed the proposed consent order (``Proposed 
Order'') on the public record for thirty (30) days for receipt of 
comments by interested persons. Comments received during this period 
will become part of the public record. After thirty (30) days, the 
Commission again will review the agreement and the comments received, 
and will decide whether it should withdraw from the agreement or make 
final the agreement's Proposed Order.
    Support King has sold various monitoring products and services, 
each of which allowed a purchaser to monitor surreptitiously another 
person's activities on that person's mobile device. Scott Zuckerman is 
the president, founder, resident agent, and chief executive of Support 
King. Individually or in concert with others, Mr. Zuckerman controlled 
or had the authority to control, or participated in the acts and 
practices alleged in the proposed complaint.
    Respondents' monitoring products and services included SpyFone for 
Android Basic, Premium, Xtreme, and Xpress. These monitoring products 
and services had varying capabilities and costs. Purchasers of these 
products had to take steps to bypass numerous restrictions implemented 
by the operating system or the mobile device manufacturer on the 
monitored mobile device during installation. To enable certain 
functions of the monitoring products and services, purchasers had to 
gain administrative privileges, exposing mobile devices to various 
security vulnerabilities.
    All of Respondents' monitoring products and services required that 
the purchaser have physical access to the device user's mobile device 
for installation, and then the purchaser could remotely monitor the 
device user's activities from an online dashboard. Once installed, the 
monitoring products and services ran surreptitiously, meaning that the 
device user was unaware that he or she was being monitored. The SpyFone 
software would then only be found by navigating through the device's 
``Settings,'' where, according to SpyFone's website, it is labeled as 
``System Service'' in order ``to be more stealthy[.]''

[[Page 50359]]

    Device users surreptitiously monitored by Respondents' monitoring 
products and services could not uninstall or remove Respondents' 
monitoring products and services because they did not know that they 
were being monitored. Device users often had no way of knowing that 
Respondents' monitoring products and services were being used on their 
phones. Respondents did not take any steps to ensure that purchasers 
would use Respondents' monitoring products and services for legitimate 
purposes.
    Moreover, Respondents did not take steps to secure the personal 
information collected from device users being monitored despite 
stating, ``SpyFone cares about the integrity and security of your 
personal information. We will take all reasonable precautions to 
safeguard customer information, including but not limited to contact 
information, personally identifiable information (PII), and payment 
details,'' and ``SpyFone uses its databases to store your encrypted 
personal information.'' Respondents engaged in a number of practices 
that, taken together, failed to provide reasonable data security to 
protect the personal information collected from device users.
    As a result of these unreasonable data security practices, in 
August 2018, an unauthorized third party accessed Respondents' server, 
gaining access to the data of approximately 2,200 consumers. 
Respondents then disseminated a notice to purchasers following the 
unauthorized access, representing that Respondents had ``partner[ed] 
with leading data security firms to assist in our investigation'' and 
that they would ``coordinate with law enforcement authorities'' on the 
matter. In reality, Respondents did not partner with any data security 
firms or coordinate with law enforcement authorities.
    The Commission's proposed three-count complaint alleges that 
Respondents violated Section 5(a) of the Federal Trade Commission Act. 
The first count alleges that Respondents unfairly sell or have sold 
monitoring products and services that operate surreptitiously on mobile 
devices without taking reasonable steps to ensure that the purchasers 
use the monitoring products and services only for legitimate and lawful 
purposes.
    The second count alleges that Respondents deceived consumers about 
Respondents' data security practices by falsely representing that they 
would take all reasonable precautions to safeguard customer 
information, including by using their database to store consumers' 
personal information in encrypted form. Respondents failed to implement 
appropriate security procedures to protect the personal information 
they collected from consumers, such as by: (1) Failing to encrypt 
personal information stored on Respondents' server; (2) failing to 
ensure access to Respondents' server was properly configured so that 
only authorized users could access consumers' personal information; (3) 
failing to adequately assess and address vulnerabilities of their 
Application Programming Interfaces (APIs); (4) transmitting purchasers' 
passwords for their SpyFone accounts in plain text; and (5) failing to 
contractually require their service provider to adopt and implement data 
security standards, policies, procedures or practices.
    The third count alleges that Respondents deceived consumers about 
Respondents' data breach response by stating that they were 
partnering with leading data security firms to investigate the data 
breach and coordinating with law enforcement authorities, when in fact 
Respondents did not.
    The Proposed Order contains provisions designed to prevent 
Respondents from engaging in the same or similar acts or practices in 
the future.
    Part I of the Proposed Order requires Respondents to disable 
immediately all access to any information collected through a monitored 
mobile device, and immediately to cease collection of any data through 
any monitoring software. Part II requires that within 30 days of the 
entry of the Proposed Order, Respondents must delete all consumer data 
collected.
    Part III of the Proposed Order requires Respondents to provide 
notice on all of Support King's websites, and to provide notice through 
emails to purchasers and trial users, stating that the FTC alleged 
Support King sold illegal monitoring products and services, that 
Support King agreed to disable the software, and that Respondents' 
previous notice of June 2020 was inaccurate. Respondents must also 
provide notice to each user of a monitored device, through an on-screen 
notification, informing the user that Support King collected 
information from his or her phone, and that the phone may not be 
secure.
    Part IV of the Proposed Order bans Respondents from licensing, 
advertising, marketing, promoting, distributing, selling, or assisting 
in any of the former, any monitoring product or service to consumers. 
Part V of the Proposed Order prohibits Respondents from making any 
misrepresentations about the extent to which Respondents work with 
privacy or security firms, or the extent to which Respondents maintain 
and protect the privacy, security, confidentiality, and integrity of 
personal information. Part VI of the Proposed Order prohibits Corporate 
Respondent, and any Covered Business (any business controlled, directly 
or indirectly, by either Corporate Respondent or Individual Respondent) 
from transferring, selling, sharing, collecting, maintaining, or 
storing personal information unless it establishes and implements, and 
thereafter maintains, a comprehensive information security program that 
protects the security, confidentiality, and integrity of such personal 
information.
    Part VII requires Respondents to obtain initial and biennial data 
security assessments for twenty years for any Covered Business that 
collects personal information online. Part VIII of the Proposed Order 
requires Respondents to disclose all material facts to the assessor and 
prohibits Respondents from misrepresenting any fact material to the 
assessments required by Part VII.
    Part IX requires Respondents to submit an annual certification from 
a senior corporate manager (or senior officer responsible for its 
information security program) stating that Respondents have implemented 
the requirements of the Proposed Order and are not aware of any material 
noncompliance that has not been corrected or disclosed to the 
Commission; the certification must also include a brief description of 
any covered incident involving unauthorized access to or acquisition of 
personal information. Part X requires Respondents to submit a report to 
the Commission following their discovery of any covered incident.
    Parts XI through XIV of the Proposed Order are reporting and 
compliance provisions, which include recordkeeping requirements and 
provisions requiring Respondents to provide information or documents 
necessary for the Commission to monitor compliance. Part XV states that 
the Proposed Order will remain in effect for twenty (20) years, with 
certain exceptions.
    The purpose of this analysis is to aid public comment on the 
Proposed Order. It is not intended to constitute an official 
interpretation of the complaint or Proposed Order, or to modify in any 
way the Proposed Order's terms.

    By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2021-19388 Filed 9-7-21; 8:45 am]