FTC settles suit against cyberspying vendor

The FTC has settled its two-year-old lawsuit against keylogger vendor CyberSpy, allowing the company to continue to sell its RemoteSpy product but placing a few conditions on its use.

Announcing the settlement Thursday, the Federal Trade Commission said it "put the brakes" on the business practices of CyberSpy Software, which was sued by the FTC in 2008 over the sale and advertising of its RemoteSpy keylogger software.

Promoted as a computer monitoring product, RemoteSpy can capture keystrokes, passwords, and other information from unsuspecting users. The FTC had alleged that CyberSpy violated the FTC Act by allowing customers to surreptitiously install and even disguise RemoteSpy on PCs without the owner's knowledge.

The agreement prevents CyberSpy from promoting the fact that RemoteSpy can be installed without the consent of the PC's owner or that it can be hidden within an e-mail attachment or other type of innocent payload. The FTC is also requiring that CyberSpy notify a user that the program has been downloaded and get that person's approval before RemoteSpy can be installed. People who buy the product must be informed that improper use of the software may violate state or federal laws.

Finally, CyberSpy must take steps to reduce the risk that the software is misused, encrypt any data sent from PCs with RemoteSpy over the Internet, manage its software affiliates to make sure they comply with the order, and uninstall older, legacy copies of RemoteSpy from computers on which it was secretly installed.

In November 2008, the U.S. District Court for the Middle District of Florida, Orlando Division, temporarily barred the sale of RemoteSpy at the request of the FTC following a complaint by the Electronic Frontier Foundation (PDF). The following month, the court decided not to issue an outright ban on the software but did impose limits on its marketing while the case was being heard.

Much of the FTC's complaint stemmed from the fact that CyberSpy and its owner, Tracer R. Spence, were advertising RemoteSpy as a "100 percent undectectable" way to spy on anyone from anywhere.

Papers filed with the court found that customers were given detailed steps on how to disguise the product as a photo or other innocuous attachment within an e-mail, according to the FTC. Clicking on the attachment would install RemoteSpy without the owner's knowledge and then record keystrokes, take screen images, track Web sites visited, and even obtain passwords. RemoteSpy customers were then able to log onto CyberSpy's Web site to access all of the information captured.

The RemoteSpy product page also touts all of the features mentioned by the FTC in its complaint.

The FTC said it accepted the settlement by a vote of 5-0. The order (PDF) handed down by the court doesn't constitute an admission of guilt by the defendants, but does have the power of the law to enforce it.

Update at 6:30 a.m. PDT, June 4:
In a response to a request for comment from CNET, Clegg Ivey, general counsel for CyberSpy, offered the company's take on the settlement.

CyberSpy is pleased with the settlement, Ivey said, because 90 percent of the stipulations are changes the company offered to make to its software and marketing late last year. He added that the FTC wanted a lot more than it got and called the FTC's press release an "attempt to put lipstick on a pig."

Citing specific examples, Ivey said the FTC had argued that Spence had broken the law simply by selling RemoteSpy and should give up all profits from the sale of the software. But the settlement didn't include a fine, he noted. The FTC also argued that the ability to remotely install the software should not be allowed, according to Ivey, but the settlement lets RemoteSpy stay on the market with the capability of installing it remotely.

CyberSpy has made several changes in the way it sells and promotes RemoteSpy, noted Ivey. The company has updated its license system to make sure customers have the necessary permissions to install the software. Splash screens and pop-up notices have been added to remind people that the product should only be installed on their own PCs or PCs for which they have permission to install it. Ivey added that CyberSpy has added more layers of encryption and authentication for additional security.

In response to Ivey's claims, the FTC told CNET that it stands behind the facts in its press release, none of which were refuted by Ivey.

Ivey added his own take on the company's interactions with the FTC. "I see this as a David and Goliath story," he said. "Maybe we weren't able to knock the government Goliath on its tail, but we made it pack up its things and go home, which is almost as good."