The Criminal Indictment That Could Finally Hit Spyware Makers Hard


The indictment this week of the man behind an app designed for surreptitiously monitoring cellphone activity is only the second federal case filed against someone involved in the commercial sale of so-called spyware and stalkingware. But the case could have negative implications for others who make and sell similar snooping tools, experts hope.

The case involves StealthGenie, a spy app for iPhones, Android phones and BlackBerry devices that until last week was marketed primarily to people who suspected their spouse or lover of cheating on them, but that could also be used by stalkers or perpetrators of domestic violence to track victims. The app secretly recorded phone calls and siphoned text messages and other data from a target's phone, all of which customers of the software could view online until the government succeeded in temporarily closing the Virginia-based site (.pdf) that hosted the stolen data.

Authorities arrested CEO Hammad Akbar, a 31-year-old Pakistani resident, on Saturday in Los Angeles following his indictment in Virginia on federal wiretapping charges (.pdf), which include conspiracy to market and sell a surreptitious interception device.

"StealthGenie has little use beyond invading a victim’s privacy," U.S. Attorney Dana J. Boente of the Eastern District of Virginia said in a statement about the case. "Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners."

Although it's not uncommon for the makers of illicit tools used in criminal hacking to be charged with illegal activity, it's often the case that the developers of such tools are also their surreptitious users or benefit from their illegal use to steal credit card numbers or other valuable data.

The case against Akbar, however, is remarkable for its focus on the seller of a commercial software program that is openly marketed on the internet, rather than on its users. "The government is trying to say it's not enough that the users are responsible, but that the maker is an enabler of this privacy invasion and are potentially liable," says Hanni Fakhoury, staff attorney for the Electronic Frontier Foundation. A Justice Department spokesman told WIRED there are currently no additional charges filed over StealthGenie. But that's not to say customers won't eventually be charged as well.

Either way, groups like the National Network to End Domestic Violence say they hope the indictment signals more aggressive efforts by the government to crack down on those who distribute tools that, more than a privacy invasion, are often used by stalkers and perpetrators of domestic violence to track their victims.

Despite the U.S. attorney's statement about aggressively pursuing the sellers of spyware, Cindy Southworth of the NNEDV says the government has been extremely slow in going after distributors of such tools, despite their illegal nature, their sometimes life-threatening implications, and the brazen marketing campaigns of some sellers. One seller, she notes, once marketed its product with a photo of a woman whose face was marked with ugly abrasions and whose forearm was held in the grip of a man.

"This [kind of spying] has been illegal since the eavesdropping laws have been passed," says Southworth, who testified to lawmakers this summer about the sale of such software. "We've had spyware on the market for a decade. But domestic violence isn't a priority [for law enforcement]."

StealthGenie, created in 2010 and sold by Akbar's firm InvoCode, is designed to secretly record mobile phone calls and siphon text messages. It also allows users to read email sent and received through a phone, turn on the phone's microphone to monitor conversations up to 15 feet away and view the address book, calendar entries and photos and videos.

Although other commercial spyware for monitoring computer users is legally sold to employers, schools and parents, the manufacturers of those programs assume the person doing the monitoring has authorized access or ownership of the targeted device. The person being monitored also generally knows the software is installed on their device, or the program is easily detectable.

StealthGenie, however, was designed to be covert and was specifically marketed to those who did not own the targeted device or have permission to access its private data, according to the indictment against Akbar. Authorities say that in a marketing plan created for his program he and associates anticipated that 65 percent of their customers would be people looking to surreptitiously monitor their spouse or romantic partner. Although installing the app required having physical access to the device, once that was accomplished, siphoned data was sent to a StealthGenie web portal, where users could view it without the victim's knowledge.

Akbar apparently believed liability for the use of his app fell to customers, not his firm. "When the customer buys the product, they assume all responsibility," he allegedly wrote in a 2011 e-mail, according to authorities. "We do not need to describe the legal issues."

[Photo: Carlos Perez-Melara, the alleged creator of Lover Spy. Courtesy of the FBI via the Associated Press.]

He had good reason to believe this was the case, given that only one other maker of such spyware had been indicted before, and that was nearly a decade ago. In 2005, Carlos Perez-Melara, a San Diego college student from El Salvador, was indicted on wiretapping charges for creating and selling an $89 software program called "Lover Spy" and "Email PI". The tool, designed to “catch a cheating lover,” was sent to victims as an electronic greeting card that, when opened, secretly installed a keystroke logger and data-gleaning software. The program captured e-mail and text messages, passwords, browser histories, and also allowed someone to spy on victims through their webcam. Perez-Melara vanished after his indictment, however, and remains a fugitive. He was placed on the FBI's list of most wanted cybercrime suspects last year with a $50,000 bounty on his head.

Akbar was targeted under the same wiretapping law because StealthGenie intercepted calls in real time, violating federal laws prohibiting the manufacture, advertising and distribution of any system designed to surreptitiously intercept oral or electronic communications in real time. According to the indictment, StealthGenie also transmitted siphoned data to the StealthGenie server in "close-to-real time," giving customers the ability to monitor communications "almost immediately."

Wiretapping isn't the only law authorities could use to go after commercial spyware makers, however. They could also conceivably file conspiracy charges under the Computer Fraud and Abuse Act or use the Stored Communications Act, in situations where stolen data isn't intercepted in real time, according to EFF's Fakhoury, who says it will be interesting to see how the government moves forward with other cases in this vein. But criminal liability for the sellers of spyware, he says, may depend on whether, and to what extent, there are other legitimate uses for a spyware program and on how the maker of the tool markets it.

"In this case, the spyware that these [StealthGenie] guys are marketing is clearly illegal," he says. "You can't legally hack into people's phones and intercept phone calls. There's no scenario where that is legal." Similarly, he says, "If your marketing materials are 'If you want to know who your ex-girlfriend is talking to,' that will add to the proof that this is for an illegitimate purpose. If your marketing, however, is, 'Never use this on unsuspecting users and always get notice and consent,' that's a different state of affairs."

There are, for example, well-known security tools like Metasploit, a penetration-testing tool used by system administrators to determine if their systems are vulnerable to hacking, that are also popular with hackers for breaking into systems. But HD Moore, the security researcher who developed Metasploit, has never faced indictment for creating the program, and the company he works for, Rapid7, does not market the product to hackers.

But even legitimate uses and careful marketing may not be enough to protect some sellers of spyware in the future. Fakhoury notes that FedEx, the giant package-delivery firm, was recently indicted amid accusations it failed to prevent online pharmacies from sending drugs to customers who didn't have a prescription for them.

"This is not a clandestine shipping operation," he notes. "They got indicted in federal court because their oversight of online pharmaceuticals is lax, and that is a novel theory of imposing liability on the middleman between one user and another [who] are engines in criminal activity."

With this in mind, it seems these days that the safest bet for the makers of spyware to avoid criminal charges might be to market their tools to law enforcement and government intelligence agencies. Surveillance software like Hacking Team's DaVinci program and Gamma's FinFisher do the same kind of spying as programs like StealthGenie and Lover Spy.

But "when it's used by law enforcement," says Chris Soghoian, chief technologist for the American Civil Liberties Union, "it magically becomes lawful and appropriate software."