FTC Settles With Spyware Firm

The Federal Trade Commission announced this week that it had reached a settlement agreement with CyberSpy Software over its RemoteSpy spyware.

According to a statement released by the FTC, the settlement "bars the sellers of the 'RemoteSpy'' keylogger from advertising that the spyware can be disguised and installed on someone else's computer without the owner's knowledge." In addition, it "requires that the software provide notice that the program has been downloaded and obtain consent from computer owners before the software can be installed."

The FTC first filed suit against CyberSpy and its owner, Tracer Spence, in 2008, alleging that they were breaking the law by advertising and selling "100% undetectable" software offering to "Spy on Anyone. From Anywhere."

What further caught regulators' attention was when CyberSpy, according to documents filed with the court, "provided their clients with detailed instructions explaining how to disguise the spyware as an innocuous file, such as a photo, attached to an e-mail," said the FTC. "When the e-mail recipient clicked on the attachment, the RemoteSpy program was downloaded and installed without the victim's knowledge."

A description of the RemoteSky product -- currently featured on the CyberSpy website -- touts its ability to be installed remotely, and to then "record all website visits, instant message conversations, keystrokes, documents opened and more." Purchasers then visit a CyberSpy-hosted website to review the data captured by the software.

As part of the settlement, the FTC said that CyberSpy cannot provide its customers "with the means to disguise the product as an innocent file or e-mail attachment," must take steps to prevent the software from being used in that manner and police their affiliates accordingly. The company also must warn that using the software may break state or federal laws. Finally, the FTC is requiring CyberSpy to "remove legacy versions of the software from computers on which it was previously installed."

"CyberSpy, of course, isn't the only business working in this apparent 'grey' area between legitimate and illegitimate software," said Graham Cluley, senior technology consultant for Sophos, writing on the company's blog. "Often the products are marketed as a way for wives to spy on philandering husbands, or for concerned parents to keep an eye on what their babysitter is up to, rather than more traditional identity theft -- but it's clear that they can be used with a wide variety of motives."