The U.S. Federal Trade Commission (FTC) has upheld its ban on Scott Zuckerman, the founder behind notorious stalkerware applications like SpyFone and SpyTrac. The decision denies Zuckerman’s recent petition to overturn a 2021 order that prohibits him from operating within the surveillance industry, a ban originally imposed following a significant data breach that exposed the personal information of both his customers and their surveillance targets.
FTC Rejects Appeal from Stalkerware Founder
On Monday, the FTC announced its denial in a press release, responding to Zuckerman’s July petition asking the federal watchdog to rescind or modify the original ban. Zuckerman, who founded consumer spyware company Support King and its subsidiaries SpyFone and OneClickMonitor, will therefore remain barred from selling invasive surveillance software.
The 2021 FTC order specifically banned Zuckerman from “offering, promoting, selling, or advertising any surveillance app, service, or business,” effectively preventing him from launching another stalkerware venture. The agency also mandated that Zuckerman delete all data collected by SpyFone, undergo frequent audits, and implement robust cybersecurity practices across his businesses.
“SpyFone is a brazen brand name for a surveillance business that helped stalkers steal private information,” stated Samuel Levine, then acting director of the FTC’s Bureau of Consumer Protection. “The stalkerware was hidden from device owners, but was fully exposed to hackers who exploited the company’s slipshod security.”
Zuckerman's Claim of Financial Hardship
In his petition, Zuckerman argued that the FTC order’s stringent security requirements were financially impacting his other, unrelated businesses. He claimed these costs were burdensome even though Support King is no longer operational; his current ventures reportedly include a restaurant and planned tourism projects in Puerto Rico. Zuckerman declined to comment when contacted via email, referring questions to his lawyer.
The 2018 Data Breach That Led to the Ban
The FTC ban originated from a 2018 incident in which a security researcher discovered an Amazon S3 bucket belonging to SpyFone. This bucket left extremely sensitive data — including selfies, text messages, chat app messages, audio recordings, contacts, location data, hashed passwords, and logins — exposed online and accessible to anyone. The breach involved 44,109 unique email addresses and, according to the researcher, affected at least 2,208 “customers” and exposed thousands of photos and audio files from 3,666 phones with SpyFone installed.
Allegations of Ban Violation
Less than a year after the 2021 FTC order, TechCrunch reported that Zuckerman appeared to be operating another stalkerware company, SpyTrac. A trove of breached data from SpyTrac revealed that the app was run by freelance developers with direct ties to Support King, suggesting an attempt to circumvent the FTC’s ban. Furthermore, the leaked data included records from SpyFone, which Zuckerman had been ordered to delete, and keys to access the cloud storage of OneClickMonitor, another of his stalkerware apps.
Expert Reaction
Eva Galperin, a leading expert on stalkerware and director of cybersecurity at the Electronic Frontier Foundation, welcomed the FTC’s decision.
“Mr. Zuckerman was clearly hoping that if he laid low for a few years, everyone would forget about the reasons why the FTC issued a ban not only against the company, but against him specifically,” Galperin told TechCrunch.
Galperin added that TechCrunch’s 2022 revelation regarding Zuckerman’s apparent violation of the FTC ban “suggests that Zuckerman did not learn his lesson.”
Broader Stalkerware Risks
Stalkerware apps enable their users to secretly monitor the phones and devices of others, often facilitating potentially illegal activities. Beyond these ethical and legal concerns, the industry has a troubling history of security failures. Over the past eight years, at least 26 stalkerware companies have either been hacked or left sensitive data exposed online, according to TechCrunch’s analysis. These repeated incidents underscore the consistent failure of these companies to protect the privacy of both their customers and the individuals they target for surveillance.




