Last week, the New York Attorney General secured a $410,000 fine from Patrick Hinchy and 16 companies that he runs which produce and sell spyware and stalkerware. In addition, he and his companies must modify their stalkerware to alert victims that their devices have been compromised. This sends a clear message to app developers who make their money by surreptitiously installing software to spy on the devices of others: the State of New York will not tolerate your actions.
EFF has long championed the fight against stalkerware: our Director of Cybersecurity Eva Galperin helped found the Coalition Against Stalkerware three years ago. In this time, we’ve urged legislators and rule-makers to take the threat stalkerware poses to the safety and privacy of its victims just as seriously as other forms of malware.
Stalkerware, a type of commercially-available surveillance software, is installed on phones without device users’ knowledge or consent to secretly spy on them. The apps track victims’ locations and allow abusers to read their text messages, monitor phone calls, see photos, videos, and web browsing, and much more. It’s being used all over the world to intimidate, harass, and harm victims, and is a favorite tool for stalkers and abusive spouses or ex-partners.
In a press release announcing the fine, New York’s Attorney General Letitia James put it in no uncertain terms: “These apps and products put New Yorkers at risk of stalking and domestic abuse, and were aggressively promoted by Patrick Hinchy through 16 different companies. Today’s agreement will block these companies from allowing New Yorkers to be monitored without their awareness, and will continue our ongoing fight to protect New Yorkers’ rights, safety, and privacy.”
In the past few years, we’ve seen a shift in the way stalkerware is perceived by regulators. In a groundbreaking ruling in September 2021, the Federal Trade Commission (FTC) banned the Android app company Support King and its CEO Scott Zuckerman, developers of SpyFone, from the surveillance business. Almost a year ago, Maryland’s legislature unanimously passed a bill requiring law enforcement agencies to learn to recognize the common tactics of electronic surveillance and the laws around such activities. The double-penalty imposed in New York is a welcome way not only to disincentivize would-be stalkerware developers, but also to start to redress some of the damages caused by this shady industry.
Welcome as it is, more work remains. The business of selling spyware and stalkerware still presents lucrative opportunities to those unconcerned by the harms they cause, and many of its players aren’t as easy to impose penalties on or even identify. Last year, we urged the FTC to investigate a stalkerware app network which was the subject of a TechCrunch report. Our call on the FTC to investigate this dangerous network still stands.
We applaud the state of New York for standing up for the victims of this harmful and invasive industry. We hope other states will follow the example New York has set in protecting its own citizens from these harms.