The U.S. Federal Trade Commission has rejected a petition to lift its ban on Scott Zuckerman, effectively keeping the former stalkerware developer out of the surveillance software industry. Zuckerman, who founded Support King and its subsidiaries SpyFone and OneClickMonitor, had requested the FTC rescind or modify its 2021 order that prohibited him from selling surveillance applications following a significant data breach.
Background of the Ban
The original ban came after a 2018 security incident exposed highly sensitive information collected by Zuckerman’s surveillance applications. A security researcher discovered an unsecured Amazon S3 bucket containing intimate data from thousands of devices, including selfies, text messages, audio recordings, location data, and contact information. The breach compromised 44,109 unique email addresses and affected at least 2,208 customers, exposing surveillance data from 3,666 monitored phones.
In 2021, the FTC took decisive action by prohibiting Zuckerman from ‘offering, promoting, selling, or advertising any surveillance app, service, or business.’ The order also required him to delete all data collected through his applications and implement strict cybersecurity measures for his future business ventures.
Petition for Relief Denied
In July 2023, Zuckerman petitioned the FTC to lift or modify the restrictions, claiming the security requirements imposed financial hardships on his current businesses. According to his petition, Support King is no longer operational, and Zuckerman now operates a restaurant and plans tourism ventures in Puerto Rico.
The FTC announced its denial of this request on Monday, maintaining the original restrictions that prevent Zuckerman from returning to the surveillance software industry. When contacted for comment, Zuckerman declined to respond directly and referred inquiries to his legal representative.
Evidence of Continued Violations
Notably, TechCrunch reported in 2022 that Zuckerman appeared to be circumventing the FTC’s ban by operating another stalkerware company. Journalists received breached data from a stalkerware application called SpyTrac, which revealed connections between freelance developers and Support King. The data also contained records from SpyFone that should have been deleted under the FTC order, along with access keys for cloud storage belonging to OneClickMonitor.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation and a recognized expert on stalkerware, commented on the decision: ‘Mr. Zuckerman was clearly hoping that if he laid low for a few years, everyone would forget about the reasons why the FTC issued a ban not only against the company, but against him specifically.’ She added that the 2022 revelations ‘suggests that Zuckerman did not learn his lesson.’
The Broader Stalkerware Problem
Stalkerware applications enable users to covertly monitor others’ devices without consent, potentially facilitating illegal surveillance activities. These applications typically allow access to text messages, call logs, photos, location data, and sometimes even camera and microphone feeds. Beyond their inherently invasive nature, these applications have demonstrated persistent security vulnerabilities.
Over the past eight years, at least 26 stalkerware companies have experienced security breaches or exposed sensitive data online, according to TechCrunch’s documentation. These repeated incidents highlight a systemic failure within the industry to protect the privacy and security of both their customers and the individuals being monitored without consent.
Implications of the FTC’s Decision
The FTC’s refusal to lift Zuckerman’s ban sends a clear message to other surveillance software developers about regulatory consequences for privacy violations and security failures. This enforcement action represents one of the more significant penalties imposed against a stalkerware developer, establishing a precedent that the FTC is willing to issue lifetime industry bans for particularly egregious violations.
Privacy advocates have praised the decision, viewing it as an important step in combating the proliferation of invasive surveillance tools. The case highlights the growing tension between surveillance technology developers and privacy regulations, particularly as these applications can be misused for stalking, harassment, and domestic abuse.
Industry-Wide Security Failures
The persistent security problems plaguing stalkerware companies extend well beyond Zuckerman’s operations. The pattern of data breaches in this sector creates a particularly troubling scenario where highly sensitive surveillance data collected without consent is subsequently exposed through inadequate security practices.
This double violation—first monitoring individuals without their knowledge, then exposing their private information through negligent data protection—underscores why regulators have increasingly targeted this industry. The FTC’s continued enforcement against Zuckerman demonstrates a commitment to addressing both the privacy invasion inherent in stalkerware and the security negligence common among its providers.