The FTC recently settled with a surveillance app operator over allegations that the company facilitated the secret harvesting of personal information. According to the FTC, the main users of Support King, LLC’s “SpyFone” app were bad actors who used the tool to remotely monitor users’ physical and digital activities. The FTC dismissed the company’s argument that the users were employers and parents as a “pretext.” It felt neither group would want to use the product, because installing it required minimizing the device’s security settings and potentially voiding the device warranty.

Support King failed to take reasonable steps, the FTC felt, to make sure the app was used for legitimate reasons and not by potential stalkers. The FTC also found the company’s practices deceptive. Namely, the company said it “took all reasonable precautions” to protect personal information. The FTC disagreed. Instead, it said, the company’s insufficient security practices resulted in a 2018 data breach. The company also, according to the FTC, deceptively indicated that it had “coordinated with law enforcement authorities” and “leading data security firms” on the incident, when in fact it had not done so.

As part of the settlement, Support King has agreed to cease marketing and selling its app, to delete personal information collected from its software, and to notify affected individuals. The company also agreed to create an information security program and obtain regular third-party assessments.

Putting it into Practice: This case, which arose after a data breach, is a reminder that when products facilitate tracking and monitoring users, the FTC will take a careful look at a company’s practices. This includes examining the typical users of such products.