Stalkerware Purveyor Hit With $410,000 Fine By New York Attorney General But Will Still Be Allowed To Sell Spyware

Bad people selling terrible things to even worse people has been around since long before the debut of smartphones. But now it's just so much easier to bring these two parties together to inflict misery on others.
What's considered to be just a good investigative tool when wielded by government agencies (looking at you, NSO Group and competitors) is a nasty invasion of privacy when deployed by ex-spouses, stalkers, and serial harassers.
Efforts have been made to combat this smartphone-centric menace, but fines and bans haven't done much to deter malicious people from whipping up new spyware under an assortment of legitimate-sounding company names. This is not to say the war against stalkerware isn't worth fighting, even if victories are rare and sometimes extremely fleeting.
Fortunately, the EFF is on the case. Its director of cybersecurity, Eva Galperin, formed the Coalition Against Stalkerware three years ago and since then has been working with legislators and law enforcement to hunt down and shut down stalkerware sellers. Those efforts have led to another hefty fine being leveled against a malware merchant.
Last week, the New York Attorney General secured a $410,000 fine from Patrick Hinchy and 16 companies that he runs which produce and sell spyware and stalkerware. In addition, he and his companies must modify their stalkerware to alert victims that their devices have been compromised. This sends a clear message to app developers who make their money by surreptitiously installing software to spy on the devices of others: the State of New York will not tolerate your actions.
The agreement [PDF] between Hinchy and the AG's office provides more details on the stalkerware creator, including the fact that Hinchy has been engaged in this business since 2011. Hinchy offered stalkerware under multiple brand names and operated websites suggesting his malware should be used by people who suspected their partners of cheating (under headlines using some form of the phrase "relationship advice").
Once installed, the apps hid themselves from the device owner (at least until Apple and Android OS changes made that concealment impossible) and began collecting large amounts of data.
Information copied and transmitted by Respondents' Spyware Apps includes: call logs (including phone number, date, and call duration); text messages (including message content, date, and recipient); camera images and videos (including the image or video itself and date taken); location (including current latitude and longitude of the device); Gmail data (including an excerpt/snippet of the email message content, email subject, sender and recipient email address, and date); WhatsApp messages (including message text, sender, and date); Skype data (including message content, sender, and date); Facebook, Instagram, and Twitter data (including direct message content, date, and sender); and Google Chrome data (including browser history with URL and dates visited).
Unbelievably, all of this data went back to sites and servers operated by Hinchy. Users logged into their personal stalkerware "dashboards" to view the surreptitiously obtained data and communications. In addition, Hinchy's companies provided customer assistance for users, instructing them how to hide the apps or helping them obtain login credentials for the target's cloud storage accounts.
The agreement says Hinchy and his companies must cut off customers' access to phones that have already been compromised, and must also block those customers from reaching the collected data via their "dashboards." Weirdly, this will only affect users who aren't willing to lie about using this malware to spy on their kids.
The Affirmation flow shall conclude with an advisory that, unless the Customer selected that they intend to use the Spyware Product(s) to monitor a minor dependent child (as set forth in Paragraph 87.f.iii above) and completed the additional necessary steps regarding the monitoring of a minor child (as set forth in Paragraph 103 below), the Spyware Product(s) will notify the Target Device Holder and/or Target Account Holder that (a) the Spyware Products have been installed on their Mobile Device and/or connected to their Target Accounts and (b) the Spyware Product(s) may be used to monitor their Mobile Device activity (the "Notification").
That's an odd concession to be made. On the plus side, Hinchy is obligated to modify his spyware so it informs device owners about the presence of the malware as well as what's being harvested from the phone. There's a lot of wiggle room here, which may tempt Hinchy to get back to doing what he's done best for more than a decade. There's no ban in this agreement, just an uneasy truce between Hinchy and the state Attorney General.
Maybe the $410,000 fine will be the more effective deterrent. The agreement and the AG's statement provide no details on how profitable Hinchy's unsavory business was. If the fine's big enough, it may encourage Hinchy to find a better use for his time. If not, we should probably expect more of the same from this malware seller in the future.