The New York Attorney General ('AG') published, on 2 February 2023, Assurance of Discontinuance No. 23-005 ('the Assurance'), in which it came to a settlement of $410,000 with Patrick T. Hinchy and 16 companies in which he has a controlling interest, including Powerline Group Inc., ILF Mobile Apps Corp., and Highster Data Services LLC., ('the Respondents') for violation of § 63(12) of Article 5 of the Executive Law of New York and §§ 349 and 350 of the General Business Law of New York, following an investigation.

Background to the settlement

In particular, the AG noted that the Respondents sold software products that allowed users to secretly monitor activity on another device, including call logs, text messages, photos, videos, locations, Gmail activity, WhatsApp and Skype messages, social media activity, and browsing activity.

Findings of the AG

Following its investigation, the AG highlighted that the Respondents openly promoted spyware products as tools for covertly monitoring the device of another adult, and that the terms and conditions on most of the Respondents' websites acknowledged such use violated state and federal criminal statutes. Furthermore, the AG detailed that in some cases the Respondents' customer support staff even assisted customers with hacking into the accounts of their partners, to activate a spyware product. Likewise, the AG reported that the Respondents owned and operated several websites that misleadingly identified themselves as purveyors of independent, unbiased product reviews, but were in fact owned and controlled by the Respondents for the purpose of endorsing their own spyware products.

In addition, the AG outlined that the Respondents failed to disclose the need to perform an invasive procedure on consumer devices, known as 'rooting' on Android or 'jailbreaking' on Apple devices. Similarly, the AG specified that similar false claims were made regarding the data security of information obtained by spyware products.

Outcomes

As a result of the abovementioned violations, the AG stated that the Respondents must, among other things:

• within 60 days of the effective date, post on all websites hosted, operated, or controlled by the Respondents monitoring without consent, instructions on how individuals can remove spyware apps and change their iCloud credentials, as well as links to resources for the National Domestic Violence Hotline;
• ensure that the installed spyware app on all target devices display an icon identified with the name of the product or service, and that, when opened, the spyware app states the functions of the spyware app, and that the mobile device is being monitored;
• within 60 days of the effective date, post on all websites hosted, operated or controlled by the respondents, a clear and conspicuous statement on how spyware products can only be used for legal purposes;
• not engage in any advertising, marketing, or otherwise create any promotional material for their spyware product that suggests spyware products should be installed or used on a mobile device on another's device without their knowledge or consent; and
• develop and maintain a comprehensive written data and information security program that is consistent with § 899-bb of the General Business Law of New York, including reasonable technological, administrative, and physical safeguards designed to secure the private information of customers.

Finally, the AG imposed the aforementioned penalty of $410,000.

You can read the announcement here and the Assurance here.