Serial spyware founder Scott Zuckerman wants the FTC to unban him from the surveillance industry

The founder of a spyware company who was banned from the surveillance industry following an earlier data breach is now seeking to undo the ban, according to the Federal Trade Commission. 

In a notice on Friday, the federal watchdog said Scott Zuckerman sought to rescind or modify the 2021 ban imposed by the FTC on his company Support King and its subsidiaries. 

The ban included a provision requiring Zuckerman to maintain certain cybersecurity practices and undergo frequent audits for any of his businesses, after his spyware subsidiary SpyFone in 2018 spilled thousands of people’s private phone data, including photos, messages, and location data, to the public web.

The FTC’s then five commissioners unanimously voted to ban Zuckerman and Support King from offering, selling, or promoting any phone-monitoring app, preventing him from operating in the surveillance industry. 

Zuckerman now claims the order imposed an “unnecessary burden” because the financial costs needed to comply with the order made it more difficult for him to expand his other businesses.

The review of Zuckerman’s petition is expected to be closely watched by privacy advocates and critics of the surveillance industry and could signal one of the first major cybersecurity tests for the Republican-controlled federal agency. If the agency moves to modify the order or vacate it entirely, it would pave the way for a surveillance vendor with a history of data breaches to legally operate again unimpeded.

Despite the ban taking effect in 2021, Zuckerman was caught involved in another spyware operation less than a year later. 

In 2022, TechCrunch received a cache of breached data from the servers of a phone spyware app called SpyTrac, which revealed it was being run by a group of freelance developers with direct ties to Support King, likely to skirt the FTC’s ban. The breached data also contained records from SpyFone, despite the FTC’s order requiring the company to delete the data it illegally obtained from victims’ phones. SpyTrac went offline soon after we contacted Zuckerman for comment.

Zuckerman’s petition is already facing criticism from the security community.

“I think this petition should be opposed loudly and vigorously. Mr. Zuckerman has repeatedly shown himself to be a bad actor, flouting the FTC by continuing to run his stalkerware company even after the ban was issued,” Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation, told TechCrunch.

“There is no doubt that both the ban and the continued reporting requirements are personally burdensome to him, but I would argue that that is the point,” said Galperin. “I have no doubt that Mr. Zuckerman would start up another stalkerware company the minute he thought he could get away with it.” 

It’s not clear how the FTC will vote on Zuckerman’s petition, nor did the agency set a date. A spokesperson for the FTC did not comment when reached by TechCrunch. The FTC is required by law to seek comments on petitions to undo the agency’s orders. 

The public can leave feedback on Zuckerman’s petition until August 19.

The FTC is chaired by Trump-appointed Andrew Ferguson, who serves alongside two other Republicans, Mark Meador and Melissa Holyoak. Democratic commissioner Rebecca Kelly Slaughter was reappointed to the FTC last week after the Trump administration attempted to fire her. The remaining fifth commissioner seat remains vacant. 

In his petition, Zuckerman appealed to Ferguson directly and the commission’s “current enforcement philosophy,” which Zuckerman told TechCrunch was about “making sure regulations actually provide a positive impact for consumers and the public.”

Galperin, meanwhile, said it was important to maintain the reporting requirements on Zuckerman’s future ventures if they are “in any way connected to the internet because he has repeatedly demonstrated that he cannot secure sensitive user data.”

Adblock test (Why?)