Senator Al Franken re-introduced a stalled bill to ban what he calls “stalking apps” on Wednesday. The proposed legislation seeks to protect survivors of domestic and other victims of abuse, from cyberstalkers.
The bill targets apps that track the location data of other users' cell phones. In a statement, Franken said these apps are “unconscionable — but perfectly legal”.
The Location Privacy Protection Act of 2015 is cosponsored by Senators Chris Coons (D-Del.) Elizabeth Warren (D-Mass.), Richard Blumenthal (D-Conn.), Dick Durbin (D-Ill.), Dianne Feinstein (D-Calif.), and Ed Markey (D-Mass.). (Disclaimer: This reporter is related through marriage to Senator Blumenthal.)
Some apps – such as mSpy, FlexiSPY, and ePhoneTracker – are even more intrusive, and enable users to intercept and record calls, track device location, and even “bug a room” through a device when the device owner is not using the phone. FlexiSPY even boasts on its website that it can capture the passwords of any Android, iPhone or iPad, “so you can access their services directly.”
The apps are unlike Remote Access Trojans (RATs); the mobile devices tracked by these apps are not infected by a remote network. Rather, the apps are downloaded directly onto the phone. Once downloaded, they are capable of nearly all of the surveillance activities as a RAT.
It is already illegal to use spyware apps without the knowledge of the device owner, yet because the apps include a disclaimer stating that use of the apps for “illegal purposes” is prohibited, the companies that make these apps a shielded from legal responsibility. Cases in which companies face repercussions are seldom enough so as not to deter spyware creators.
Franken would like this legislation to change that. He introduced similar legislation in 2014, but the bill failed to garner enough support, amidst criticism that it was too broad and would affect legitimate companies.
The new draft of the bill would require companies to get explicit consent from users before collecting location data; mandate companies to publicly disclose the data they're collecting, what they do with it, and who they share it with, and would prohibit companies from developing and operating “GPS stalking apps”. In addition, it would allow law enforcement to seize the proceeds of the sales of “stalking apps.”
In speaking with SCMagazine.com, Justin Harvey, chief security officer at Fidelis Cybersecurity, said Franken's bill is a necessary “first step towards classifying personally sensitive identifying information.” The legislation must include who will have access to data and for what purposes, he added.
“I also look forward to governing access to personally identifying information,” Harvey said.