A U.S. software entrepreneur once barred from the surveillance industry is again under scrutiny after regulators revealed he may have attempted to re-enter the stalkerware market through new ventures. The case has reopened long-standing concerns about abusive monitoring tools, weak data security and the limited reach of federal oversight.
A Banned Stalkerware Maker Tries to Return
When the Federal Trade Commission announced this week that it had denied a petition to lift a surveillance ban on Scott Zuckerman, it revived a case that had come to symbolize the risks of a loosely regulated stalkerware industry. Zuckerman, the founder of the spyware company Support King and its subsidiaries SpyFone and OneClickMonitor, was prohibited in 2021 from offering or promoting any consumer surveillance tool after a series of data breaches left intimate information of thousands of people exposed online.
Despite that order, the FTC said Zuckerman sought permission earlier this year to resume operating in the sector. In its denial, the commission said the ban was necessary to prevent further harm, particularly given the scale of the earlier breach, which exposed photos, text messages, chat logs, audio recordings, locations and passwords from the devices of both stalkerware users and the individuals being monitored.
The petition’s rejection underscores the government’s growing worry over surveillance apps that enable customers to covertly track partners, family members or employees, tools that cybersecurity experts say remain both widespread and insecure.
A History of Data Breaches and Regulatory Action
Long before the FTC stepped in, privacy researchers had been sounding alarms about stalkerware’s porous security practices. TechCrunch, which has tracked breaches across the industry for eight years, reports that at least 26 stalkerware companies have either been hacked or left sensitive user data publicly exposed.
Zuckerman’s companies were among the most prominent examples. In 2018, a security researcher discovered an unprotected Amazon S3 bucket belonging to SpyFone that contained more than 44,000 unique email addresses and data from at least 3,666 phones running the app. The files included thousands of images, audio clips and messages, all accessible to anyone who knew where to look.
Regulators later described the company’s security as “slipshod.” Samuel Levine, then acting director of the FTC’s Bureau of Consumer Protection, called SpyFone “a brazen brand name for a surveillance business that helped stalkers steal private information,” adding that the app was hidden from phone owners while remaining fully exposed to hackers. Those findings prompted the 2021 FTC order mandating that Zuckerman delete the data, undergo years of independent audits and exit the surveillance industry entirely.
New Allegations Surface Despite the Ban
Less than a year after the FTC’s order, TechCrunch reported that Zuckerman appeared linked to another stalkerware operation, SpyTrac. Data leaked from that app revealed it was run by freelance developers with direct ties to Support King. The trove also included records from SpyFone, which Zuckerman had been ordered to erase, and digital keys to access OneClickMonitor’s storage system.
Eva Galperin, a prominent advocate working to curb stalkerware, said the new revelations suggested that Zuckerman “did not learn his lesson.” Galperin, director of cybersecurity at the Electronic Frontier Foundation, said Zuckerman seemed to hope that lying low for a few years would cause regulators and the public to forget the seriousness of the FTC’s earlier findings.
The resurfacing of Zuckerman’s name attached to leaked databases, only a short time after the surveillance ban, added to concerns that individuals barred from the industry may still find ways to work behind the scenes.
A Struggle Over Compliance and Accountability
In his petition, Zuckerman argued that the FTC’s compliance requirements had imposed substantial financial burdens and interfered with his ability to run other ventures, including a restaurant and tourism projects in Puerto Rico. Support King is no longer operating, he said, and therefore the ban should be eased.
Regulators rejected that argument. They noted the ongoing risks posed by surveillance tools and the repeated security lapses of companies tied to Zuckerman. When contacted by TechCrunch for comment, he declined to respond, referring inquiries to his attorney.
For cybersecurity experts, the case reflects a larger, unresolved question: how to enforce accountability in an industry whose products are designed for secrecy, offer little transparency and have a long record of exposing highly sensitive information.
Zuckerman is one of the highest-profile figures to be barred from the stalkerware market, and his attempts to return have become a test of the system’s capacity to prevent repeat offenses and of how far regulators can go to protect the privacy of those whose data is captured without their knowledge.
