A slap on the wrist for a digital menace
In a decision that has drawn sharp criticism from privacy advocates and security experts, a San Diego federal judge has sentenced Bryan Fleming, the creator of the stalkerware application pcTattletale, to a mere $5,000 fine and two years of supervised release. The sentence includes no additional prison time beyond the single day he had already served. This case marks the first federal criminal prosecution of a stalkerware developer in the United States in a decade, and its outcome raises serious questions about the legal system's ability to deter the creation and distribution of tools used for tech-facilitated abuse.
Fleming pleaded guilty in October 2023 to one count of accessory after the fact to computer intrusion, a charge stemming from his role in creating and selling software that enabled thousands of users to covertly monitor the devices of others. The lenient sentence stands in stark contrast to the profound harm his product facilitated, leaving many to wonder if justice was truly served.
Background: From civil action to criminal charges
The legal pursuit of pcTattletale began not with the Department of Justice (DOJ), but with the Federal Trade Commission (FTC). In September 2022, the FTC filed a civil complaint against Fleming and his company, alleging that pcTattletale illegally spied on individuals by secretly collecting vast amounts of sensitive data. The FTC's action resulted in a settlement that banned Fleming from the surveillance app industry and required him to delete all collected data and notify victims that their devices had been compromised.
While the FTC's civil actions can dismantle a company's operations, they lack the punitive weight of criminal charges. The subsequent criminal case brought by the DOJ was therefore seen as a significant step. It was the first of its kind since 2014, when Hammad Akbar, the CEO of a similar spyware company called StealthGenie, was prosecuted. Akbar also received a relatively light sentence of time served and a fine, establishing a concerning precedent that the Fleming case has now reinforced.
The decade-long gap between these prosecutions highlights the legal and technical challenges in holding stalkerware creators criminally accountable. These developers often operate in a legal gray area, marketing their products under the guise of legitimate parental or employee monitoring tools, while building features explicitly designed for stealth and non-consensual surveillance.
Technical details: How pcTattletale worked
Unlike malware that exploits software vulnerabilities to gain access, stalkerware like pcTattletale typically relies on a different vector: physical access. An individual would need to install the application directly onto a target's computer or smartphone, often without their knowledge or consent. Once installed, the software was designed to be difficult to detect, running silently in the background.
Its capabilities were extensive and deeply invasive:
- Continuous Screen Capture: The software recorded everything happening on the screen, essentially creating a video log of all activity, including private messages, banking information, and personal photos.
- Keystroke Logging: It captured every keystroke, revealing passwords, search queries, and the content of every typed message or document.
- Live Viewing: The person who installed the software could watch the target's screen in real time from a remote dashboard.
- Data Exfiltration: All this captured information was uploaded to pcTattletale's servers, where the purchaser could access it at any time.
The application's core design principle was stealth. It did not create desktop shortcuts or appear in standard application lists, making it difficult for a non-technical user to discover. This covert nature is what firmly places it in the category of stalkerware, a tool frequently weaponized by abusers in domestic violence situations to monitor, harass, and control their partners.
Impact assessment: A failure of deterrence
The primary victims of pcTattletale were thousands of individuals whose digital lives were laid bare without their permission. Stalkerware is a key instrument in tech-facilitated abuse, enabling perpetrators to maintain psychological control, isolate victims from support networks, and even stalk them physically. The FTC noted in its initial complaint that such apps are "often used by abusers to spy on their partners."
The sentence has been met with dismay by those on the front lines of the fight against digital abuse. Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation (EFF), described the outcome as "deeply disappointing" in a statement to The Record. She argued that the sentence "sends the wrong message" and fails to create a meaningful deterrent for other stalkerware developers. When the potential profit from selling these malicious tools far outweighs a $5,000 fine, the penalty becomes little more than a minor cost of doing business.
This case underscores a critical disconnect between the severe real-world harm caused by stalkerware and the legal consequences faced by its creators. For victims, the outcome may feel like a dismissal of the violation and fear they experienced. For the broader security community, it signals that the legal framework for prosecuting these cases remains inadequate.
How to protect yourself
Protecting yourself from stalkerware requires a combination of good digital hygiene and situational awareness. Because these apps often require physical access to install, securing your devices is the first line of defense.
- Secure Your Lock Screen: Use a strong, complex passcode or biometric authentication (fingerprint or face ID) on all your devices. Never share your passcode with anyone you do not trust completely.
- Be Mindful of Physical Access: Do not leave your devices unattended, especially around individuals who may wish to monitor you.
- Review Device Administrators and Profiles: On Android, check Settings > Security > Device admin apps. On iOS, check Settings > General > VPN & Device Management. Remove any profiles or apps you do not recognize.
- Scan Your Device: Install and run a reputable mobile antivirus or anti-malware application. These tools are often capable of detecting and flagging known stalkerware apps.
- Watch for Warning Signs: Be alert to sudden and unexplained battery drain, excessive data usage, or your device running unusually hot or slow. These can be indicators of a malicious app running in the background.
- Use Privacy-Enhancing Tools: While it won't remove existing stalkerware, using a VPN service can help protect your internet traffic from being snooped on over unsecured networks, adding a layer of encryption to your online activities.
Important Note for Potential Victims: If you suspect you are a victim of stalking and find suspicious software on your device, do not remove it immediately. Doing so could alert your abuser and potentially escalate the situation. Instead, contact a domestic violence support organization, such as the National Network to End Domestic Violence (NNEDV), to help you create a safety plan before taking any action.
The pcTattletale case is a stark reminder that while technology evolves, the legal and social frameworks to manage its misuse lag behind. A $5,000 fine for enabling widespread, intimate surveillance is not justice; it is an invitation for the next developer to try their hand, knowing the risks are low and the profits are high.




