Stalkerware sales treated lightly by US court

For years he sold and supported stalkerware. The US federal court settles for a moderate fine.


For years, he sold and supported stalkerware under the name pcTattletale. He openly advertised it for the secret surveillance of adults and provided support for it. He was arrested in December 2022, but released the next day. Now, the US District Court surprises with a mild penalty for Bryan Fleming: he has to pay 5,100 US dollars, with no interest.

According to the indictment and confession, the American possessed, advertised, and distributed eavesdropping devices from 2017 to 2022. However, the Internet Archive's Wayback Machine shows that stalkerware for Windows was offered under the domain pctattletale.com since at least 2013, and for macOS since 2008 at the latest. A YouTube video archived there also shows the perpetrator announcing his spyware for Android in 2016.

His lawyer stated to the court that the man did not know stalkerware was illegal until his arrest on December 7, 2022. However, according to TechCrunch, he only stopped his business in mid-2024. Nor was the business a paragon of IT security: as early as 2021 and again in 2024, the screenshots taken by the spyware were found unprotected online.

Subsequently, a third party managed to get Fleming to hand over the keys to his AWS (Amazon Web Services) account. This was followed by a website defacement and the exposure of the perpetrator. Only then did pcTattletale cease operations. According to the intruder's report, the illegal service had 138,000 customers at the time, over 300 million stored screenshots, and had apparently been a victim of an undiscovered backdoor itself since 2011. Fleming, on the other hand, stated in the proceedings that he had only gained around 1,200 customers per year.

The offense theoretically carries a sentence of up to 15 years in prison. After accounting for the confession and his prior clean record, sentencing guidelines suggested up to six months. The judge of the US District Court for the Southern District of California left it at "time served", meaning the one day Fleming spent in custody in December 2022, as well as the aforementioned fine. Furthermore, the assets associated with the crime will be forfeited.

It is possible that the fact that not a single victim submitted a so-called victim impact statement in the criminal proceedings played a role. These are personal reports on the effects of the crime, which the court must consider when determining the sentence. The extent of the efforts made by the investigating US Department of Homeland Security to notify the victims is not evident from the court file.

Numerous providers advertise their stalkerware online. What is unusual about this case is that the perpetrator lives in the USA and appeared openly. According to TechCrunch, it is the first conviction for distributing stalkerware in the USA in twelve years.

The case is called USA v Bryan Fleming and was conducted at the US District Court for the Southern District of California under file number 3:26-CR-00019.

(ds)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.