The creator of Loverspy, software to surreptitiously observe individuals’ online activities, has been indicted for allegedly violating U.S. federal computer privacy laws, local and federal authorities announced Friday.
If convicted, Carlos Enrique Perez-Melara, could face a maximum sentence of 175 years in prison and fines of up to US$8.75 million. His current whereabouts are unknown.
Four individuals who purchased Loverspy to illegally spy on others were also indicted.
“This federal indictment — one of the first in the country to target a manufacturer of ‘spyware’ computer software — is particularly important because of the damage done to people’s privacy by these insidious programs,” John Richter, acting assistant attorney general of the U.S. Department of Justice’s Criminal Division, said in a statement. “Law enforcement must continue to take action against the manufacturers of these programs to protect unsuspecting victims and seek punishment for those responsible for wreaking havoc online.”
Perez-Melara, 25, was indicted on 35 counts of manufacturing, sending and advertising a surreptitious interception device (the Loverspy program), unlawfully intercepting electronic communications, disclosing unlawfully intercepted electronic communications and obtaining unauthorized access to protected computers for financial gain. Each count carries a maximum penalty of five years in prison and a maximum fine of $250,000.
His indictment was returned on July 21 by a federal grand jury sitting in the U.S. District Court for the Southern District of California in San Diego, but the indictment was only unsealed Friday.
Perez-Melara advertised and sold Loverspy and EmailPI software over the Internet for $89 a copy to people looking to secretly monitor an individual’s e-mail, passwords, chat sessions, instant messages and the Web sites they visited. Purchasers of the program could log into a Loverspy Members Area on the Loverspy or EmailPI Web sites and choose an e-card and greeting that would be sent to the victim.
Loverspy would arrive hidden inside the e-card and would launch when the victim opened the card. After being installed, Loverspy would send regular reports collating the victim’s online activities either directly to the purchaser of the spy software via e-mail or to Perez-Melara, who would then forward the reports on to the purchaser. The spyware also enabled the purchaser to remotely control the victim’s computer to the extent of altering and deleting files and being able to surreptitiously turn on any Web camera hooked up to the victim’s computer.
From around July 1, 2003, until Oct. 10, 2003, approximately 1,000 individuals in the U.S. and abroad bought Loverspy and sent e-cards containing the application to around 2,000 people, according to the authorities. Around half of those 2,000 are known to have had their computers compromised and their communications intercepted, the indictment stated. The antivirus software of the day didn’t identify Loverspy as dangerous, so it didn’t block the program’s installation, the indictment noted. Perez-Melara’s operations were shut down after the U.S. Federal Bureau of Investigation executed a federal search warrant on his San Diego apartment on Oct. 10, 2003.
The victims named in the indictment are located in California, Hawaii, Missouri, New Hampshire, North Carolina, Pennsylvania and Texas.
The four other individuals indicted with Perez-Melara by the federal grand jury in San Diego are John Gannitto of Laguna Beach, California, Kevin Powell of Long Beach, California, Laura Selway of Irvine, California, and Cheryl Ann Young of Ashland, Pennsylvania. They are each charged with two counts — unauthorized access to protected computers [via Loverspy] in furtherance of other criminal offenses and illegally intercepting the electronic communications of their victims. Each of the two counts carries a maximum penalty of five years in prison and a maximum fine of $250,000.
Other purchasers of Loverspy have been prosecuted by federal authorities in Charlotte, North Carolina, Dallas and Honolulu. Prosecutions are going ahead in Kansas City, Missouri, and Houston. All known Loverspy victims have been notified by e-mail that they were targeted by the program, according to the authorities.
