'Loverspy' program creator indicted, on the run

Spyware developer skips town when faced with $12m fine and 175 years in jail

The creator of Loverspy, software to surreptitiously observe individuals' online activities, has been indicted for allegedly violating US federal computer privacy laws.

If convicted, Carlos Enrique Perez-Melara, could face a maximum sentence of 175 years in prison and fines of up to US$8.75 million (NZ$12.62 million). His current whereabouts are unknown.

Four individuals who purchased Loverspy to illegally spy on others were also indicted.

"This federal indictment — one of the first in the country to target a manufacturer of 'spyware' computer software — is particularly important because of the damage done to people's privacy by these insidious programs," John Richter, acting assistant attorney general of the US Department of Justice's Criminal Division, said in a statement. "Law enforcement must continue to take action against the manufacturers of these programs to protect unsuspecting victims and seek punishment for those responsible for wreaking havoc online."

Perez-Melara, 25, was indicted on 35 counts of manufacturing, sending and advertising a surreptitious interception device (the Loverspy program), unlawfully intercepting electronic communications, disclosing unlawfully intercepted electronic communications and obtaining unauthorised access to protected computers for financial gain. Each count carries a maximum penalty of five years in prison and a maximum fine of US$250,000.

His indictment was returned on July 21 by a federal grand jury sitting in the US District Court for the Southern District of California in San Diego, but the indictment was only unsealed on Friday.

Perez-Melara advertised and sold Loverspy and EmailPI software over the internet for $89 a copy to people looking to secretly monitor an individual's email, passwords, chat sessions, instant messages and the websites they visited. Purchasers of the program could log into a Loverspy Members Area on the Loverspy or EmailPI websites and choose an e-card and greeting that would be sent to the victim.

Loverspy would arrive hidden inside the e-card and would launch when the victim opened the card. After being installed, Loverspy would send regular reports collating the victim's online activities either directly to the purchaser of the spy software via email or to Perez-Melara, who would then forward the reports on to the purchaser. The spyware also enabled the purchaser to remotely control the victim's computer to the extent of altering and deleting files and being able to surreptitiously turn on any web camera hooked up to the victim's computer.

From around July 1, 2003, until October 10, 2003, approximately 1,000 individuals in the US and abroad bought Loverspy and sent e-cards containing the application to around 2,000 people, according to the authorities. Around half of those 2,000 are known to have had their computers compromised and their communications intercepted, the indictment states. The antivirus software of the day didn't identify Loverspy as dangerous, so it didn't block the program's installation, the indictment notes. Perez-Melara's operations were shut down after the US Federal Bureau of Investigation executed a federal search warrant on his San Diego apartment on October 10, 2003.

The victims named in the indictment are located in California, Hawaii, Missouri, New Hampshire, North Carolina, Pennsylvania and Texas.

Four other individuals indicted with Perez-Melara by the federal grand jury in San Diego. They are each charged with two counts: unauthorised access to protected computers [via Loverspy] in furtherance of other criminal offences and illegally intercepting the electronic communications of their victims. Each of the two counts carries a maximum penalty of five years in prison and a maximum fine of US$250,000.

Other purchasers of Loverspy have been prosecuted by federal authorities in Charlotte, North Carolina, Dallas and Honolulu. Prosecutions are going ahead in Kansas City, Missouri and Houston. All known Loverspy victims have been notified by email that they were targeted by the program, according to the authorities.