'Loverspy' program creator indicted, on the run

The creator of Loverspy, software to surreptitiously observe individuals' online activities, has been indicted for allegedly violating federal computer privacy laws, local and federal authorities announced Friday.

If convicted, Carlos Enrique Perez-Melara, could face a maximum sentence of 175 years in prison and fines of up to $8.75 million. His current whereabouts are unknown.

Four individuals who purchased Loverspy to illegally spy on others were also indicted.

"This federal indictment -- one of the first in the country to target a manufacturer of 'spyware' computer software -- is particularly important because of the damage done to people's privacy by these insidious programs," John Richter, acting assistant attorney general of the U.S. Department of Justice's Criminal Division, said in a statement. "Law enforcement must continue to take action against the manufacturers of these programs to protect unsuspecting victims and seek punishment for those responsible for wreaking havoc online."

Perez-Melara, 25, was indicted on 35 counts of manufacturing, sending and advertising a surreptitious interception device (the Loverspy program), unlawfully intercepting electronic communications, disclosing unlawfully intercepted electronic communications and obtaining unauthorized access to protected computers for financial gain. Each count carries a maximum penalty of five years in prison and a maximum fine of $250,000.

His indictment was returned on July 21 by a federal grand jury sitting in the U.S. District Court for the Southern District of California in San Diego, but the indictment was only unsealed Friday.

Perez-Melara advertised and sold Loverspy and EmailPI software over the Internet for $89 a copy to people looking to secretly monitor an individual's e-mail, passwords, chat sessions, instant messages and the Web sites they visited. Purchasers of the program could log into a Loverspy Members Area on the Loverspy or EmailPI Web sites and choose an e-card and greeting that would be sent to the victim.

Loverspy would arrive hidden inside the e-card and would launch when the victim opened the card. After being installed, Loverspy would send regular reports collating the victim's online activities either directly to the purchaser of the spy software via e-mail or to Perez-Melara, who would then forward the reports on to the purchaser. The spyware also enabled the purchaser to remotely control the victim's computer to the extent of altering and deleting files and being able to surreptitiously turn on any Web camera hooked up to the victim's computer.

From around July 1, 2003, until Oct. 10, 2003, approximately 1,000 individuals in the U.S. and abroad bought Loverspy and sent e-cards containing the application to around 2,000 people, according to the authorities. Around half of those 2,000 are known to have had their computers compromised and their communications intercepted, the indictment stated. The antivirus software of the day didn't identify Loverspy as dangerous, so it didn't block the program's installation, the indictment noted. Perez-Melara's operations were shut down after the FBI executed a federal search warrant on his San Diego apartment on Oct. 10, 2003.

The IDG News Service is a Network World affiliate.