... but the battle goes far beyond mobile monitoring apps

Stalkerware is only one of the tools used as a tactic for abuse

Apps that exist for monitoring purposes are available within seconds of a quick search on Google. All you need is access to a device to install it.

Take Spyic – software that describes itself as a “remote monitoring app” that’s compatible with both Android and iPhone operating systems.

It costs a mere $100 for a year’s subscription, which provides the user with the call logs, real-time location, text messages, and effectively the entire contents of the device on which it is installed. A keylogger is available with a premium subscription.

Knowing where a child is, or making sure that employees are steering clear of porn sites, are some supposedly legitimate reasons for purchasing the software package. However, a blog post published by the company highlights how it is being marketed for far more sinister purposes.

“Each of Spyic’s features is designed so you can keep an eye on your spouse and catch her cheating,” the post, written by an unnamed author, reads.

“When you are using Spyic, your spouse will never know that they are being monitored (unless you tell them yourself).”

Tech-enabled abuse

Technology was facilitating abuse long before the proliferation of the smartphone and GPS location trackers. Car odometer readings, for example, were used by some to monitor the distance travelled, thus becoming a means of exerting control over another individual without their knowledge or consent.

Erica Olsen is the director of the Safety Net Project at the National Network to End Domestic Violence (NNEDV), the largest non-profit in the US focused on providing support to those impacted by intimate partner abuse.

The Department of Justice (DoJ) estimates (PDF) that between 2003 and 2012 intimate partner violence accounted for 15% of all violent crime in the US. There are no statistics related to how digital devices enable this crime to occur.

“Technology can appear overwhelming and scary, but it’s not something that’s unusual in intimate partner abuse scenarios,” Olsen told The Daily Swig, explaining that nearly all cases of intimate partner violence typically contain an online element of abuse.

“The tactics are the same and are about controlling, monitoring, and terrifying someone else, whether it’s online or offline.”

But technology like Spyic has caught the attention of US Congress and the global cybersecurity industry alike – not least for the app’s ability to remain hidden, leaving the target unaware that they are being spied on.

Dangerous precedent

In October 2018, the Federal Trade Commission (FTC) brought its first case against a developer of so-called ‘stalkerware’ tools, with Retina-X Studios ultimately being banned from distributing three apps designed to remotely monitor devices.

The case initially came to the attention of the FTC after Retina-X disclosed a major data breach as part of a series of cyber-attacks on the spyware manufacturer market.

At the time, Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a statement: “This is our first action against a so-called ‘stalking app’. Although there may be legitimate reasons to track a phone, these apps were designed to run surreptitiously in the background and are uniquely suited to illegal and dangerous uses.

“Under these circumstances, we will seek to hold app developers accountable for designing and marketing a dangerous product.”

Retina-X Studios, which had marketed itself much like Spyic – as a service to be used for child or employee monitoring purposes – was forced to alter its apps so that they would display a visible icon on the device where they had been installed.

The FTC ruling was welcomed by consumer advocate groups like the Electronic Frontier Foundation (EFF), but this did little to stop the ever-expanding market of surveillance tools, and made the consumer protection agency look as powerful as law enforcement does when it comes to policing the Google Play store.

Slipping through the cracks

According to David Ruiz, a privacy advocate with Malwarebytes, the patchwork of laws and the complexity of the stalkerware landscape have let these apps slip through the cracks, leaving victims with no real legal protection from their abuser, and law enforcement with too few resources to put a case together.

“When it comes to stalking and cyberstalking, the state laws are different,” Ruiz told The Daily Swig.

“Some bundle them into the same offence and some say that cyberstalking, at a certain level, is only a misdemeanour, whereas stalking could rise to the occasion of a felony.”

At the end of 2019, Ruiz helped launch the Coalition Against Stalkerware – an organization of cybersecurity vendors and charities, uniting to work towards eradicating abusive technology and software from society.

The coalition aims to “improve awareness of stalkerware and define industry best practice for detection methods,” Ruiz said.

“Or at least have a better understanding of what constitutes stalkerware and what doesn’t, so that the industry can collectively start protecting all users on a better level,” he said.

When it comes to ‘cyberstalking’, however, an offense that is not recorded in the FBI’s Internet Crime Report, the digital tools that are used tend to be emails, text messages, calls, and voicemails, as stated in a 2016 report (PDF) about online harassment and digital abuse in the US by the non-profit Data & Society.

The majority of intimate partner violence cases, Olsen explained, are perpetrated by a former or current partner, with abuse being wielded through the devices and online platforms that are used in the home every day.

“There is definitely a significant impact on survivors and there is a lot of concern about these products,” Olsen said.

“In most cases, it’s likely that the stalkerware is just one additional tool being used as a tactic of abuse.”

Trust and consent

The issue of technology-facilitated abuse, in the view of Olsen, goes much further and raises questions that strike at the heart of our entire digital ecosystem, where consent is automatically given and trust, more often than not, is taken for granted.


Stalkerware apps are not the only software used to monitor victims of intimate partner abuse


“Some people think stalkerware is on their phone, but it turns out that they’re misusing something else,” Olsen said. “[Such as] a Find My Phone feature, or they’re connected to the Cloud.”

The Safety Net Project continues to provide technical input to the design teams of big tech companies, pushing for products that are designed with privacy at the forefront. This includes education around the amount of personal data that exists online without a person’s knowledge.

“We have also been doing some work with smart home technologies, and things to harass, monitor, and control survivors,” Olsen said.

Late last month, the UK government proposed a law that would require IoT manufacturers to ship out devices designed with security in mind, including the removal of default passwords to reflect industry best practice.

While some have criticized the practicality of the new rules, which would likely require consumers to manage a number of complicated passwords across their devices, for an individual in a domestic violence situation, every unique password generated is another assurance of survival.

“It always comes back to access,” Olsen said.

“What’s the access level [of the device, account, or platform], who had access to the account, and who had access to the device.”

The Safety Net Project of the NNEDV has been running since 2000. If you are a victim of domestic violence in the US, you can contact the National Domestic Violence Hotline for guidance and support.

