Technology, Thoughts & Trinkets

Touring the digital through type

Category: Mobiles (page 1 of 10)

A Predator in Your Pocket : A Multidisciplinary Assessment of the Stalkerware Application Industry

With a series of incredible co-authors at the Citizen Lab, I’ve co-authored a report that extensively investigates the stalkerware ecosystem. Stalkerware refers to spyware which is either deliberately manufactured to, or repurposed to, facilitate intimate partner violence, abuse, or harassment. “A Predator in Your Pocket” is accompanied by a companion legal report, also released by the Citizen Lab. This companion report is entitled “Installing Fear: A Canadian Legal and Policy Analysis of Using, Developing, and Selling Smartphone Spyware and Stalkerware Applications,” and conducts a comprehensive criminal, civil, regulatory, and international law assessment of the legality of developing, selling, and using stalkerware.

A Predator In Your Pocket: Executive Summary

Persons who engage in technology-facilitated violence, abuse, and harassment sometimes install spyware on a targeted person’s mobile phone. Spyware has a wide range of capabilities, including pervasive monitoring of text and chat messages, recording phone logs, tracking social media posts, logging website visits, activating a GPS system, registering keystrokes, and even activating phones’ microphones and cameras, as well as sometimes blocking incoming phone calls. These capabilities can afford dramatic powers and control over an individual’s everyday life. And when this software is used abusively, it can operate as a predator in a person’s pocket, magnifying the pervasive surveillance of the spyware operator.

Intimate partner violence, abuse, and harassment is routinely linked with efforts to monitor and control a targeted person. As new technologies have seeped into everyday life, aggressors have adopted and repurposed them to terrorize, control, and manipulate their current and former partners. When National Public Radio conducted a survey of 72 domestic violence shelters in the United States, they found that 85% of domestic violence workers assisted victims whose abuser tracked them using GPS. The US-based National Network to End Domestic Violence found that 71% of domestic abusers monitor survivors’ computer activities, while 54% tracked survivors’ cell phones with stalkerware. In Australia, the Domestic Violence Resources Centre Victoria conducted a survey in 2013 that found that 82% of victims reported abuse via smartphones and 74% of practitioners reported tracking via applications as often occurring amongst their client base. In Canada, a national survey of anti-violence support workers from 2012 found that 98% of perpetrators used technology to intimidate or threaten their victims, that 72% of perpetrators had hacked the email and social media accounts of the women and girls that they targeted, and that a further 61% had hacked into computers to monitor online activities and extract information. An additional 31% installed computer monitoring software or hardware on their target’s computer.

Spyware that possesses powerful surveillance capabilities are routinely marketed to consumer audiences to facilitate intimate partner surveillance, parent-child monitoring, or monitoring of employees. When these powerful capabilities are used to facilitate intimate partner violence, abuse, or harassment, we refer to such spyware as stalkerware.

Across a range of use-cases, spyware can easily transform into stalkerware. Perhaps most obviously, spyware that is explicitly sold or licenced to facilitate intimate partner violence, abuse, or harassment, including pernicious intrusions into the targeted person’s life by way of physical or digital actions, constitutes stalkerware by definition. However, spyware can also operate as stalkerware when surveillance software that is sold for ostensibly legitimate purposes (e.g., monitoring young children or employees) is repurposed to facilitate intimate partner violence, abuse, or harassment. To be clear, this means that even application functions which are included in mobile operating systems, such as those which help to find one’s friends and colleagues, can constitute stalkerware under certain circumstances.

“The Predator in Your Pocket: A Multidisciplinary Assessment of the Stalkerware Application Industry” is a report that was collaboratively written by researchers from computer science, political science, criminology, law, and journalism studies. As befits their expertise, the report is divided into several parts, with each focusing on specific aspects of the consumer spyware ecosystem, which includes: technical elements associated stalkerware applications, stalkerware companies’ marketing activities and public policies, and these companies’ compliance with Canadian federal commercial privacy legislation.

Part 1 discusses the harms which are associated with a person being targeted by stalkerware, the full range of marketed capabilities associated with such malicious software, and lays out our justification for conducting research into a small handful of companies: in short, we found that the following companies appeared to be the most popular in the commercial markets in Canada, the United States, and Australia, and so we directed our resources on examining:

1) FlexiSPY;
2) Highster Mobile;
3) Hoverwatch;
4) Mobistealth;
5) mSpy;
6) TeenSafe;
7) TheTruthSpy; and
8) Cerberus.

The rest of Part 1 provides a literature review for the subsequent Parts of the report, and makes clear where our research is meant to fill gaps in the published literature, or otherwise to reconfirm or retest results which have been published by other researchers. We posed a series of research questions based on assessments of relevant disciplinary literatures which are taken up in each of the following Parts of the report.

Part 2 undertakes a technical assessment of specific stalkerware applications. We focused on Android applications because Android-based stalkerware involves actually installing malware on a targeted person’s devices. This process stands in contrast to stalkerware for iOS, which routinely depends on obtaining a targeted person’s iCloud password to exfiltrate information for the person’s iCloud backups. In the course of our research, we examined network activity, measured protection from commercial anti-virus products as well as Google’s Play Protect system, and determined the extent to which stalkerware applications’ self-update mechanisms might expose targeted persons to digital security risks in excess of those exclusively associated with the violence, abuse, and harassment from the operator of the stalkerware. Emergent from this research, we found that:

  • Stalkerware we examined depends on intermediaries, principally located in the United States, Netherlands, and Hong Kong;
  • Antivirus products generally identify stalkerware apps as being malicious;
  • Google Play Protect can block stalkerware installation and remove installed stalkerware but it may not protect against the newest versions of stalkerware applications until a period of time after they are released; and
  • Stalkerware developers insecurely implemented software update systems.

In Part 3, we evaluated how companies which sold stalkerware, and software which could be repurposed as stalkerware, marketed their products to prospective customers. We used marketing intelligence methods, as well as content analysis, to conclude that many of the companies studied were actively promoting their software for the purposes of facilitating stalking and, by extension, intimate partner violence, abuse, and harassment. More specifically, we found that:

  • Consumer spyware companies’ blog and search engine optimization content revealed that most companies had extensive references to spousal monitoring;
  • One company, mSpy, encoded concealed HTML text which advertised spousal spying on their website as a way to make their products more easily discoverable by people searching for ways to conduct intimate partner surveillance;
  • Few companies significantly purchased Google Ads as part of their search engine optimization strategies, with the exception of mSpy;
  • The substance of paid Google Ads tended to favour the use of the tools for general spying, hacking, or tracking, and did not include adwords that might help persons targeted by stalkerware to detect or remove the respective companies’ software; and
  • Individual organic searches that related to the spyware companies in our sample overwhelmingly favoured terms that identified the general use of the tools for spying, hacking, or tracking, and explicitly noted the circumvention of security features of products associated with the broader digital ecosystem.

Part 4 of the report undertook a content assessment of companies’ user-facing public policies. We interrogated companies’ respective privacy policies, terms of service documents, and End User Licence Agreements using a structured question set. This methodology let us better understand the policies which the companies adopted concerning the collection, processing, and storage of personal information
associated with stalkerware operators as well as with the persons targeted by these operators. Emergent from this assessment, we concluded that the companies:

  • Failed to make it clear how the victims of stalkerware can have their data deleted when they have not meaningfully consented to the collection;
  • Failed to fully account for the personally identifiable information that can be captured when operating the software, thus circumventing the purpose and rationale of privacy policies to educate those affected by software to understand how it operates and collects such information; and
  • Failed to adopt policies to notify persons targeted by stalkerware in the case of data breaches, or even individuals contracting for the services.

In Part 5, we conducted an assessment of stalkerware companies’ business practices through the lens of Canada’s federal commercial privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Our assessment examined the extent to which companies are accountable to PIPEDA and their corresponding obligations. We ultimately concluded that:

  • Stalkerware companies should be found accountable under PIPEDA for the collection and processing of targeted persons’ personal data on the basis that the companies collect personal information, engage in relevant commercial activities, and collect, use, or disclose targeted persons’ data;
  • Given the potential for stalkerware companies to argue that they are exempt from PIPEDA’s obligations, the OPC should issue an interpretation bulletin or additional accompanying statement to the Guidelines for obtaining meaningful consent or Guidance on inappropriate data practices that specifically address stalkerware, or the use of spyware in abusive contexts. Additionally, Parliament should consider reforming commercial sector data protection legislation to close loopholes that we have identified;
  • Stalkerware companies ought to be obligated under PIPEDA to have extremely stringent data security practices based on the sensitivity of the data that they collect, process, disclose, and store; this pertains when these applications are used for ostensibly “legitimate” purposes and, as such, should apply to the collection of intimate data in the course of products being (re)purposed for stalkerware; and
  • PIPEDA and the European Union’s General Data Protection Regulation (GDPR) identify significant obligations that are imposed upon companies which sell products that have features enabling them to be used as stalkerware. The strength of the GDPR is ultimately found in the significant financial penalties which can be assigned to companies which fail to comply with the law. This is a strength that Parliament should add to PIPEDA by way of enabling the Privacy Commissioner of Canada to impose administrative monetary penalties and directly enforce its recommendations on companies.

Notably, PIPEDA only applies to the activities undertaken by business and organizations; as such, our assessment does not attend to the broader Canadian criminal law, tort law, privacy law, product liability, consumer protection, intellectual property, and intermediary liability law that are attached to the legality of using, creating and developing, selling, or facilitating the distribution of stalkerware applications. A broader legal assessment of stalkerware, as well as a set of recommendations for legal and policy reform to address some of the harms that stalkerware engenders, can be found in a companion report entitled “Installing Fear: A Canadian Legal and Policy Analysis of Using, Developing, and Selling Smartphone Spyware and Stalkerware Applications.”

In Part 6, we collect our major findings from our multidisciplinary research and propose a range of recommendations that would mitigate some of the harms associated with stalkerware companies’ practices and products. We focused on issues associated with consent, accountability and redress by jurisdiction, as well as data security and data protection. Specifically, our major findings included:

  • There were significant and disturbing failures by the companies in this study to obtain meaningful and ongoing consent, which seriously increased the risks and threats faced by those who operators target with stalkerware. This omission was further marked by failures to ensure that targeted persons could exercise their data access and deletion rights under Canadian privacy law;
  • While these companies were accountable under Canadian consumer privacy law, the limited ‘bite’ of that law may impede its ability—and, by extension, that of the Office of the Privacy Commissioner of Canada—to establish preemptive deterrence or ex post remedy and enforcement;
  • Not all of the companies in this study indicated that data security was a meaningful element in their privacy policies, despite Canadian law imposing data security obligations; and
  • Google’s Play Protect service in tandem with antivirus applications appeared, in initial testing, to relatively reliably identify stalkerware. However, more long-term testing is required to further confirm these results.

Ultimately, the availability of stalkerware applications is the result of broader social conditions that either lead developers to believe it is appropriate to create software designed for stalking or, alternately, to create applications for ostensibly legitimate purposes that can be repurposed to facilitate surreptitious intimate partner surveillance. The recommendations that we propose in this report might, if adopted, rebalance stark information asymmetries between the operator and target(s) of stalkerware. This rebalancing would address a core aspect of how stalkerware works as a tool to facilitate intimate partner violence, abuse, and harassment: by mitigating the potential for operators to engage in pervasive and surreptitious surveillance. Adopting these recommendations would also ensure meaningful and ongoing consent to any individuals that might use these tools for ostensibly legitimate purposes.

These recommendations are, however, only part of a much broader series of technical and social transformations which are required to remedy the wider, and pervasive, issues that give rise to forms of gender-related violence, abuse, and harassment. While the technical and legal remedies outlined in this report might provide important relief in the context of consumer spyware, the ongoing struggle to transcend patriarchal gender inequalities, misogyny, and corrosive societal norms around controlling, abusive, and violent behaviour directed at women, girls, non-binary persons, and children is an undertaking that requires critical and supportive communities at its core. We hope that this report provides insight into some of the deleterious manifestations of these norms, and that the structural recommendations which we provide help to alleviate some of these long-standing social harms.

Download “The Predator in Your Pocket: A Multidisciplinary Assessment of the Stalkerware Application Industry”

The (In)effectiveness of Voluntarily Produced Transparency Reports

Payphones by Christopher Parsons (All Rights Reserved)

I have a paper on telecommunications transparency reports which has been accepted for publication in Business and Society for later this year.

Centrally, the paper finds that companies will not necessarily produce easily comparable reports in relatively calm political waters and that, even should reports become comparable, they may conceal as much as they reveal. Using a model for evaluating transparency reporting used by Fung, Graham, and Weil in their 2007 book, Full Disclosure: The Perils and Promises of Transparency, I find that the reports issued by telecommunications companies are somewhat effective because they have led to changes in corporate behaviour and stakeholder interest, but have have been largely ineffective in prodding governments to behave more accountably. Moreover, reports issued by Canadian companies routinely omit how companies themselves are involved in facilitating government surveillance efforts when not legally required to do so. In effect, transparency reporting — even if comparable across industry partners — risks treating the symptom — the secrecy of surveillance — without getting to the cause — how surveillance is facilitated by firms themselves.

A pre-copyedited version of the paper, titled, “The (In)effectiveness of Voluntarily Produced Transparency Reports,” is available at the Social Sciences Research Network.

Curated Canadian IMSI Catcher Resources

‘Untitled’ by Andrew Hilts

IMSI Catchers enable state agencies to intercept communications from mobile devices and are used primarily to identify otherwise anonymous individuals associated with a mobile device or to track them. These devices are also referred to as ‘cell site simulators’, ‘mobile device identifiers’, and ‘digital analyzers’, as well as by the brandnames such as ’Stingray’, DRTBox’, and ‘Hailstorm’. These surveillance devices are not new – their use by state agencies spans decades. However, the ubiquity of the mobile communications devices in modern day life, coupled with the plummeting cost of IMSI Catchers, has led to a substantial increase in the frequency and scope of IMSI Catcher use by government and non-government agents alike. The devices pose a serious threat to privacy given that they are highly intrusive, surreptitious, and subject to limited controls in relation to their licit and illicit sale or operation.

One of the challenges with understanding the current policy landscape around IMSI Catchers in Canada stems from different government agencies’ deliberate efforts to prevent the public from learning about whether agencies use such devices. Journalists and academics have tried to determine whether and how the devices are used over the course of approximately a decade; this means that information concerning their operation has unfolded over a significant length of time. Without a centralized resource to curate the successes and failures of these investigations it is often challenging for non-experts to understand the full context and history of IMSI Catchers’ operation in Canada.

Only recently have journalists, advocacy groups, and academics in North America learned about how their respective governments have historically, and presently, operated IMSI Catchers. Such revelations began around four years ago in the United States and within the past year and a half in Canada. Such revelations are the culmination of extensive preparatory work: though news articles and research reports appear more frequently, now, their existence today is predicated on the hidden labour that took place over the prior years.

For Canadians, the release of select court documents enabled more informed analysis of how these devices were used by federal, provincial, and municipal agencies. Such information was drawn on to prepare a report on IMSI Catchers that I wrote with Tamir Israel last year, in which we canvassed, collated, and analyzed what was technically understood about how IMSI Catchers operate, as well as the challenges Canadians have faced using freedom of information request to learn more about the technology. That report also included legal analyses of different ways of authorizing the devices’ operation and the Charter implications of their operation. Furthermore, in recent weeks the RCMP finally admitted to the public that it has used IMSI Catchers after previously claiming that any revelation of whether and how they used the devices would infringe on national security or ongoing investigations. Many other agencies have since followed suit, also informing the public whether they possess and operate IMSI Catchers in the course of their investigations.

To help interested members of the public, journalists, advocacy and activist groups, and fellow academics, I have collated a list of IMSI Catcher-related resources that pertain to the Canadian situation. This listing includes the most important primary and secondary documents to read to understand the state of play in Canada. Some of the resources are produced by academics and technologists, some focus on technology or policy or law, and others encompass the major news stories that have trickled out about IMSI Catchers over the past several years. If you believe that I have missed any major documents feel free to contact me.

Access the IMSI Catcher in Canada Resources

Pleading the Case: How the RCMP Fails to Justify Calls for New Investigatory Powers

'RCMP' by POLICEDRIVER2 (CC BY 2.0) https://flic.kr/p/sEM7W5

‘RCMP’ by POLICEDRIVER2 (CC BY 2.0) https://flic.kr/p/sEM7W5

A pair of articles by the Toronto Star and CBC have revealed a number of situations where the authors report on why authorities may be right to ask for new investigatory powers. A series of cases, combined with interviews with senior RCMP staff, are meant to provide some insight into the challenges that policing and security agencies sometimes have when pursuing investigations. The articles and their associated videos are meant to spur debate concerning the government’s proposal that new investigatory powers are needed. Such powers include a mandatory interception capability, mandatory data retention capability, mandatory powers to compel decryption of content, and easy access to  basic subscriber information.

This post does not provide an in-depth analysis of the aforementioned proposed powers. Instead, it examines the specific ‘high priority’ cases that the RCMP, through a pair of journalists, has presented to the public. It’s important to recognize that neither the summaries nor underlying documents have been made available to the public, nor have the RCMP’s assessments of their cases or the difficulties experienced in investigating them been evaluated by independent experts such as lawyers or technologists. The effect is to cast a spectre of needing new investigatory powers without providing the public with sufficient information to know and evaluate whether existing powers have been effectively exercised. After providing short commentaries on each case I argue that the RCMP has not made a strong argument for the necessity or proportionality of the powers raised by the government of Canada in its national security consultation.

Continue reading

« Older posts