Stopping stalkerware: What needs to change?
Article by Lysa Myers, WeLiveSecurity
Regardless of whose statistics you read, a disturbingly high percentage of women and men will experience intimate partner violence or harassment in their lifetime. Worryingly, technology is being used more and more frequently as a tool to coerce and intimidate victims, with social media, smart phones and smart home devicesbeing among the most popular tools for these purposes. This will continue to be the case until we change how technology is developed and implemented.
One of the first articles I wrote upon joining ESET in 2013 was about how domestic violence survivors could help protect themselves. While I had helped friends defend themselves against ongoing surveillance by domestic partners before writing that article, I hadn’t realized until researching it how incredibly challenging it can be to deal with a more technically enabled abuser.
That article is also one of a very small handful of articles I’ve ever been asked to update with more current information, because the issue it describes continues to be such a huge problem for so many people. This is clearly not a problem that’s getting better without a much stronger effort on the part of a lot of different people, including anti-malware vendors.
There are many challenging aspects to combating harassment, due in large part to the failure of legislation in keeping up with technology, as well as the failure of technology manufacturers in designing products to prevent misuse. This makes it hard for defenders to address these problems, which has allowed them to pile up.
Laws combating stalking and domestic violence have been woefully inadequate and slow in being adopted at all, much less enforced. As such, it should be no surprise that laws surrounding “digital versions” of these crimes are almost non-existent, and law enforcement all too often has little capability to pursue crimes committed over the Internet.
Manufacturers of legitimate devices and services that have not been designed to prevent misuse, which are then used to harass or stalk people, shrug their way past complaints of their products being used for harm. Companies that create products that are designed to monitor people in a way that’s legally acceptable (such as employee or child trackers) shake off questions about their products, when they are designed in such a way that they can also be used for questionable legal purposes (such as surreptitiously surveilling a spouse).
The existence of these legal grey areas has the knock-on effect of hamstringing organizations that seek to defend victims. It’s a whole lot harder to fight against something that’s probably legal, even if it’s being used in ways that are at least deeply unethical if not illegal.
Tools as weapons
If you’ve been through a security line in an airport in the last decade or so, you’re probably aware of the occasionally perplexing list of items that are prohibited in carry-on luggage. Objects that are designed as weapons, such as guns and knifes, are obviously prohibited. But sporting equipment, hand tools, crafting implements like knitting needles, and even large quantities of liquids are also prohibited on most flights.
Air travel is now one of those situations where public sentiment is generally in favor of very stringent methods of excluding access to potentially dangerous items, even when they’re considered innocent in 99% of our daily activities. Most people don’t use screwdrivers for harmful or illegal purposes, but the risk of misuse is considered too great when a bunch of people are locked into a metal tube at 35,000 feet, so we have collectively agreed not to allow access to these items while we’re in flight. But in almost every other situation, screwdrivers are totally unregulated, and you’d be hard pressed to find anyone who would argue that it should be otherwise.
Airports have set up special infrastructure that allows them to apply a higher level of scrutiny, where they can exclude items that are usually considered innocent. Outside the airport, you have to use different techniques to protect yourself against harm from traditional weapons as well as tools that can also be used as weapons.
For most people, during most of their lifetime, an appropriate level of caution dictates being vigilant against traditional weapons rather than being worried about the presence of hand tools or sporting goods. People who’re in the midst of a harassment or domestic violence situation, however, are entirely reasonable to consider the possibility of ordinary household items being used as weapons.
Paranoia as a powerful defense
Anti-malware vendors are in an interesting place, with their products being used by people in ordinary threat scenarios as well as by those who are in very extraordinary threat scenarios. Most people would find it somewhere between bothersome and extremely problematic to be warned about every bit of code on their devices that could be used for harmful purposes. There would be a lot of alerts if you were to be warned about the presence of every figurative screwdriver, frying pan, or baseball bat in your midst.
But it’s entirely reasonable for you to want those warnings sometimes, especially if the context of your situation warrants an extra degree of caution. Each company that makes a security product has to decide on what an appropriate level of caution is, for their customer base.
That decision is generally arrived at based on the specific capabilities or aims of their products, as well as using feedback from their customers. Each company strikes a balance so that people get the best level of protection, without being so inundated with warnings that they get alert-fatigue. And over time, that balance inevitably shifts as product capabilities and the threatscape changes.
One tactic that a lot of security companies have taken is to allow some customizability within their products. The default level of protection is what should be appropriate for the largest number of customers; you can tweak individual settings to increase or decrease protection if your situation requires something different.
If you’re in a situation where extra caution is warranted – especially in the case of domestic violence or stalking – it’s a good idea to lock your system down as much as possible. This includes enabling the most paranoid settings on your security software.
In anti-malware software, this usually means enabling scanning for potentially unsafe or unwanted applicationsor using advanced detection mechanisms that will alert you to the presence of files that may pose a threat. If possible, contact your security vendor’s technical support so they can help you change your settings to those most appropriate to your situation.
The tricky thing about stalking and domestic violence is that it begins subtly: victims may not know they’re being targeted until it reaches a truly dangerous level. Technology makers must keep this in mind, so we can maintain a balance that helps protect our customers.
Changes from technology makers
The changes that need to happen to protect people in extraordinary circumstances against harmful code and devices are not just on users. Technology makers are an absolutely crucial part of this process as well. The expectation is not that companies can completely prevent harm from people misusing their products, but that the currently very high risk of misuse should be decreased.
Phone service providers and smart phone makers should enable devices so we can block numbers to quickly, completely, and permanently prohibit contact, including both calls and messages. Other communication media – including email, instant messaging, and social networking sites – need this functionality as well; if your platform offers a way to contact someone, there needs to be a way to rescind this ability for selected individuals.
This is not a perfect solution, as persistent abusers can usually find ways to create new accounts to resume their torment. Service providers that can apply anti-fraud protections should be able to somewhat limit this activity.
App stores need to specifically address what activities are acceptable for apps, and specifically prohibit products that operate in stealth mode such that they cannot be easily detected once the product has been installed. They need to prohibit searches related to illegal activities, especially those relating to domestic abuse. And they need to be consistent in enforcing these policies regardless of the size of the app developer.
Device and app manufacturers should be designing with privacy and security in mind, not bolting protections on after the fact. These companies need to have privacy policies in place that are published in highly visible places, as well as instructions regarding how to report security issues, including the relevant contact information. Internally, they should also have incident response plans in place so that they can quickly address reported problems.
And last, but certainly not least, security vendors need to play their part. We need to have consistent policies about what spyware and stalkerware products will be detected with default settings, as well as which products will be detected with advanced settings. We also need to continue innovating ways of offering more flexible options for people to increase detection when their threat model is different from what is typical.