Making Strides to Stop Stalkerware

/

Exciting news… In the past couple of months, there has been some significant movement in the work against stalkerware. The term stalkerware, AKA spyware, refers to apps, software, or devices that allow someone to monitor or record the activity of another person’s phone or computer without their consent or knowledge. For many years, the term spyware has been used to describe the type of monitoring and surveillance these types of apps and software have prided themselves on. However, as advocates and technologists have come to better understand just how these programs and apps work, we have identified that the characteristics of these types of apps and programs are stalking behaviors. In recent years, there has been a shift in the work to identify and call these types of problematic programs and apps what they really are, which is stalkerware. This technology is incredibly sneaky and is used by abusers and stalkers as a tool to monitor, surveil, intimidate, harass, and control someone. While stalkerware still remains a significant issue for survivors of abuse, tedious but necessary work has been happening to curb both the existence of these products and their misuse.

Buh bye…

Last week the Federal Trade Commission (FTC) announced their first case against a developer of stalking apps. Their investigation of and settlement with Retina-X Studios, LLC has ended with the company’s three stalking apps - MobileSpy, PhoneSheriff, and TeenShield – taken off the market and the company prohibited from selling apps that monitor devices unless they take steps to ensure they will only be used for legitimate purposes. These include not requiring jailbreaking or rooting of the device to function, acquiring written verification from the purchaser that the app will only be used for legal purposes, ensuring a visible icon remains on the device that can provide the user with information, and deleting all personal information previously collected by the apps. Prior to the settlement, all three of Retina-X’s apps required the purchaser to circumvent the phone’s security features by either jailbreaking or rooting the phone and then allowed the person to monitor the phone remotely without any notice to the owner of the device.

When the apps were taken off the market, they had more than 15,000 subscriptions. Anyone doing this work knows that a large number of those subscriptions were likely used for abusive purposes and likely brought much harm in the time they were used. We are grateful to the FTC for their leadership on this and for bringing us in during the process prior to the announcement. We worked closely with the FTC to create graphics to accompany their announcement and provided feedback on the notification language they were crafting.

Clues that stalkerware may be on device

Clues that stalkerware may be on device

Building Partnerships

Today, the announcement was made about the creation of the Coalition Against Stalkerware and the new resource, StopStalkerware.org. We are a member of this Coalition, which is made up of technology companies and advocacy organizations. Leading up to this, we have been working with several anti-spyware companies to learn more about stalkerware, the options to prevent and detect it, and ensure that the experiences of survivors are understood. The Coalition will work together to create industry-wide standards for defining and detecting stalkerware, strategies to increase education and awareness about the issue for survivors, and potential solutions to eliminate spyware completely. Many of the companies involved have been conducting research and increasing education for prevention for many years, and we are enthusiastic to be able to share and collaborate on this effort.

 We also recently participated in Virus Bulletin’s Annual Conference alongside Kaspersky. This event is focused on international threat intelligence and it was a meaningful opportunity to bring the voices of advocates and survivors into that space. We learned a great deal about this work and provided training around the misuse of stalkerware apps and their implications for survivors of abuse.

New Resources

Because of the swift momentum of these growing partnerships and the urge to ensure helpful information is available to survivors, we have worked diligently to update our own materials around spyware/stalkerware within the Survivor Technology and Privacy Toolkit. 

We are excited to be a part of the changing landscape in both government and technology spaces in terms of holding spyware/stalkerware companies and abusers accountable. This work will require many partners and approaches to ensure that the products being created do not intentionally harm survivors and will be a critical piece to the broader goal of addressing abuse.

Keeping Survivors in the Driver’s Seat: Our Focus on Confidentiality 

/

As professionals and experts in the field, advocates go to work every day helping survivors reclaim their lives. But it can be easy to get caught up in the day-to-day rush of the work, and sometimes we forget that we aren’t the driver of this journey - we’re just passengers along for the ride. When we get off track, we start to think a survivor should automatically give us the information we ask for, that they should trust us to collect and share their information as we see fit because we’re experts and we know what’s best. But we have to put the brakes on that thinking, and remember that survivors are the experts of their own experience. It’s our job to help educate them about their options, and the potential impacts and outcomes of their choices, so that they can make an informed decision. When we do this, we’re giving them the keys, ensuring they’re the ones who are in control and driving the bus,* and that we’re doing our job by helping them navigate!

Safety Net kept very busy over the summer and early fall of 2019, working to help organizations across the field improve their understanding and practice of confidentiality. To help agencies ensure they’re providing survivor-driven services and developing policies that support a survivor’s right to privacy, we hosted four national webinars, facilitated a listening session for state and territorial coalitions on mandated reporting, launched new materials, and held an outstanding two-day conference– Strictly Confidential: Protecting Survivor Privacy in Federally Funded Programs.  

Summer 2019 Highlights

Webinars:
For anyone who missed the webinars, and for those who’d like to revisit them, you can check them out using the links below:  

 

Resources:
Newly-created materials, which were all added to our Confidentiality Toolkit, include:

National Conference:
The 2019 Strictly Confidentiality conference was in such high demand that we had to make a wait list and get creative with seat set-up! We loved seeing everyone so interested and engaged in wanting to learn more about survivor-centered best practices. Advocates, attorneys, court officials, and others came from across the country to learn more about how they can ensure they’re providing survivor-driven services. The conference content was designed to help advocates navigate complex federal confidentiality obligations, through in-depth analysis, peer sharing, and scenario problem solving. Participants explored the many layers of privacy, confidentiality obligations, and their intersections with technology in a tangible way. Topics included:

  • Understanding and applying legal confidentiality obligations

  • Navigating the mandated reporting and confidentiality overlap

  • Building community collaborations while maintaining confidentiality

  • Upholding confidentiality in emergency situations

  • Navigating language access and confidentiality

  • Handling official third party demands for survivor information

  • Selecting and using databases

  • Implementing best practices for agency use of technology

  • Minimizing risk via intakes and data retention policies

  • Understanding data breach notification laws

  • Ensuring valid releases of information.

We hope all this new content is helpful to service providers and we look forward to hearing your feedback so we can continue to improve this work. We’re also grateful to our grant partners at Danu Center’s Confidentiality Institute, to our funders at the Office on Violence Against Women, and to the advocates who are out there doing this work every day. When we provide services based on confidentiality best practices, we’re helping survivors understand they have a right to privacy, that they remain in control of that privacy, and they can make the decisions that work best for them.

*The “survivor drives the bus” phrase was coined by our grant partner, Alicia Aiken, Director of Danu Center’s Confidentiality Institute :)

Cyber Safety for Survivors of Domestic Violence

/
cyber_safety.jpg

Did you know October was both Domestic Violence Awareness Month AND Cybersecurity Awareness Month? Do you know where your devices are and if they are locked? Read on for some great tips as these two issues are more connected than some may think!

For survivors of domestic and sexual violence, the Internet can quickly become a scary place to interact. Concerns about privacy invasion, stalking, harassment, impersonation, non-consensual intimate image sharing, and other threats can leave people feeling like they have no choice but to avoid online entirely. It’s easy to feel vulnerable and exposed online, so we’ve put together some tips for those who might be looking to feel safer while still staying connected. As Domestic Violence Awareness Month and National Cybersecurity Awareness Month end, we thought it would be a good time to offer some thoughts and tips for survivors to think about.

Adjust Social Media Settings

While online sharing continues to rise in popularity, so do social media security risks. Staying on top of social media account settings can help reduce some of those risks to safety and privacy. By switching your accounts to private mode, you can help prevent other users from viewing your personal information and profile without your permission. Almost all social media platforms also allow you to block people as well; this can be especially helpful if there are people in your life that you don’t want to interact with on social media, or as a remedy to help stop harassment on that platform. A simple “block” can make a big difference. But before blocking someone, consider how this may impact your ability to know if their abusive behavior is escalating, and your ability to document their abusive behavior. Once you block someone, you won’t be able to see what messages and comments they are trying to send you.

If you’re especially concerned about online privacy, you may also want to consider refraining from posting in real-time, or posting anything that may give an indication of your location. For instance, if you’re at a restaurant, you may want to wait to post about it when you get home, or you may decide that posting about it would be putting more information out about your general location than you are comfortable with. These are simple ways to avoid any potential interactions with people who happen to see your social media and will try to show up where you are, or to prevent them from getting any idea about your location. You may also want to avoid tagging specific locations of restaurants, bars, houses, neighborhoods, etc. as these can leave a trail about your daily patterns for someone looking for clues of it on your social media profile.

Protect Your Devices While on The Go

It’s no lie – many of us don’t go anywhere without our phones, and sometimes even our laptops go everywhere we go. They’re in our bags, our pockets, and our hands. Sometimes we're using our own data plan, but other times we need to connect to public WiFi. When we do this, it’s important to understand how vulnerable our devices can be while connected to a public Internet connection. For example, while working in a cafe on your laptop, that free Wi-Fi you’re connected to is not as safe as you think. If you can afford investing in a virtual private network (VPN), it can help give you the security you need while on the go. A VPN creates a private network within a public Internet connection. VPN’s mask your IP address, which helps keep your web browsing hidden.

If a VPN isn’t an option you can currently invest in, making sure to only browse sites that use https: protocol can help increase your privacy. While someone may still be able to snoop and see you are on a specific site, they wouldn’t be able to see the details of what you are doing on that site, or what you are looking at on that site.

Arm Your Home Network

Many people might think to lock their doors and windows at home, but may not know how to keep their Internet connection secure. Secure internet connections start with the router. The router communicates between the Internet and all of the devices in your home to deliver a Wi-Fi connection.

When purchasing and setting up a Wi-Fi router there are several things to keep in mind. Do you have any fireplaces or thick walls that will block a signal or weaken signal strength? These structures can block or intercept your Internet connection. Also, make sure the router you’re going to buy is the right size for your home and the amount of devices that will be connecting to it. Security is another important topic to be mindful of as you choose a router. Routers that aren’t secure are vulnerable to being hacked, and once hacked, someone can potentially install viruses or malware onto any of your devices. Find a router that has network level protection, including automatic updates, signed firmware updates, and device quarantine. Last but not least, find a router that is easy to navigate and control. Look for other features that might be helpful to those who are using it in your home. This includes parental controls, guest networks, and network management. Don’t skimp on a router - it helps more than you think. For more on WiFi security, check out our resource WiFi Safety & Privacy: Tips for Victim Service Agencies & Survivors.

Enable Additional Authentication

When logging into online accounts, or even some phones and devices themselves, there’s often an option for an additional form of authentication. This is known as two-factor authentication, and it allows the user to add an extra layer of protection to their account or device by not only creating a complex and difficult password, but allowing a special code to be sent to their phone every time a login occurs. This means that if someone is trying to login to your account or device and it isn’t you, you’ll know about it and be able to stop them from going any further. This is especially important for email accounts where you might have more personal or financial information that you wouldn’t want others accessing. For more on password security and two factor authentication check out our resource Passwords: Simple Ways to Increase Your Security