A deep dive into stalkerware’s creepy marketing, illegal privacy invasions, and terrible security

Stalkerware — spyware sold to people as a means of keeping tabs on their romantic partners, kids, employees, etc — is a dumpster fire of terrible security (compounded by absentee management), sleazy business practices, and gross marketing targeted at abusive men who want to spy on women.

To make matters worse, many security companies refuse to treat stalkerware as malware, and cops around the world make liberal, illegal use of it.

Now, the University of Toronto’s Citizen Lab (previously) has released an interdisciplinary report into the stalkerware industry, which systematically affirms that the stalkerware industry markets itself explicitly to abusive men who want to target women (including ex-partners and stalking targets); that its information security practices put all the data gathered via its products at risk of being breached and dumped; and that it is violently out-of-compliance with Canadian law (as the report dryly notes, “there were significant and disturbing failures by the companies in this study to obtain meaningful and ongoing consent”).

In some ways, there’s nothing new in this report; but it’s fantastic to have all these scattered reports of the problems with stalkerware summarized in a single report, with extensive references and accompanying legal and security analysis.

Intimate partner violence, abuse, and harassment is routinely linked with efforts to monitor and control a targeted person. As new technologies have seeped into everyday life, aggressors have adopted and repurposed them to terrorize, control, and manipulate their current and former partners. When National Public Radio conducted a survey of 72 domestic violence shelters in the United States, they found that 85% of domestic violence workers assisted victims whose abuser tracked them using GPS. The US-based National Network to End Domestic Violence found that 71% of domestic abusers monitor survivors’ computer activities, while 54% tracked survivors’ cell phones with stalkerware. In Australia, the Domestic Violence Resources Centre Victoria conducted a survey in 2013 that found that 82% of victims reported abuse via smartphones and 74% of practitioners reported tracking via applications as often occurring amongst their client base. In Canada, a national survey of anti-violence support workers from 2012 found that 98% of perpetrators used technology to intimidate or threaten their victims, that 72% of perpetrators had hacked the email and social media accounts of the women and girls that they targeted, and that a further 61% had hacked into computers to monitor online activities and extract information. An additional 31% installed computer monitoring software or hardware on their target’s computer.

The Predator in Your Pocket [Christopher Parsons, Adam Molnar, Jakub Dalek, Jeffrey Knockel, Miles Kenyon, Bennett Haselton, Cynthia Khoo, and Ron Deibert/Citizen Lab]