“He knew where I was at all times, who I was talking to on email, text messages, social media—all of it. He could see everything. I had no privacy,” says Anna (not her real name).
Anna’s experience is not an isolated one: it’s a daily reality for thousands of people, most of them women.
That’s because, usually without their knowledge, their partners have installed stalkerware on their devices—apps that let someone spy on your smartphone activity. Sometimes these apps require access to the person’s device, but some of them just require you to send someone an innocuous-seeming download. As soon as your victim has clicked through, you’re in. You now have access to everything.
In Anna’s case, stalkerware was disguised as a picture message, sent to her by the man she was dating (let’s call him David), just a few weeks after they met. She was then under constant surveillance for about two years until she escaped the increasingly violent relationship in June 2016, in fear for her life.
She didn’t start to suspect David until two months after they started dating. “He made a comment about something I’d only shared privately, in Facebook Messenger, with a relative. After that I realized he was tracking everything,” Anna says.
Before she met him, the idea that someone would track her had never crossed her mind. “I didn’t even know it was possible,” she says.
There have been very few studies on stalkerware or attempts to grasp its scale, so it’s hard to know how big this problem truly is. One of the few papers on the phenomenon, written by researchers at Cornell University and published in October 2018, found dozens of overt stalkerware tools. However, the authors warned that the majority are “dual use” apps masquerading as child safety or anti-theft tools, which can easily be repurposed for spying on a partner. This ambiguity seriously complicates the task of tackling their proliferation.
“People think this problem is niche, but that’s not true,” says Rahul Chatterjee, a computer science researcher at Cornell and coauthor of the study. “It’s one in three women and one in six men [who have experienced an abusive relationship]. That’s millions and millions of people in the US alone. We can’t ignore this any longer.”
Last year, security company Kaspersky found and removed 58,000 instances of stalkerware after people downloaded its antivirus app to run scans. It’s likely the true figure is much higher, says David Emm, the company’s principal security researcher.
Plenty of these apps can be downloaded from Google’s Play Store and Apple’s App Store (both still host the Saudi government app Absher, which lets men track and restrict the movement of women under their “guardianship”). Even those that can’t be accessed that easily are usually only a quick Google search away. Some stalkerware apps are even openly promoted online, as in this advert on Twitter (below). (It’s now been deleted after a backlash.)
The growing role of technology in partner abuse isn’t just confined to stalkerware. The domestic-violence charity Refuge estimates that around 95% of its cases involve some form of technology-based abuse, whether by means of parental control apps, employee tracking, or even just obsessive tracking of a partner’s location using Google Maps or Find My Friends. As the world changes, so do abusers’ methods.
So what can be done? There is unfortunately no single, quick fix. Antivirus products are, finally, starting to flag when stalkerware is present on users’ devices, after an 18-month campaign by the Electronic Frontier Foundation’s director of cybersecurity, Eva Galperin. But that requires smartphone users to have antivirus protection switched on, when the reality is that most don’t. Most victims are unaware they’re being tracked, or don’t know how to stop it once they are.
While some domestic-violence charities will analyze victims’ devices and try to help them identify if and how they’re being tracked, there are currently no best practices available on how to discover, analyze and mitigate tech issues, says Diana Freed, a PhD student in information science at Cornell University. Freed and her colleagues are creating tools and resources to try and make this kind of service scalable and far more accessible to more people.
Many believe that Google, Apple, and other companies can and should also do more to keep stalkerware apps out of their app stores. “If an app is designed to run covertly or be invisible to the person using the device, it’s immoral, unethical, and in some cases illegal,” Galperin says.
“They should set the bar, and those which don’t adhere to their standards shouldn’t be there,” agrees Sam Havron, a privacy researcher at Cornell University. The vetting process needs to be beefed up to incorporate the question “How could this be used for abuse?” A checklist for the app developers themselves might help, too. Google and Apple did not respond to a request for comment.
Smartphone makers and operating system providers could also offer more notifications about which apps are needlessly accessing the device’s camera, GPS, or messaging features. This would, in fact, just be good security practice in general, he says.
The potential that their products might be used for abuse likely doesn’t even cross the mind of most people working in tech, says Leonie Tanczer, a lecturer in international security and emerging technologies at University College London. The proliferation of internet-connected devices and smart-home products provides yet more avenues for people seeking to control their partners, she warns.
Some victims of domestic violence have been forced to become security-savvy thanks to their experiences. Anna became an infosecurity professional as a direct result of her years of abuse. She now has some advice for others:
“The second you have solid evidence your partner is surveilling you, get out. Don’t even talk to them about it. Leave and get them out of your devices as swiftly as possible.”