Ms. Tech; Original photo: Pexels
Ms. Tech; Original photo: Pexels

Computing / Cybersecurity

NYC has hired hackers to hit back at stalkerware

A New York City government pilot program is bringing technologists and domestic abuse victims together for good.

Aug 14, 2019
Ms. Tech; Original photo: Pexels

The crime of domestic abuse has entered the 21st century.

Abusers leverage high-tech tools in the oldest of crimes, stalking their victims through tools like Facebook Messenger and Apple Maps. They spy on their targets through stalkerware apps and Amazon Alexas. But hackers are now teaming up with victim advocates to catch up.

In a pilot study the New York City government has been running since 2018, technologists work in collaboration with the Mayor’s Office to End Domestic and Gender-Based Violence to offer practical computer security and privacy services to survivors of intimate partner violence.

The program, which involves a team of academics from Cornell Tech and New York University, has already seen early success and is growing, Cornell Tech’s Sam Havron said on Wednesday at the USENIX Security Symposium in Santa Clara, California. 

There are hundreds of apps sold on the market today that stalkers use to track a victim’s location, secretly record voice audio, steal text messages, or engage in other illegal surveillance.

Since November 2018, the New York–based technologists have met with 44 clients and have discovered that 23 of them may have been targeted by spyware, account compromise, or exploitable misconfigurations. Over half the victim cases have connections to digital abuse, according to a newly published paper, “Clinical Computer Security for Victims of Intimate Partner Violence.”

Victims working with the city government typically see lawyers and case managers who are not properly equipped to handle the myriad cybersecurity and privacy problems they may face. 

“There is an unmet need for additional computer security and privacy expertise,” Havron said. “We need experts to help navigate abuse.” 

After finding that existing anti-malware tools too often failed to detect and alert victims to the presence of stalkerware, the academic team working with New York City created ISDi (Intimate Partner Violence Spyware Discovery), a downloadable tool that detects whether apps that abusers can exploit are installed on a client’s mobile devices.

Digital abuse often goes deeper than stalkerware. Labyrinthine privacy settings in modern apps can be difficult for even cybersecurity experts to fully understand. Beyond that, abusers can threaten physical violence if victims do something as simple as changing passwords to regain privacy. Abusers can also use indirect methods of access: for example, a child’s tablet might have access to a family data plan that lets an abuser see a victim’s location, photos, or social-media presence.

Victims face a complex mix of digital and physical threats that can become difficult to untangle. They often don’t even know how or where the digital abuse and stalking starts.

“How can we help victims?” Havron said. “As technologists, our first inclination might be to try to fix various software flaws and designs that exacerbate tech abuse like victims being locked out of accounts by abusers. But it’s naive to think improvements to technology would completely mitigate tech abuse. We need socio-technological interventions.”

Family Justice Centers have reported positive and helpful results from the field study. Demand for the tech consultations is increasing.

The team was recently awarded a $1.2 million grant from the National Science Foundation to continue work on digital abuse and intimate partner violence.