EFFecting Digital Freedom

by Jason Kelley

It's Time to End Stalkerware

Someone with unfettered access to our phones or computers essentially has unfettered access to our lives.  For many, computers and phones contain not only private information, but the contents of our very thoughts.  We text our friends and family and partners our feelings, we take notes, we talk about plans; and this is on top of data about where we travel, websites we visit, and who we're talking to.  That's why we absolutely must put an end to stalkerware.

Stalkerware, also known as spouseware, is software that is installed covertly on a user's phone to collect and share information with another person without that user's knowledge - essentially, to digitally stalk someone.  By sharing personal details about who someone has called or texted, pictures they've taken, where they've traveled, or even what they have discussed in private conversations, apps like these let abusers menace and torment their victims.  This technology is often used for domestic violence against spouses, children, and exes.  The people who end up with this software on their phones can become victims of physical abuse - and worse.  By design, these apps are secretive, and even if users suspect that they might exist on their device, it's often difficult to know how to take action or how to protect themselves.

For years, stalkerware has often been ignored by many anti-virus (AV) companies and malware scanning tools.  App stores like Apple's have allowed the software, which is often advertised as a way to monitor a child or an employee.  But in practice, it's nearly impossible for an app developer to establish or monitor its users' relationships to their targets, or to ensure that they will use the app how they say they will.  A product designed for covertly monitoring children's activity could just as easily be installed on a partner's phone.  There are simply no legitimate purposes for secret stalking apps.

But we're fighting back.  A new coalition of anti-virus companies and human rights groups, including EFF, has joined together to create the Coalition Against Stalkerware, which will work to address the use of stalkerware and bring leaders in AV together to establish best practices for ethical software development.  The coalition also provides online resources and help for stalkerware victims at stopstalkerware.org.

AV companies have already gotten the message.  Several, including Kaspersky and Malwarebytes, have improved their flagging of stalkerware, and the FTC took action against stalkerware developer Retina-X (albeit for poor security, leaving open the unfortunate possibility that Retina-X could continue to offer its software in the future).

This flurry of activity is thanks in part to EFF's director of cybersecurity, Eva Galperin.  In 2018 she offered assistance on Twitter to any woman who was sexually abused by a hacker who threatened to compromise their devices, and when hundreds responded, she began working to help - and she began to fight the problem on a larger scale by pushing antivirus companies to flag the malicious software.  Her work and the work of survivor groups has propelled the battle into the limelight, and helped to begin the dismantling of the industry.

It won't be an easy fight.  According to Kaspersky, the number of its anti-virus users finding stalkerware on their devices rose by 35 percent in 2019, up to 37,532 from 27,798 in 2018.  The varieties of stalkerware have increased as well, with Kaspersky detecting 380 various forms of it in the wild in 2019 - 31 percent more than a year ago.  But all of this work has already made an impact.  The coalition wouldn't have been possible a year ago, and a year from now, with the group working together to protect people from stalkerware and hold vendors and abusers accountable, we're that much closer to eradicating this entire industry.

There is simply no acceptable use case for running a consumer spying app covertly on someone's device.  Having access to someone's phone is akin to having access to their mind, and no one should be able to peer into your mind without your consent: not the government, not a company, and not an abuser.  It's time to end the development and sale of these privacy-violating tools.
