Episode Transcript
This is a computer-generated transcript. While our team has reviewed it, there may be errors.
Morgan Sung: Hello, do you like these deep dives? Do you want more? Then please rate and review Close All Tabs on Spotify, Apple Podcasts, or wherever you listen to the show. And tell your friends, post about it on Instagram, Bluesky, X, Discord, Reddit, the comments of whatever random recipe blog you start arguments in. Basically, it would be a huge help to just get the word out. Okay, let’s get to the show.
Just a note, this episode contains mentions of sexual assault and domestic violence, so listen with care. Eva Galperin is the Director of Cybersecurity at the Electronic Frontier Foundation. In some circles, she’s reluctantly known as the privacy pope.
Eva Galperin: People would come to me telling me about incredibly privacy invasive stuff that they had done as if they were looking to confess their sins and hoping that I would bless them. And the whole point of this is, in fact, that I am not the privacy pope.
Morgan Sung: Eva may not be the privacy pope, but she has been working to protect the privacy of vulnerable people for years. In the early 2010s, she was a security researcher. She compiled information on governments that use surveillance malware to target journalists and activists.
Eva Galperin: And in late 2017, it came out that the primary person with whom I was doing all of this security research was a serial rapist.
Morgan Sung: Eva had been working with this colleague for years. He was a fellow researcher, known for defending human rights activists and journalists in repressive countries. Behind closed doors, he had been secretly abusing and assaulting women for over a decade, and he kept them quiet with the threat of hacking. In a series of articles in The Verge in 2018, many of his survivors explained why they were so afraid to come forward.
Eva Galperin: It really struck me how much they all described themselves as really scared of what he might do to their devices, because apparently he had threatened to compromise their devices if they came out and said anything about him.
Morgan Sung: The survivors were scared of stalkerware, that software that’s often covertly installed on a device to track and record the user’s activity. It goes further than location sharing. This is software that the user is not aware of and doesn’t consent to. Stalkerware can log messages, internet history, photos, and pretty much any sensitive activity or information. The person who installed it can then turn around and use this information to harass, monitor, and coerce their target. That’s what the victims of this former colleague were so afraid of.
Eva Galperin: It was very upsetting. And as with anything, when you suddenly discover that someone is not the person that you think they are, you go back and think about incidents and go, oh, there were signs I should have known. And you spend a lot of time beating yourself up. But I decided that beating myself up is not the best use of my time. And that helping people is the best use of my time. I was so mad. So I did what most people did in the year 2018 when they got very angry.
Morgan Sung: What Eva did next started a chain reaction, one that led her to build a network aimed at taking down a massive, shadowy industry of illegal software developers creating surveillance tools for tech-savvy abusers. Today, we’re diving into the fight against stalkerware: what the software really does, how Eva and others have been working together to protect survivors, and the legal gray areas that make this industry so hard to take down.
I’m Morgan Sung and this is Close All Tabs. Ready?
Okay, before we get into the fight, we need to understand what we’re dealing with. And for that, we need to open a new tab: What is stalkerware?
Stalkerware is a form of tech-enabled abuse, the umbrella of digital tools and tactics that abusers use to control, harass, and intimidate their victims. A common version might look like parental monitoring apps that can run in the background and provide live access to the device’s location, text messages, and social media activity. Eva said that stalkerware works differently depending on the operating system. Androids and iPhones have different security measures. If you have an Android, the abuser needs to actually download an app onto your phone. To do that, they need to have your phone’s password. Eva says this isn’t the barrier you might think it is.
Eva Galperin: This whole idea of like, well, just don’t give the abuser your password. Uh, you know, I’ve got news for you about how abuse works. So it is very common for abusers to have physical access to the device, to have the password for the device. And when the survivor isn’t looking, when they have their back turned, when they’re in the other room, uh, they download the app.
Morgan Sung: Stalkerware generally isn’t allowed on Google’s Store, so a lot of these apps are downloaded from websites. They don’t appear as normal apps do. They’re hidden. If you don’t know that it’s there, then you don’t know to delete it.
Eva Galperin: The stalker then logs into a website usually and they pay money to the company for access to the portal which gives them information about what is happening on your phone. Sometimes that can be your SMS messages, your WhatsApp messages, all of your passwords. There can be a keylogger on there so just like every key that you hit could possibly be logged, photos being shared. You can sometimes remotely access the camera without setting off a little light that tells you the camera is on, or remotely set off the microphone for recording, which is also very invasive.
Morgan Sung: Most people carry their phones everywhere they go, which means that stalkerware that tracks real-time location and sends out GPS data is particularly prevalent. If you use an iPhone, the process looks a little different. Abusers typically steal their victim’s Apple ID password.
Eva Galperin: Again, a thing that you can get if you are an abuser because that’s how abuse works.
Morgan Sung: And they may also need physical access to the phone, which abusers likely already have.
Eva Galperin: And then the stalkerware, which is using the Apple ID, then just makes covert full backups of the phone. You will not get real-time information, but you will essentially get information about once every 24 hours if you are spying on an iPhone.
Morgan Sung: Stalkerware, for the most part, is illegal across the world, but it’s a tricky field to regulate, especially in the U.S.
Eva Galperin: Writing stalkerware is not illegal, you know, code is speech, it’s protected by the First Amendment. However, if you buy this stuff and you install it on somebody else’s device and you use it to exfiltrate data from that device, you are violating many different laws at once. Up to and including the CFAA, the Computer Fraud and Abuse Act.
Morgan Sung: To exfiltrate data means to move sensitive information to another location without permission.
Eva Galperin: If you are listening in on somebody’s conversations, especially in a two-party consent state, you could be violating the Wiretap Act, which is a state-by-state basis kind of situation. You could also be violating various state laws around stalking, especially if you are tracking somebody’s physical location. Additionally, there are other laws that are potentially being broken by the company that is selling you the app. Because writing stalkerware, again, not illegal. However, if you write it and then you sell it and market it specifically for the purpose of doing things that are illegal, like installing the app on somebody else’s device, specifically in a way that they cannot see it in order to spy on the things that they’re doing, that’s illegal.
Morgan Sung: So this is obviously super illegal in multiple jurisdictions. In 2018 specifically, when you were first kind of really getting involved, how did people keep getting away with it then?
Eva Galperin: I mean, there are a bunch of different reasons. One of the big problems that I have in my advocacy is that when I describe a problem, often what people say their first reaction is ‘there ought to be a law.’ Law is meaningless if the law does not get implemented. If there are no consequences for breaking the law, why have a law in the first place? Frequently stalking is one of those crimes that very rarely sees consequences. We do not have a lot of support for survivors of domestic abuse or for people who are stalked or spied on in this country. And the fact that people do it so often without consequences leaves other people with the impression that this is fine and legal.
Morgan Sung: So then what do you do about stalkerware? That’s a new tab. But first, we wanted to remind you that Close All Tabs depends on listeners like you to keep us going. You can support us by becoming a member at donate.kqed.org/podcasts. Okay, we’ll get back to Eva’s story and the fight against stalkerware right after this break. Stay with us.
Welcome back. So let’s open that new tab: What do you do about stalkerware? Okay, let’s go back to 2018. Eva found out that one of her colleagues, someone she trusted, was not only a serial rapist, but had also leveraged his position as a security and privacy expert to silence the women he abused.
Eva Galperin: I don’t have any evidence that he actually broke into anybody’s phones or computers as retaliation for this. This is a fear that these people were expressing at the time that they were speaking out against him in public in the press. But he did have a history of breaking into other people’s phones and computers. And also, he had been working for Google for many years and had been publishing security research. In which he was studying the ways in which governments were doing exactly the kind of thing that we were talking about. And this was the research that he and I published together for years.
Morgan Sung: The threat of tech abuse is often enough to silence victims of intimate partner violence.
Eva Galperin: It’s worth making the point that often when an abuser threatens to engage in this sort of tech-enabled abuse, one of the things that they do is they try to leave their target or the survivor with the impression that they’re omniscient and they’re omnipotent, that they are comfortable with technology and therefore they might be capable of anything. And so the survivor often comes to me imagining all kinds of very technically complicated scenarios in which their privacy or security has been compromised. And let me tell you, almost every time that I actually catch an abuser compromising an account or a device or successfully learning where somebody is located or getting access to the contents of their communications, it’s pretty low tech.
Abusers are lazy, abusers are honestly not terribly competent. And part of that is that they don’t have to be. If they cultivate an aura of, ‘I could do anything at any moment,’ often it’s enough to cause the survivor to censor themselves and to chill their speech and to not go places simply because they’re scared. And they do the abuser’s work for them in this way.
Morgan Sung: After discovering the truth about her abusive colleague, Eva was enraged. She took her anger to Twitter, posting, “If you are a woman who has been sexually abused by a hacker who threatened to compromise your devices, contact me and I will make sure they are properly examined.”
Eva Galperin: And then I went to lunch. And I came back and my phone was vibrating and it wouldn’t stop vibrating.
Morgan Sung: The notifications poured in, likes, retweets, comments, and then hundreds of messages.
Eva Galperin: Well, I was flooded with demands. Basically, a lot of people came to me and told me the stories about the worst things that had ever happened to them. And this went on for months and then years. The most common kind of thing that I would get is that people would reach out to me and say that, “hi, I’m in a relationship with a person who is very technically adept and highly abusive. And now I am seeing behavior that leads me to believe that my devices have been compromised. What do I do?”
Morgan Sung: Eva was working as a kind of one-woman security helpline, assisting survivors with regaining control of hacked accounts and scouring their devices for stalkerware.
Eva Galperin: That sort of thing is absolutely not sustainable. Not even that it’s not sustainable for one person, but it wouldn’t even be sustainable for a team of people. This was not a problem where we could effectively fix it, you know, sort of one survivor at a time. And so I spent a lot of time thinking about how to fix the problem in a broader way, kind of, how to punch above my weight.
Morgan Sung: Eva helped to form the Coalition Against Stalkerware, which includes digital rights groups like the Electronic Frontier Foundation, as well as academics who are leading cybersecurity research at universities around the world. The Coalition also includes companies that make antivirus software. Eva said that it was important that these security companies learn to work with their competitors.
Eva Galperin: One of the reasons why some of these companies are relatively good at detecting stalkerware is because now these people talk to one another, and that is really helpful.
Morgan Sung: When the collective was founded in 2019, a lot of antivirus software was not able to detect stalkerware. It often flew under the radar. Eva said that back then a lot of researchers just didn’t prioritize it. They weren’t as concerned with it as they were with spyware that could be remotely installed, which was often used by state-sponsored hacking groups to surveil activists and journalists. Part of the fight against stalkerware was getting industry leaders to recognize the scope of the problem. That’s why the coalition also includes groups that do direct support work for survivors of domestic abuse.
Eva Galperin: These are the people who deal with, like, where the rubber meets the road every single day and they give us the most insight into the state of the problem and whether or not the mitigations that we are rolling out are effective. They also alert us to, you know, new problems and new ways in which survivors are being subjected to tech-enabled abuse so that we can come up with mitigations for those.
Morgan Sung: And so far, the coalition’s work is paying off. Eva has been working with this company called AV Comparatives to test various antivirus products to see how well they can detect stalkerware. They’ve done a few rounds of testing over the years.
Eva Galperin: But we recently did this testing again last year, and we found a couple of really interesting things. One is that overall, the performance of antivirus in detecting the stalkerware samples that we gave it improved. Almost everyone did better. We also found that the number of stalkerware products out there is slightly lower. In the time when I first did my testing, we tested 20 different Android stalkerware products. And when I did my most recent testing, I could only find 17. So the market’s getting smaller.
Morgan Sung: Detection is just one solution. This software shouldn’t be installed in the first place. How do you prevent it? To answer that, we’re homing in on the U.S. in one last tab: The crackdown on stalkerware.
Eva Galperin: A lot of the times, stalkerware is marketed as a way of monitoring your employees. And if you are an employer, and you have employees who are using your network and your devices, and you install software that allows you to see what is happening on that network and on those devices, that’s legal. This is why it’s generally understood that if you are using your employer’s devices, you should not be using them for anything personal. The other way in which these things are marketed is as a way of providing safety for your children. The idea, of course, being that your children, of course, do not have their own devices. You know, your family’s devices belong to you, the person who purchased them. And then one of them goes to your kid and, as a condition of having the device, they agree to share a whole bunch of information about where they are and what they are doing.
Morgan Sung: In 2020, Google banned advertising for apps that track another person’s activity without their consent, but made an exception for apps that help parents monitor their underage children. These apps are perfectly legal, which is why stalkerware can be so difficult to crack down on. A lot of stalkerware apps masquerade as parental control software. And if you’ve been listening to this show for a while, you may notice a pattern. Child safety in tech is a very hot-button topic. As soon as any issue includes protecting kids online, it can be very difficult to have nuanced conversations about it. Parental control apps will not be banned anytime soon, even if abusers use them to stalk their partners. But many stalkerware companies share a critical flaw, one that, ironically, can land them in legal trouble.
Eva Galperin: They’re often not built very well. They often have privacy and security problems. And building a site where you have essentially left the exfiltrated data vulnerable and it is leaked and you are made aware of this leak and then doing nothing is also illegal. And so this is one of the reasons why the FTC has, in the past, taken actions against stalkerware companies. Often the action is not for making stalkerware, but for making stalkerware badly.
Morgan Sung: Take SupportKing. It’s a consumer spyware company that made an app called Spyphone. It marketed itself as an app to, quote, connect you with your family with features like GPS tracking, call and message logs, and internet history monitoring. The premium version of the app included a keylogger and live screen viewing. All of that data, text messages, selfies, location data was collected and stored in an unsecured Amazon cloud server. Terabytes of unencrypted, identifiable information from over 2,000 users was just floating around online. So in 2021, in an unprecedented move, the FTC banned not only Spyphone, but also its CEO Scott Zuckerman, from ever running another surveillance business again.
Eva Galperin: This is actually the very first time that we’ve ever seen the FTC ban a stalkerware company. And they went to this extra trouble of specifically banning the CEO so that he could not do what he later did, which was essentially abandon the business as bankrupt and then start new businesses. And so he ended up under a consent decree which placed a lot of limitations on what kind of business he could start up if he wanted to start up another business. And had a bunch of requirements regarding the kind of privacy and security reporting that he would need to do in order to be allowed to start up new businesses.
Morgan Sung: But Scott would not take the L. Just a year after his initial FTC ban, TechCrunch reported that he was caught running another stalkerware company. And last July, he petitioned the FTC to vacate the consent order.
Eva Galperin: Saying that, listen, this ban is really a drag. It is impeding my ability to go off and start new companies. And it’s really inconvenient for me, a former stalkerware merchant, to have to do all of these reporting requirements with my new businesses, which have nothing to do with stalkerware.
Morgan Sung: His new businesses, according to the petition he filed, included running a restaurant and other tourism ventures in Puerto Rico. Eva was not about to let it slide. When the FTC solicited comment she jumped in.
Eva Galperin: And I pointed out that the inconvenience is the point. This guy has, has definitely proved that he does not care about protecting user data or about user privacy. And so he should not be allowed to have businesses in which he is storing people’s private data. That seems bad.
Morgan Sung: Zuckerman’s petition was not approved. And Spyphone is just one of many battles in the fight against this industry. Eva said the Coalition Against Stalkerware has been making some pretty big strides.
Eva Galperin: One of the things about the, you know, kind of hydra metaphor is that, you know, you take down one head, you know, three heads come up, but instead, it’s been the other way around. We take down one head, three heads come down. And we have not managed to completely eliminate stalkerware, but we have managed to dramatically reduce the number of companies that are involved. And I think that that is a big victory. And, I think that as long as we can continue to create consequences for running one of these companies that it will look less and less appealing to continue to do so because the people who run stalkerware companies are businessmen. These are people who are out to get a buck. And the moment getting that buck is no longer easy, they will go find something else to do.
Morgan Sung: Earlier, Eva mentioned that stalkerware detection has improved since she started this work, and stalkerware companies aren’t able to operate as brazenly anymore. Since the Spyphone case in 2021, several stalkerware companies have been prosecuted, shut down, and forced to notify victims that their devices have been compromised. It’s a huge leap from where the industry stood when Eva first started this fight. But there are more avenues for tech-enabled abuse than ever before, and stalkerware is just one part of it.
Eva Galperin: A few years ago we saw a real kind of cratering in the use of stalkerware. We saw stalkerware use go down and stalkerware detections go down. And for a moment, I celebrated. I’m like, haha, we’re winning. This is really great. But this happened somewhere around like, late 2020, early 2021. And my theory is not that the amount of stalking has gone down, but that people switched to using Apple AirTags. And so I have spent a lot of time working on the problem of people being stalked through Bluetooth enabled trackers, not just AirTags, but also, you know, Samsung SmartTags and Chipolos and Tiles. And part of the reason for that is because this is a small, cheap, easy way to keep track of somebody’s location without ever needing to get your hands on their phone and without ever having to worry about whether or not their phone can detect it.
Morgan Sung: Yeah. Even lower tech, and lazier, even.
Eva Galperin: Absolutely. I think that really the most important thing for people to understand about tech-enabled abuse is that it’s not the survivor’s fault. One of the things that I hear most often when we talk about tech-enabled abuse is like, well, why didn’t you just leave? Or, you know, well, why did you give the abuser your password? Or why did you let the abuser back into your house? And I think that that is such a cruel and counterproductive way in which to face the problem, and it really just, it’s not even that it doesn’t help anyone, it just helps abusers.
Morgan Sung: The fight against tech-enabled abuse doesn’t end with only holding companies accountable. There’s a social element too.
Eva Galperin: I think that one of the big things that we need to change is we need for people to call each other out when they see this kind of behavior and say this is abusive. This is not okay. It’s not cool. Put that thing down. You know, if you think your partner is cheating, go talk to your partner. And if you can’t talk to your partner, maybe it’s time to break up. It is not time to spy on them.
Morgan Sung: Eva is not the privacy pope. She will not dole out individualized blessings and hold confession to absolve you of your privacy-violating sins. There is one thing she will give her blessing for: calling out abusive behavior. It can start with a one-on-one conversation with a peer or, if you’re Eva, an angry tweet turned years-long collective action to take down an industry-wide issue. But for most people, just learning about this issue and recognizing when to step in is already helping.
If you suspect that your devices have been compromised and that you’re a victim of tech-enabled abuse, we’ll link to some resources in the show notes. We’ll also have resources for stalkerware detection, removal, and prevention. Okay, let’s close all these tabs.
Close All Tabs is a production of KQED Studios, and is reported and hosted by me, Morgan Sung. This episode was produced by Maya Cueva and edited by Chris Egusa, who also composed our theme song and credits music. The Close All Tabs team also includes editor Chris Hambrick and audio engineer Brendan Willard. Additional engineering help from Brian Douglas and additional music by APM. Audience engagement support from Maha Sanad. Jen Chien is our director of podcasts, and Ethan Toven-Lindsey is our Editor-in-Chief.
Some members of the KQED podcast team are represented by the Screen Actors Guild, American Federation of Television and Radio Artists, San Francisco, Northern California Local.
This episode’s keyboard sounds were submitted by Alex Tran and recorded on his white Epomaker Hi75 keyboard with Fogruaden red samurai keycaps and gateron milky yellow pro v2 switches. Thanks for listening.