
Stalkerware: Violates Privacy & Perpetuates Digital Abuse

By Joanne Kim

Google has started sweeping their search engine clean of products promoting intimate partner surveillance as part of an update to their Enabling Dishonest Behavior policy. While the company’s decision to reduce stalkerware ads is worth applauding, the impact of the new policy may not be as far-reaching as suspected.

Google explicitly states that ads for private investigation services and child-monitoring technology are here to stay, leaving major loopholes within the system that could still allow stalkerware advertisements to show up in search results. As Shannon Vavra at CyberScoop reported, stalkerware companies have a tendency toward deceptive, and often exploitative, marketing practices as a means of avoiding legal repercussions and catering to their most probable consumer—a domestic violence abuser.

But perhaps even more horrific than stalkerware disguised as a child-safety app is the spyware industry’s failure to securely store the personal data that their tools invasively and secretly collect. It’s obvious that this industry and these technologies require robust regulation in order to protect and deliver justice to domestic violence victims who often face multiple iterations of physical and digital trauma.

Every minute, 24 people suffer incidents of rape, physical violence, or stalking by an intimate partner. 760 people are ultimately murdered by their partners each year. The human lives behind these statistics now face additional forms of violence, with stalkerware handing abusers dangerous monitoring capabilities; abusers can mentally and emotionally traumatize their victims at all hours of the day. Unwanted phone calls, threatening messages, and physical stalking have exponentially increased in recent years with the use of stalkerware.

Although varied in functionality, most stalkerware gives abusers complete control over the digital devices and exchanges of their victims. Texts, calls, social media apps, online purchases, GPS locations, and photos are just some of the information abusers can constantly track and see. For many victims, technology, such as stalkerware, has become a dangerous enabler of several forms of digital and physical stalking, harassment, surveillance, and abuse. 

In a recent survey, 85% of crisis shelters reported working with victims whose abusers tracked them using GPS; similarly, 50% of those shelters have a policy against using Facebook. While the company has released a guide for survivors of abuse, the platform still has certain features that can prove dangerous to victims. Facebook tracks their users’ locations by default, the platform’s messenger allows for pinpoint location, and victims may appear in the abuser’s “People You May Know” feature (of which users are currently unable to opt out). One innocent tag by a friend or an automatic check-in at a location could cost a victim their life. These digital devices and platforms are ultimately exposing victims whose very survival depends on privacy and the security of their data. 

Some shelters have even resorted to extreme digital detox programs to prevent any sensitive or compromising data from reaching abusers. The detoxes usually mean going cold turkey and deleting apps, such as Facebook, entirely. Ultimately, in response to a scary, often life-or-death reality, victims are the ones forced to give up their online communities and unplug from the digital world in an increasingly digitized society.

Giving consumers, particularly abusers, such easy access to stalkerware already raises several red flags. Unfortunately, the privacy issues only proliferate from there. It seems that abusers aren’t just collecting intimate and sensitive data for themselves; several hackers have attested to the poor security practices employed by spyware companies. Many have commented on the unprotected nature and dismal storage of the data and the dangerous impact it has on victims. The lack of data security ironically also poses a great risk to the abuser, whose sensitive and personal information may also be stored by spyware companies. 

Just between 2017 and 2018, hackers were able to breach the data of eight different spyware providers: FlexiSpy, Retina-X, TheTruthSpy, Mobistealth, Spy Master Pro, SpyFone, and SpyHuman. Since then, more hackers have exposed details of the painfully low security measures put in place by these companies. Some have set their cloud storage buckets to public, while others have exposed their HTML code for back-end access. Still other spyware companies have maintained completely unprotected APIs or left passwords out on the internet for anyone to retrieve.

According to L.M., a pseudonymous hacker, spyware companies simply “don’t care about a victim’s privacy or securing their data,” leaving videos of children, audio recordings, contact information, browser histories, and more completely open on the Internet or easily accessible via simple data breaches. While many of the aforementioned hackers were merely attempting to display the privacy concerns posed by spyware companies and their products, there arises a serious consideration of the risks that could result from a malicious data breach. Victims, and even possibly their abusers and other third parties, could suffer from identity theft, financial extortion, and an infringement of their personal privacy and data—all without their knowledge. Some hackers warned that even identifying just one password could have serious consequences for the victim since most people reuse the same password for various accounts. Malicious actors could potentially utilize one password to compromise other accounts and information to threaten individuals as a form of ransomware.

While severe reform is necessary to regulate the use and production of stalkerware, there are immediate steps that should be taken to reduce the privacy concerns posed by spyware companies. These companies should provide public transparency reports and administer third-party assessments of their security measures, per the FTC’s recommendations in a previous investigation. Further, other private sector corporations should follow in Google’s footsteps and devise an even more robust ad-reviewing process and internal checklists that limit the reach of spyware companies and their stalkerware products in the consumer market. Allowing these tools to remain available and unregulated doesn’t produce some theoretical harm—it very tangibly enables emotional, mental, physical, and in some cases, even lethal violence.

Joanne Kim is the Co-President of Ethical Tech.