{"id":16910,"date":"2019-11-18T08:10:05","date_gmt":"2019-11-18T16:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/18\/news-10647\/"},"modified":"2019-11-18T08:10:05","modified_gmt":"2019-11-18T16:10:05","slug":"news-10647","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/18\/news-10647\/","title":{"rendered":"Stalkerware\u2019s legal enforcement problem"},"content":{"rendered":"

Credit to Author: David Ruiz| Date: Mon, 18 Nov 2019 15:47:58 +0000<\/strong><\/p>\n

Content warning: This piece contains brief descriptions of domestic violence and assault against women and children.<\/em><\/p>\n

In the past five years, only two stalkerware developers, both of whom designed, marketed, and sold tools favored by domestic abusers to pry into victims\u2019 private lives, have faced federal consequences for their actions. Following a guilty plea in court, one was ordered to pay $500,000<\/a>, and his app was subsequently shut down. The other was ordered to change his apps if he wanted to keep selling them. <\/p>\n

The dearth of meaningful legal enforcement against stalkerware makers extends to another realm\u2014stalkerware users<\/em>. Those who install stalkerware with the intent to monitor, control, harass, or otherwise abuse their victims typically get away with it, avoiding legal penalty even if there\u2019s plenty of evidence to suggest their guilt.<\/p>\n

To blame is a frustrating yet human struggle that includes low awareness, police mistrust, limited law enforcement resources, scant data, furtive advertising schemes, and a criminal justice system that must rely on currently-available statutes\u2014some decades old\u2014to bring charges against alleged criminals who utilize a modern, evolving cyberthreat. <\/p>\n

This is stalkerware\u2019s legal enforcement problem. The invasive cyberthreat can be installed on unsuspecting users\u2019 mobile devices to gain access to their text messages, emails, call logs, browser activity, GPS location, and even their microphone and camera. It is entangled deeply in cases of stalking, harassment, and assault\u2014then muddied by its relationship with cybercrime and technology abuse, two little-understood and vastly under-resourced areas of criminal justice.   <\/p>\n

Erica Olsen, director of the Safety Net program at the National Network to End Domestic Violence (NNEDV), summed up the difficulties. <\/p>\n

\u201cThere\u2019s generally a lack of motivation on this issue and a consistent minimization of this type of abuse,\u201d Olsen said. \u201cThat\u2019s complicated further when the numbers on this type of abuse are hard to track, since many people are going the route of a factory reset or a new device, and because police either don\u2019t have access to the forensic software to test, are unwilling to use it in these cases, or survivors don\u2019t want to.\u201d<\/p>\n

She continued: \u201cThat can make it seem like this isn\u2019t happening as much as it is.\u201d  <\/p>\n

Large problem, limited action<\/strong><\/h3>\n

In October, the US Federal Trade Commission (FTC) became the latest government body to launch a new front against stalkerware. <\/p>\n

Following an investigation into the company Retina-X Studios and its owner, James N. Johns Jr., the FTC said it found multiple violations of the Children\u2019s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act, which prohibits businesses from deceiving their customers. The FTC\u2019s consent agreement told a story of broken data security promises, repeated data breaches, user privacy invasions, and compromised device security<\/a>. <\/p>\n

Per the agreement with the FTC, Retina X and Johns Jr. can no longer develop, promote, or advertise their apps\u2014PhoneSheriff, MobileSpy, and TeenSafe\u2014unless significant changes are made to the apps\u2019 designs and functionalities. The same restrictions apply to any stalkerware-type app that the company and its founder work on in the future. Because of limitations of the FTC Act, the FTC could not issue a fine to Retina-X and Johns Jr. on their first violation.<\/p>\n

At the time of the settlement agreement, Electronic Frontier Foundation Cybersecurity Director Eva Galperin, a staunch advocate against stalkerware, told Business Insider<\/a>: \u201cI\u2019ll take what I can get.\u201d <\/p>\n

The problem, Galperin said, is that the FTC\u2019s settlement only precluded Retina-X and Johns Jr. from working on stalkerware apps that were not for \u201clegitimate\u201d purposes\u2014an inherently flawed premise.<\/p>\n

\u201cThere are simply no legitimate purposes <\/em>for secret stalking apps,\u201d Galperin wrote together with EFF Associate Director of Research Gennie Gebhart<\/a>. <\/p>\n

The FTC\u2019s settlement represented a change in enforcement, though\u2014it was the first federal action against a stalkerware maker in five years. <\/p>\n

In 2014, the FBI indicted a man who allegedly conspired to sell and advertise the stalkerware app StealthGenie,<\/a> which could, without a user\u2019s consent, monitor their text messages and phone calls, and peer into their online browsing behavior. The man, who was then 31 years old, pleaded guilty to the charges and received a $500,000 fine. A US District Judge later permanently shut down StealthGenie\u2019s operations<\/a>. <\/p>\n

When Malwarebytes reached out to the FBI to better understand how it is tracking stalkerware, a spokesperson said that the bureau\u2019s Internet Crime Complaint Center, which receives complaints about app-related crimes, has not received many complaints about stalkerware itself. The spokesperson said that stalkerware could be part of complaints being made in other categories, though, like personal data breach or malware-related activities.<\/p>\n

Though five years apart, the actions by the FBI and the FTC bear a striking similarity. The allegations against the two stalkerware developers dealt with the economics of stalkerware\u2014 selling, marketing, promoting, advertising. <\/p>\n

Upon the FBI\u2019s successful prosecution of StealthGenie\u2019s owner, then-Assistant Attorney General Leslie Caldwell affirmed this focus<\/a>:<\/p>\n

\u201cMake no mistake: Selling spyware is a federal crime, and the Criminal Division will make a federal case out if it.\u201d <\/p>\n

But sometimes, the federal crime of selling stalkerware is not enough to catch everyone who makes it, said NNEDV\u2019s Olsen. <\/p>\n

\u201cIf you look at the language and discussion of the Stealth Genie app conviction, it was all about the marketing and the product that they were selling,\u201d Olsen said. Unfortunately, countless stalkerware developers have changed their marketing tactics to position their products as more \u201cfamily-focused\u201d parental monitoring apps, but with the exact same, non-consensual spying capabilities<\/a>. These slapdash marketing changes make it difficult for government agencies to actually catch and stop stalkerware developers, Olsen said. <\/p>\n

\u201cThat change in their marketing makes it harder to hold them accountable because they can claim they are not responsible for people misusing or manipulating their product, but that their product is not meant to be used for illegal activity,\u201d Olsen said. <\/p>\n

What to do, then, if developers have faced few consequences, and an easy escape route\u2014retooled advertising\u2014is readily available? Easy, Olsen said. Go after the criminal users. <\/p>\n

\u201cIf they can\u2019t go after them for that,\u201d Olsen said, \u201cthen the accountability has to be on the person who knowingly misused it for a criminal purpose.\u201d<\/p>\n

Stalkerware\u2019s illegal uses<\/strong><\/h3>\n

The legal effort to stop stalkerware users is an uphill battle. Much of that is because stalkerware itself, and the ownership of it, is not a crime. <\/p>\n

Instead, it is how stalkerware is usedthat could violate various state and federal laws. Unfortunately, many of its use cases are grim, tied often into cases of domestic violence, sexual harassment, and assault. <\/p>\n

Danielle Citron, professor of law at Boston University School of Law, wrote about stalkerware-leveraged domestic violence in her 2015 paper \u201cSpying Inc.<\/a>\u201d<\/p>\n

\u201cA woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.\u201d<\/p>\n

When stalkerware isn\u2019t directly tied to violence, it can still be used in several ways that break multiple federal and state laws<\/a>. <\/p>\n

For example, a domestic abuser in California who uses stalkerware to record their partner\u2019s phone calls without their knowledge could be violating California Penal Code 632(a), which forbids recording a phone conversation without all parties consenting, along with the federal Wiretap Act. A domestic abuser in New York who uses stalkerware to track a survivor\u2019s movements through GPS tracking could be in violation of New York state\u2019s \u201cJackie\u2019s Law.\u201d<\/a> And a domestic abuser who jailbreaks someone\u2019s phone to install stalkerware onto the device could be in violation of the federal Computer Fraud and Abuse Act, a broad law that WhatsApp has claimed was violated by the Israelia spyware maker NSO Group<\/a>. <\/p>\n

Quite obviously, though, stalkerware use is most often bundled into complaints of stalking, cyberstalking, and online harassment\u2014statutes that cover a gamut of illegal behavior including intimidation, harassment, and bullying that happen in real life or online. <\/p>\n

But even when the US government receives cases that outline these crimes, the actual, successful prosecution against the alleged criminals is rare, according to data obtained by ThinkProgress<\/a>. <\/p>\n

In 2017, ThinkProgress reported that the US Department of Justice frequently failed to prosecute cyberstalking and online harassment cases from 2012 to 2016. During that time period, US Attorneys\u2019 offices prosecuted 321 cases of online harassment and stalking, which included 41 cases for cyberstalking. Of those 41 cases, 21 resulted in convictions. <\/p>\n

The numbers betray the reported volume of cyberstalking that was happening at the time. <\/p>\n

According to 2016 data from the Data & Society Research Institute and the Center for Innovative Public Health Research<\/a>, an astonishing 8 percent of all US Internet users had been cyberstalked at some time in their lives. Further, 14 percent of Internet users under the age of 30 reported they\u2019d been cyberstalked, which included 20 percent of women under 30. <\/p>\n

ThinkProgress wrote that the data it collected is not ironclad. The data represented cases in which cyberstalking or online harassment were the first charge listed in an indictment. Also, because of how the federal statute on cyberstalking is written, the prosecutions include cases in which stalking happened through more physical means, like through a phone or through the mail. <\/p>\n

Still, when ThinkProgress showed its data to Citron, she remarked: \u201cThat\u2019s pathetic.\u201d <\/p>\n

Mary Anne Franks, professor of law at the University of Miami School of Law and vice-president of the Cyber Civil Rights Initiative, echoed Citron\u2019s statements. <\/p>\n

\u201cAnecdotally, we\u2019ve definitely heard that law enforcement generally, and the FBI in particular, is not interested in the vast majority of cases,\u201d Franks told the outlet. <\/p>\n

The FBI, however, only investigates crimes with a federal nexus, and quite often, the potential crimes committed in tandem with the use of stalkerware break state laws, which are to be investigated by local police. <\/p>\n

There, different obstacles arise. <\/p>\n

Local breakdown<\/strong><\/h3>\n

As we\u2019ve seen, the federal response to stalkerware\u2014and to cyberstalking and online harassment\u2014is limited. Researchers claim that US Attorneys are uninterested in prosecuting charges of cyberstalking and online harassment, and federal agencies, like the FBI and FTC, have jurisdictional limits to their investigations. <\/p>\n

But what about at the state level, where victims can work with local police, who in turn can obtain evidence of illegal behavior, and then recommend charges and prosecution to a county\u2019s District Attorney office? <\/p>\n

When looking at how local law enforcement agencies respond to crimes in which stalkerware could play a role, human struggles emerge, said Maureen Curtis, vice president for the criminal justice and court programs for Operation Safe Horizon. Some of those struggles include: both victim and local law enforcement not understanding how stalkerware could be used in stalking situations, difficulty in collecting strong evidence of cyberstalking, and fear that contacting the police will make the situation worse. <\/p>\n

Curtis has worked with the New York Police Department to train countless officers on domestic violence victim safety, offender accountability, housing options, and the criminal justice response to domestic violence. She said that her office has seen a shift stalking behavior, from a previously physical crime to one today that includes text messages, GPS tracking, and calls made from spoofed phone numbers. <\/p>\n

It is, she said, much more \u201cinvisible,\u201d which makes it much harder to track and much harder to find evidence on.  <\/p>\n

\u201cWhen I think about domestic violence and sexual assault and the way the criminal justice responds, there are still crimes where the onus is on the victim to show they\u2019re a victim\u2014definitely with stalking,\u201d Curtis said. \u201cIt can be very difficult, particularly now, when it\u2019s more hidden and survivors don\u2019t have the understanding of it\u2014it leads to them not having the evidence they feel they need.\u201d <\/p>\n

But even when evidence is recorded, Curtis said, the reporting of this type of behavior depends on a tenuous relationship between domestic violence survivors and the police who patrol their communities. <\/p>\n

\u201cSome survivors don\u2019t want criminal prosecution\u2014they want the [violence] to stop, and they might think that contacting the police will escalate [the situation],\u201d Curtis said. She said that many survivors also have to consider the consequences of having their abuser arrested or sent to prison. <\/p>\n

\u201cIf the [abuser] is an immigrant, they could be deported. If they\u2019re working, they could lose their job,\u201d Curtis said. She said the concerns pile up for communities of color, too. \u201cHere in New York City, if I\u2019m a woman of color, I may be afraid of calling the police because I\u2019m afraid what might happen to my partner. Or I fear that, if I have children, and I call the police, they may call the child welfare authority and now I have another system involved in my life.\u201d <\/p>\n

Unfortunately, the frustrations can continue when a survivor decides to work with law enforcement to attempt to bring charges against an individual, Curtis said, because police can recommend charges be made, but they\u2019re not the ones to actually prosecute. That job falls to local district attorneys. <\/p>\n

\u201cThe police can get frustrated because, even if they write someone up, the district attorney may not feel there\u2019s enough evidence, so the police get declined prosecution, which frustrates the police department,\u201d Curtis said. \u201cIt\u2019s a vicious cycle.\u201d <\/p>\n

What to do? <\/strong><\/h3>\n

In 2015, then-Democratic Senator Al Franken reintroduced a federal bill to ban the development, use, and sale of GPS-stalking apps, creating a potential legislative solution to both the creation and <\/em>use of some types of stalkerware. <\/p>\n

At the time, Sen. Franken stressed the bewildering fact that many of the apps that enabled illegal activity were, themselves, not illegal.<\/p>\n

\u201c[The legislation] will help a whole range of people affected by cyberstalking, including survivors of domestic violence, and it would finally outlaw unconscionable\u2014but perfectly legal\u2014smartphone apps that allow abusers to secretly track their victims,” Sen. Franken said<\/a>. <\/p>\n

Introduced in the Senate, the bill was referred to the Judiciary Committee, where it stalled.  <\/p>\n

When asked if federal legislation was the right path forward to solving the many issues in catching stalkerware abusers, cyberstalkers, and online harassers, Curtis said that new laws might help, but she had separate advice: Get the industry to do its part. <\/p>\n

Years ago, Curtis\u2019 office had an arrangement with Verizon, she said, in which Operation Safe Horizon could work with the phone provider to get a domestic abuse survivor\u2019s phone number changed, free of charge. She also pointed to a free event at the New York City Family Justice Center, happening this year, in which Cornell University researchers are offering a \u201cdigital privacy check-up,\u201d which includes a scan for \u201cspyware.\u201d <\/p>\n

She said cybersecurity vendors could learn from that. <\/p>\n

\u201cI would imagine that, if there\u2019s a way of putting malware onto a device, the people who really understand the tech can find it and get rid of it,\u201d Curtis said. <\/p>\n

She stressed that any company that wants to help must remember to provide its services for free, as many domestic violence survivors suffer from limited resources. The best part about companies getting involved, Curtis said, is that it provides an entirely new, separate avenue for relief: <\/p>\n

\u201cIt will work whether you want to involve the criminal justice system or not.\u201d <\/p>\n

The post Stalkerware\u2019s legal enforcement problem<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: David Ruiz| Date: Mon, 18 Nov 2019 15:47:58 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Those who install stalkerware with the intent to monitor, control, harass, or otherwise abuse their victims typically get away with it, avoiding legal penalty even if there\u2019s plenty of evidence to suggest their guilt.<\/p>\n

Categories: <\/p>\n