Stalkerware use can leave victims feeling alone, scared, and without help.

Stalkerware’s legal enforcement problem

Content warning: This piece contains brief descriptions of domestic violence and assault against women and children.

In the past five years, only two stalkerware developers, both of whom designed, marketed, and sold tools favored by domestic abusers to pry into victims’ private lives, have faced federal consequences for their actions. Following a guilty plea in court, one was ordered to pay $500,000, and his app was subsequently shut down. The other was ordered to change his apps if he wanted to keep selling them.

The dearth of meaningful legal enforcement against stalkerware makers extends to another realm—stalkerware users. Those who install stalkerware with the intent to monitor, control, harass, or otherwise abuse their victims typically get away with it, avoiding legal penalty even if there’s plenty of evidence to suggest their guilt.

To blame is a frustrating yet human struggle that includes low awareness, police mistrust, limited law enforcement resources, scant data, furtive advertising schemes, and a criminal justice system that must rely on currently-available statutes—some decades old—to bring charges against alleged criminals who utilize a modern, evolving cyberthreat.

This is stalkerware’s legal enforcement problem. The invasive cyberthreat can be installed on unsuspecting users’ mobile devices to gain access to their text messages, emails, call logs, browser activity, GPS location, and even their microphone and camera. It is entangled deeply in cases of stalking, harassment, and assault—then muddied by its relationship with cybercrime and technology abuse, two little-understood and vastly under-resourced areas of criminal justice.   

Erica Olsen, director of the Safety Net program at the National Network to End Domestic Violence (NNEDV), summed up the difficulties.

“There’s generally a lack of motivation on this issue and a consistent minimization of this type of abuse,” Olsen said. “That’s complicated further when the numbers on this type of abuse are hard to track, since many people are going the route of a factory reset or a new device, and because police either don’t have access to the forensic software to test, are unwilling to use it in these cases, or survivors don’t want to.”

She continued: “That can make it seem like this isn’t happening as much as it is.” 

Large problem, limited action

In October, the US Federal Trade Commission (FTC) became the latest government body to launch a new front against stalkerware.

Following an investigation into the company Retina-X Studios and its owner, James N. Johns Jr., the FTC said it found multiple violations of the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act, which prohibits businesses from deceiving their customers. The FTC’s consent agreement told a story of broken data security promises, repeated data breaches, user privacy invasions, and compromised device security.

Per the agreement with the FTC, Retina X and Johns Jr. can no longer develop, promote, or advertise their apps—PhoneSheriff, MobileSpy, and TeenSafe—unless significant changes are made to the apps’ designs and functionalities. The same restrictions apply to any stalkerware-type app that the company and its founder work on in the future. Because of limitations of the FTC Act, the FTC could not issue a fine to Retina-X and Johns Jr. on their first violation.

At the time of the settlement agreement, Electronic Frontier Foundation Cybersecurity Director Eva Galperin, a staunch advocate against stalkerware, told Business Insider: “I’ll take what I can get.”

The problem, Galperin said, is that the FTC’s settlement only precluded Retina-X and Johns Jr. from working on stalkerware apps that were not for “legitimate” purposes—an inherently flawed premise.

“There are simply no legitimate purposes for secret stalking apps,” Galperin wrote together with EFF Associate Director of Research Gennie Gebhart.

The FTC’s settlement represented a change in enforcement, though—it was the first federal action against a stalkerware maker in five years.

In 2014, the FBI indicted a man who allegedly conspired to sell and advertise the stalkerware app StealthGenie, which could, without a user’s consent, monitor their text messages and phone calls, and peer into their online browsing behavior. The man, who was then 31 years old, pleaded guilty to the charges and received a $500,000 fine. A US District Judge later permanently shut down StealthGenie’s operations.

When Malwarebytes reached out to the FBI to better understand how it is tracking stalkerware, a spokesperson said that the bureau’s Internet Crime Complaint Center, which receives complaints about app-related crimes, has not received many complaints about stalkerware itself. The spokesperson said that stalkerware could be part of complaints being made in other categories, though, like personal data breach or malware-related activities.

Though five years apart, the actions by the FBI and the FTC bear a striking similarity. The allegations against the two stalkerware developers dealt with the economics of stalkerware— selling, marketing, promoting, advertising.

Upon the FBI’s successful prosecution of StealthGenie’s owner, then-Assistant Attorney General Leslie Caldwell affirmed this focus:

“Make no mistake: Selling spyware is a federal crime, and the Criminal Division will make a federal case out if it.”

But sometimes, the federal crime of selling stalkerware is not enough to catch everyone who makes it, said NNEDV’s Olsen.

“If you look at the language and discussion of the Stealth Genie app conviction, it was all about the marketing and the product that they were selling,” Olsen said. Unfortunately, countless stalkerware developers have changed their marketing tactics to position their products as more “family-focused” parental monitoring apps, but with the exact same, non-consensual spying capabilities. These slapdash marketing changes make it difficult for government agencies to actually catch and stop stalkerware developers, Olsen said.

“That change in their marketing makes it harder to hold them accountable because they can claim they are not responsible for people misusing or manipulating their product, but that their product is not meant to be used for illegal activity,” Olsen said.

What to do, then, if developers have faced few consequences, and an easy escape route—retooled advertising—is readily available? Easy, Olsen said. Go after the criminal users.

“If they can’t go after them for that,” Olsen said, “then the accountability has to be on the person who knowingly misused it for a criminal purpose.”

Stalkerware’s illegal uses

The legal effort to stop stalkerware users is an uphill battle. Much of that is because stalkerware itself, and the ownership of it, is not a crime.

Instead, it is how stalkerware is usedthat could violate various state and federal laws. Unfortunately, many of its use cases are grim, tied often into cases of domestic violence, sexual harassment, and assault.

Danielle Citron, professor of law at Boston University School of Law, wrote about stalkerware-leveraged domestic violence in her 2015 paper “Spying Inc.

“A woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.”

When stalkerware isn’t directly tied to violence, it can still be used in several ways that break multiple federal and state laws.

For example, a domestic abuser in California who uses stalkerware to record their partner’s phone calls without their knowledge could be violating California Penal Code 632(a), which forbids recording a phone conversation without all parties consenting, along with the federal Wiretap Act. A domestic abuser in New York who uses stalkerware to track a survivor’s movements through GPS tracking could be in violation of New York state’s “Jackie’s Law.” And a domestic abuser who jailbreaks someone’s phone to install stalkerware onto the device could be in violation of the federal Computer Fraud and Abuse Act, a broad law that WhatsApp has claimed was violated by the Israelia spyware maker NSO Group.

Quite obviously, though, stalkerware use is most often bundled into complaints of stalking, cyberstalking, and online harassment—statutes that cover a gamut of illegal behavior including intimidation, harassment, and bullying that happen in real life or online.

But even when the US government receives cases that outline these crimes, the actual, successful prosecution against the alleged criminals is rare, according to data obtained by ThinkProgress.

In 2017, ThinkProgress reported that the US Department of Justice frequently failed to prosecute cyberstalking and online harassment cases from 2012 to 2016. During that time period, US Attorneys’ offices prosecuted 321 cases of online harassment and stalking, which included 41 cases for cyberstalking. Of those 41 cases, 21 resulted in convictions.

The numbers betray the reported volume of cyberstalking that was happening at the time.

According to 2016 data from the Data & Society Research Institute and the Center for Innovative Public Health Research, an astonishing 8 percent of all US Internet users had been cyberstalked at some time in their lives. Further, 14 percent of Internet users under the age of 30 reported they’d been cyberstalked, which included 20 percent of women under 30.

ThinkProgress wrote that the data it collected is not ironclad. The data represented cases in which cyberstalking or online harassment were the first charge listed in an indictment. Also, because of how the federal statute on cyberstalking is written, the prosecutions include cases in which stalking happened through more physical means, like through a phone or through the mail.

Still, when ThinkProgress showed its data to Citron, she remarked: “That’s pathetic.”

Mary Anne Franks, professor of law at the University of Miami School of Law and vice-president of the Cyber Civil Rights Initiative, echoed Citron’s statements.

“Anecdotally, we’ve definitely heard that law enforcement generally, and the FBI in particular, is not interested in the vast majority of cases,” Franks told the outlet.

The FBI, however, only investigates crimes with a federal nexus, and quite often, the potential crimes committed in tandem with the use of stalkerware break state laws, which are to be investigated by local police.

There, different obstacles arise.

Local breakdown

As we’ve seen, the federal response to stalkerware—and to cyberstalking and online harassment—is limited. Researchers claim that US Attorneys are uninterested in prosecuting charges of cyberstalking and online harassment, and federal agencies, like the FBI and FTC, have jurisdictional limits to their investigations.

But what about at the state level, where victims can work with local police, who in turn can obtain evidence of illegal behavior, and then recommend charges and prosecution to a county’s District Attorney office?

When looking at how local law enforcement agencies respond to crimes in which stalkerware could play a role, human struggles emerge, said Maureen Curtis, vice president for the criminal justice and court programs for Operation Safe Horizon. Some of those struggles include: both victim and local law enforcement not understanding how stalkerware could be used in stalking situations, difficulty in collecting strong evidence of cyberstalking, and fear that contacting the police will make the situation worse.

Curtis has worked with the New York Police Department to train countless officers on domestic violence victim safety, offender accountability, housing options, and the criminal justice response to domestic violence. She said that her office has seen a shift stalking behavior, from a previously physical crime to one today that includes text messages, GPS tracking, and calls made from spoofed phone numbers.

It is, she said, much more “invisible,” which makes it much harder to track and much harder to find evidence on. 

“When I think about domestic violence and sexual assault and the way the criminal justice responds, there are still crimes where the onus is on the victim to show they’re a victim—definitely with stalking,” Curtis said. “It can be very difficult, particularly now, when it’s more hidden and survivors don’t have the understanding of it—it leads to them not having the evidence they feel they need.”

But even when evidence is recorded, Curtis said, the reporting of this type of behavior depends on a tenuous relationship between domestic violence survivors and the police who patrol their communities.

“Some survivors don’t want criminal prosecution—they want the [violence] to stop, and they might think that contacting the police will escalate [the situation],” Curtis said. She said that many survivors also have to consider the consequences of having their abuser arrested or sent to prison.

“If the [abuser] is an immigrant, they could be deported. If they’re working, they could lose their job,” Curtis said. She said the concerns pile up for communities of color, too. “Here in New York City, if I’m a woman of color, I may be afraid of calling the police because I’m afraid what might happen to my partner. Or I fear that, if I have children, and I call the police, they may call the child welfare authority and now I have another system involved in my life.”

Unfortunately, the frustrations can continue when a survivor decides to work with law enforcement to attempt to bring charges against an individual, Curtis said, because police can recommend charges be made, but they’re not the ones to actually prosecute. That job falls to local district attorneys.

“The police can get frustrated because, even if they write someone up, the district attorney may not feel there’s enough evidence, so the police get declined prosecution, which frustrates the police department,” Curtis said. “It’s a vicious cycle.”

What to do?

In 2015, then-Democratic Senator Al Franken reintroduced a federal bill to ban the development, use, and sale of GPS-stalking apps, creating a potential legislative solution to both the creation and use of some types of stalkerware.

At the time, Sen. Franken stressed the bewildering fact that many of the apps that enabled illegal activity were, themselves, not illegal.

“[The legislation] will help a whole range of people affected by cyberstalking, including survivors of domestic violence, and it would finally outlaw unconscionable—but perfectly legal—smartphone apps that allow abusers to secretly track their victims,” Sen. Franken said.

Introduced in the Senate, the bill was referred to the Judiciary Committee, where it stalled.  

When asked if federal legislation was the right path forward to solving the many issues in catching stalkerware abusers, cyberstalkers, and online harassers, Curtis said that new laws might help, but she had separate advice: Get the industry to do its part.

Years ago, Curtis’ office had an arrangement with Verizon, she said, in which Operation Safe Horizon could work with the phone provider to get a domestic abuse survivor’s phone number changed, free of charge. She also pointed to a free event at the New York City Family Justice Center, happening this year, in which Cornell University researchers are offering a “digital privacy check-up,” which includes a scan for “spyware.”

She said cybersecurity vendors could learn from that.

“I would imagine that, if there’s a way of putting malware onto a device, the people who really understand the tech can find it and get rid of it,” Curtis said.

She stressed that any company that wants to help must remember to provide its services for free, as many domestic violence survivors suffer from limited resources. The best part about companies getting involved, Curtis said, is that it provides an entirely new, separate avenue for relief:

“It will work whether you want to involve the criminal justice system or not.”

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.