
WHAT YOU NEED TO KNOW ABOUT STALKERWARE
15.07.21
WHAT'S IT ABOUT?
Overview from TED
"Full access to a person's phone is the next best thing to full access to a person's mind," says cybersecurity expert Eva Galperin. In an urgent talk, she describes the emerging danger of stalkerware - software designed to spy on someone by gaining access to their devices without their knowledge - and calls on antivirus companies to recognize these programs as malicious in order to discourage abusers and protect victims.

"What I learned is that data leaks. It's like water. It gets in places you don't want it. Human leaks. Your friends give away information about you. Your family gives away information about you."

Eva Galperin
Digital Security Expert
Eva Galperin is director of cybersecurity for the online security organization Electronic Frontier Foundation, safeguarding the privacy of vulnerable populations. Prior to her work for EFF, Galperin worked in security and IT in Silicon Valley. Her best-known work is protecting global privacy and free speech.


MY TAKE...
Eva Galperin’s TED Talk delves into the dark side of technology; one that many of us are aware of, but prefer not to think about. If you’ve ever felt like you’re being watched through your webcam, you’re not alone. Our paranoia stems from novels, TV shows and movies but in most cases, we have nothing to worry about. Others aren’t so fortunate.
Whilst devices can be monitored for a myriad of reasons (companies keeping tabs on employee emails, for instance, or parents checking their children’s browsing habits), Galperin’s presentation focuses on the sinister end of the spectrum: abusive relationships.
Her introduction covers her background, explaining that in 2017 she was working as a security researcher looking at ways in which advanced persistent threats (APTs) spy on journalists, activists, lawyers, scientists and “generally people who speak truth to power”.
It was during this period that she discovered her colleague – with whom she had worked on the APT project – was accused of being a serial rapist.
It was at this point in the talk that I spat out my coffee. I was not expecting that.
Many of the TED Talks I engage with focus on making improvements in x, y and z fields for the love of the work, the betterment of one’s self, the benefit of humanity or, sometimes, for the money. For a project to be born from such a shocking – and personal - revelation is rare to say the least. Kudos to Galperin for taking this stand and giving her voice to the voiceless.
She explains:
“In January of 2018, I read an article with some of his alleged victims. And one of the things that really struck me about this article is how scared they were. They were really frightened, they had, you know, tape over the cameras on their phones and on their laptops, and what they were worried about was that he was a hacker and he was going to hack into their stuff and he was going to ruin their lives. And this had kept them silent for a really long time.”
Her response? To tweet…
“If you’re a woman who has been sexually abused by a hacker who threatened to compromise your devices, contact me and I will make sure they are properly examined.”
This single tweet received close to nine thousand retweets and over 15K likes, with women and men from around the globe seeking Galperin’s advice and help. And so, the project was born…



PASSWORD PROTECT
The term “spy” typically conjures up images of James Bond, George Smiley or the cast of Spooks - not your ex-spouse, former partner or that awful Tinder date from July last year. Yet it is those who we were once close to who often pose the greatest threat.
Galperin expands:
“What I learned is that data leaks. It's like water. It gets in places you don't want it. Human leaks. Your friends give away information about you. Your family gives away information about you. You go to a party, somebody tags you as having been there.
“And this is one of the ways in which abusers pick up information about you that you don't otherwise want them to know. It is not uncommon for abusers to go to friends and family and ask for information about their victims under the guise of being concerned about their ‘mental health.’”
Compromised accounts – Gmail, Twitter, iCloud, Netflix, Apple ID – were commonplace in Galperin’s findings, many of which were accessed through shared passwords, easy-to-guess security questions, or simply by looking over the shoulder of the target as they tap in their smartphone passcode.
It’s a scary thought that serves to highlight the inadequacies of everyday security. Sure, you may know better than to let others see your pin number at the ATM machine, but did you think twice before adding “Smith” and “Fluffy” as your security question answers? Your mother’s maiden name or the name of your first pet aren’t enough to protect your privacy in this day and age. And hackers are taking advantage…
Galperin reminds us of the basics, something we all know but often fail to put into practice:
“Use strong, unique passwords for all of your accounts. Use more strong, unique passwords as the answers to your security questions, so that somebody who knows the name of your childhood pet can't reset your password. And finally, turn on the highest level of two-factor authentication that you're comfortable using. So that even if an abuser manages to steal your password, because they don't have the second factor, they will not be able to log into your account.”
You may have noticed more and more platforms – such as Amazon or your bank – are using one-time authentication codes (typically an alphanumeric code sent to your mobile) to grant access to your accounts. It may seem like a drag at the time, but these measures are in place for a reason: to compensate for our otherwise weak defences.
In August 2019, I published a video highlighting the dangers of so-called “credential stuffing”. The average number of online accounts held by internet users is around 200. It’s therefore not surprising that many users choose to re-use easy-to-remember passwords. But at what cost?
Having cracked a single password, hackers can automatically try to log in to hundreds of other websites using your stolen credentials. In as little as 3 minutes, they could access your bank account, smartphone email, images... it doesn’t bear thinking about. Even more so if said hacker plans to abuse you as a result – physically, emotionally or otherwise.
But it doesn’t stop there. According to Galperin, for as little as “40 bucks a month”, abusers can install stalkerware software on a victim’s device, enabling them access to emails, contacts, selfies – you name it!
What’s worse, stalkerware companies actively promote this heinous activity. Galperin shares a screenshot of Cocospy, complete with spiel on how to “spy on your wife with ease”… “You do not have to worry about where she goes, who she talks to or what websites she visits.” HelloSpy, another such product, talks about the prevalence of cheating and the importance of catching your partner in the act. Galperin laments:
“[HelloSpy’s marketing page includes] this fine picture of a man who has clearly just caught his partner cheating and has beaten her. She has a black eye, there is blood on her face. And I don't think that there is really a lot of question about whose side HelloSpy is on in this particular case. And who they're trying to sell their product to.”


PUTTING THE "I" IN PRIVACY
Thankfully, tech crusaders such as Galperin exist to help minimise the risks.
As things stand, it can be difficult for antivirus companies to recognise stalkerware as malicious. Galperin’s tests shows that only seven out of 60 platforms recognised the software she was using as stalkerware. A separate test achieved 10 out of 61. A shockingly poor result.
To combat this issue, Galperin has been working directly with antivirus companies to start marking stalkerware as malicious, in addition to forming the Coalition Against Stalkerware. She concludes:
"Our goal is both to educate people about these programs, but also to convince the antivirus companies to change the norm in how they act around this very scary software, so that soon, if I get up in front of you and I talk to you about this next year, I could tell you that the problem has been solved, and all you have to do is download any antivirus and it is considered normal for it to detect stalkerware. That is my hope."
And whilst now – more than a year on from this TED talk - there is still work to be done, great strides have been made in the fight against stalkerware.
In June 2020, the Coalition Against Stalkerware published a report detailing the improvements made between November 2019 and May 2020:
“There is a clear trend that anti-virus (AV) programs manage to react expeditiously to the emerging stalkerware threats. When comparing May 2020 to November 2019, nine out of ten AV products for Android improved their results in bringing awareness to their users about stalkerware installed on a device. When it comes to Windows OS, with no exception all software products showed an increase in detecting stalkerware.”
Here’s hoping it will be 10 out of 10 before long, putting the “i” in “privacy” once more.
For more entertaining, insightful and thought-provoking talks, visit TED.com