Jennifer's boyfriend said she wasn't allowed to put a password on her phone.
"He said I didn't need it if I trusted him," she said. But that didn't just mean he could go through her messages if she left the device lying around.
"He could see everything I was doing, no matter where I was. When we broke up, he started stalking me. I felt so violated when I found out."
Jennifer — not her real name — is one of the many victims of stalking who was helped by Operation Safe Escape, a US-based security group that works with victims of domestic violence, to identify and deal with powerful tracking software installed secretly on her phone. According to the group, this violation is not unusual.
Apps used for stalking and covert surveillance, which tread a fine legal line when it comes to data privacy, are hiding on thousands of phones, despite being banned by major app stores.
Apps such as mSpy, TheTruthSpy and FlexiSpy allow users to monitor someone else's phone activity, including their call logs, the contents of text and chat messages, GPS data and photos. Often billed as "parental control" or "employee monitoring" tools, many stalkerware apps also advertise themselves as a way to catch cheating partners — and note they can be installed invisibly on a target's phone.
Installation generally requires physical access to the device; users can then hide the app's icon and view the contents of the phone remotely, by logging into an online dashboard that monitors its activity.
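The pattern described above, a sideloaded app with its launcher icon hidden that ships messages, call logs, location and audio to a remote dashboard, leaves a footprint that can be triaged from a package inventory. The following is an added example for readers who want to check a device, not code from this article or from any company named in it. It parses a constructed, simplified inventory in the spirit of what `adb shell pm list packages -f` and `dumpsys package` report (real output is far more verbose and the launcher activity must be queried separately), and the package names in the sample are fictional. The permission list and the threshold of three sensitive permissions are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed sample inventory. Package names are fictional; the format is a
# simplified stand-in for adb/dumpsys output, not a real device dump.
SAMPLE_INVENTORY = """\
package:com.example.messenger
  codePath=/data/app/com.example.messenger-1
  grantedPermissions: android.permission.READ_CONTACTS android.permission.RECORD_AUDIO
  launcherActivity: com.example.messenger.MainActivity
package:com.android.systemui
  codePath=/system/priv-app/SystemUI
  grantedPermissions: android.permission.READ_SMS android.permission.READ_CALL_LOG android.permission.ACCESS_FINE_LOCATION
  launcherActivity: none
package:com.sysservice.update
  codePath=/data/app/com.sysservice.update-1
  grantedPermissions: android.permission.READ_SMS android.permission.READ_CALL_LOG android.permission.ACCESS_FINE_LOCATION android.permission.RECORD_AUDIO
  launcherActivity: none
"""

# Assumed list: permissions that together cover what the article says these
# apps harvest (messages, call logs, location, microphone).
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
}


@dataclass
class Pkg:
    name: str
    code_path: str = ""
    permissions: set = field(default_factory=set)
    launcher: str = "none"

    @property
    def third_party(self) -> bool:
        # Firmware apps live under /system or /vendor; anything installed by a
        # user, including apps downloaded outside the Play store, lands in /data/app.
        return self.code_path.startswith("/data/app")

    @property
    def icon_hidden(self) -> bool:
        # No launcher activity means nothing to tap in the app drawer.
        return self.launcher == "none"


def parse_inventory(text: str) -> list[Pkg]:
    """Parse the simplified inventory format into Pkg records."""
    pkgs: list[Pkg] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("package:"):
            pkgs.append(Pkg(name=line[len("package:"):]))
        elif not pkgs:
            continue  # detail line before any package header; ignore
        elif line.startswith("codePath="):
            pkgs[-1].code_path = line[len("codePath="):]
        elif line.startswith("grantedPermissions:"):
            pkgs[-1].permissions = set(line.split()[1:])
        elif line.startswith("launcherActivity:"):
            pkgs[-1].launcher = line.split(":", 1)[1].strip()
    return pkgs


def flag_suspects(pkgs: list[Pkg], min_sensitive: int = 3) -> dict[str, list[str]]:
    """Return {package: reasons} for user-installed apps with no launcher icon
    and at least min_sensitive of the SENSITIVE permissions. This is a triage
    heuristic, not proof: a legitimate background service can match it and a
    monitoring app can avoid it, so every hit needs a human to look at it."""
    flagged: dict[str, list[str]] = {}
    for p in pkgs:
        hits = sorted(p.permissions & SENSITIVE)
        if p.third_party and p.icon_hidden and len(hits) >= min_sensitive:
            flagged[p.name] = ["installed under /data/app", "no launcher icon"] + hits
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_suspects(parse_inventory(SAMPLE_INVENTORY)).items():
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, only the fictional `com.sysservice.update` is flagged: the system UI package holds the same permissions but is part of the firmware, and the messenger has a visible icon and a light permission footprint. On a real handset the inventory would come from adb over USB, and a hit should be followed by looking at the app's install date, its network destinations and whether it holds device-administrator or accessibility rights, none of which this heuristic checks.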
Although these companies are secretive about user numbers and revenues, cyber-security company Kaspersky Lab said a growing number of people were being targeted with stalkerware.
Last year Kaspersky found and removed 58,000 instances of stalkerware after customers used its antivirus app, which looks for malicious code, to scan their devices. By July 2019 its specific anti-stalkerware product, which was released in April, had detected malicious apps on phones belonging to more than 7,000 customers worldwide.
Stalkerware "can be much more severe than other types of malware . . . because it is made to be used as a tool for the abuse of another person's privacy and is often used by domestic abusers", said security researcher Alexey Firsh.
Anti-spyware company Certo also said demand had "certainly increased in recent years".

'Illicit surveillance'
The cheap availability of personal surveillance apps can have devastating effects. In 2014 a survey by National Public Radio of 72 domestic violence shelters in the US discovered that 85 per cent had assisted victims whose abusers had tracked them using GPS. The same year, the National Network to End Domestic Violence found that 54 per cent of abusers had tracked their victims' mobile phones using stalkerware.
Last year, amid rising concerns, US senator Richard Blumenthal sought information from nine appmakers that offer tracking software, including mSpy and FlexiSpy, about how they ensured their products were not being used for "illegal purposes", such as stalking or "illicit surveillance".
Spyware is prohibited by most major app stores, including Apple's and Google's. In April Apple removed several parental control apps on the grounds that they were excessively invasive, and Google removed four stalkerware apps from its store this week after researchers at antivirus company Avast identified them.
However, apps such as mSpy can be downloaded directly on to Android phones from the vendors' own websites, bypassing the Play store. This cannot be done on iPhones unless they are "jailbroken", a process that removes Apple's restrictions on installing software from outside the App Store and with it some of the device's security protections. Many spyware apps advertise downloads for jailbroken iPhones.
Some apps also offer an iPhone workaround, which requires the user to obtain the target's iCloud login details. They can then remotely monitor all the information backed up to the iCloud account, though they are unable to eavesdrop on calls or listen in to the phone's surroundings.
This workaround does not require the user to gain physical access to the phone, unless two-factor authentication — which asks iCloud account owners to approve logins on new devices — is in place.
While explaining this restriction, a representative of monitoring app Mobistealth provided a link to a webpage that explained how to disable two-factor authentication.
Since Apple is unable to determine whether someone presenting correct iCloud credentials is the account owner or a malicious actor, there is little it can do.
A spokesperson for mSpy said its technology was not spyware, but "parental control software" developed only for that purpose. Parents can hide the app's icon to prevent children from uninstalling it, they added. Although its app could be "misused", mSpy said it could not tell whether this was happening since user data are encrypted.
'Unlike anything in recent history'

In June researchers at the University of Toronto concluded in a study of stalkerware apps that some products were "openly designed specifically to circumvent the [victim's] privacy and control". They also suggested the apps were in breach of the EU's new privacy rules, the General Data Protection Regulation.
The software "would not meet any of the GDPR conditions" relating to the collection and use of personal data, the researchers said. Given that victims of stalking and monitoring may not know an app is installed on their phone, they are unable to make choices about the collection and processing of their sensitive information — a key part of GDPR — they said.
FlexiSpy, which was named in the report, advertises services such as "spying" on texts, "even deleted messages", and says its "undetectable" software can help catch "cheating" spouses. Highster Mobile and Mobistealth also market their products as tools to catch unfaithful partners, while Hoverwatch stresses that its "stealth mode" function is useful when "you have to take the situation into your own hands".
TheTruthSpy even talks about its software as an alternative to "hacking" a "victim's cell phone".
All apps declined to comment. But their terms of use — some of which explicitly say they are GDPR-compliant — generally state that users must obtain consent from the owner of the target phone before installing the software.
"You are solely responsible for how you use the software, & for complying with all relevant laws," FlexiSpy's terms state. "If you install or attempt to install our software on to a phone which you do not own or have proper consent, we will co-operate with law officials to the fullest extent possible," Highster Mobile's say.
This is "disclaiming away their liability", said Cynthia Khoo, a researcher at Citizen Lab and one of the report's authors. "We didn't see evidence of these companies taking any proactive measures to prevent abuse or violence," she said.
In the event of a data breach, stalkerware apps would be obliged to notify their customers. But these people would not necessarily be the ones whose data were at risk. This is a "serious failing", said Christopher Parsons, the report's lead author.
Several other monitoring apps, including Family Orbit and Retina-X, have been the targets of "ethical hackers", who have broken into their systems and obtained sensitive data to demonstrate security weaknesses.
Claiming to be GDPR-compliant on the basis of consent, while passing on the responsibility for obtaining that consent and explicitly advertising systems for covert monitoring, seemed to be "completely converse" and "contrary stances", said Paula Barrett, partner and co-lead of cyber security and data privacy at law firm Eversheds Sutherland.
The European Data Protection Board said no cases involving stalkerware had been escalated to its level, though it could not say whether any had been brought by national authorities.
The Canadian Privacy Commissioner, which helped to fund the Toronto report, said it was reviewing the findings. Some of the recommendations echoed "concerns and recommendations we've been raising for some time", a spokesperson said.
When asked why mSpy was not available on Google's Play store, a customer services representative said the store "doesn't like what we are doing here". When asked why, they said it "doesn't matter", and sent a link to a video showing how to download the software to Android phones.
These apps represent "the democratisation of surveillance unlike anything I can think of in recent history", said Dr Parsons. "It's incredibly intimate and invasive."