When it comes to electronic snooping, Big Brother has competition. Watch out also for little brother, jealous spouse, overbearing parent and suspicious business partner.
Software that is commonly known as spyware, or stalkerware, is easier than ever to obtain and provides would-be snoopers extraordinary – and often illegal – spying power.
Installed surreptitiously on a target’s smart phone, it can allow a user to eavesdrop on calls, capture photos, read messages, view browser history, and even remotely switch on a device’s microphone.
Dozens of companies in the booming spyware industry market the smart phone apps. Perhaps fittingly, the industry is also riddled with recent intrigue. Hackers have zeroed in on how these apps can facilitate domestic abuse by allowing spouses to track their victims. Recently, hackers breached two spyware companies and splashed internal documents into the public sphere.
“There’s certainly been a spyware gold rush over the last five years, when this industry kind of sprang up,” said Morgan Marquis-Boire, a Bay Area-based researcher of surveillance software who is affiliated with the Citizen Lab of the University of Toronto. “People think there’s a lot of money to be made.”
The cost of electronic espionage has dropped, and apps offer services that cost as little as $30 a month for a gamut of capabilities that were once a monopoly of governments.
The global market for “lawful interception” technology and software will soar to $1.3 billion by 2019, according to MarketsandMarkets, a research company based in Pune, India.
Governments have deployed mobile surveillance software for decades, and some of the technology spilled over to private vendors that have sold it to law enforcement agencies. Steadily, smaller companies have marketed more affordable consumer versions.
“If you just Google ‘how to spy on your spouse,’ you’ll get hundreds if not thousands of hits,” said Cindy Southworth, executive vice president of the National Network to End Domestic Violence.
Daniel E. Clement, a divorce and family law attorney in Manhattan, said he commonly finds himself counseling clients about whether they should plant spyware on a partner’s smart phone to learn if they are cheating.
“I tell them, be cautious. You may get an answer to the question you are asking, but you may break the law,” Clement said.
Both federal anti-wiretapping legislation and a myriad of differing state laws prohibit intercepting communications from devices belonging to a non-consenting party.
For a brief period in 2014, it looked like federal prosecutors were turning their sights hard on the spyware industry. They charged a Pakistani, Hammad Akbar, who was arrested at the Los Angeles airport, with conspiring to sell a spyware app, StealthGenie, in the United States that allowed clients to surveil mobile devices.
Akbar pleaded guilty in November 2014. He received no jail time and paid a $500,000 fine before he was expelled from the country.
“Selling spyware is not just reprehensible, it’s a crime,” Assistant Attorney General Leslie R. Caldwell said upon Akbar’s indictment. Two months later, U.S. Attorney Dana J. Boente said the Justice Department would “prosecute not just users of apps like this, but the makers and marketers of such tools as well.”
But there have been no federal prosecutions since, despite calls from groups fighting domestic violence who say the apps often facilitate intimate partner violence by allowing abusers to track their victims through GPS. One in four U.S. women experience severe physical violence by an intimate partner at some point in their lives, according to a landmark 2010 report by the Centers for Disease Control and Prevention.
“Prosecutions involving violence against women are not a high priority for the Feds,” Southworth said.
Many of the marketers of spyware apps, wary of breaking the law, tout the apps as a way to keep tabs on the location of employees or children, not for dominating spouses.
But the industry of spyware, also sometimes called creepware, continues to bear the stigma that it is marketing to jealous men even while appealing to parents.
Implanting smart phones with one of the simpler surveillance apps requires unlocking the targeted phone, downloading the app and following simple instructions. For more advanced features, the phone’s security mechanism must also be disabled, a process that security researchers call “jailbreaking” the phone. For many people, it is not hard to discern the targeted phone’s log-on procedure.
“It’s not that difficult to shoulder-surf someone’s password,” Marquis-Boire said, referring to peeking over the shoulder at someone else’s log-on.
It can take just a few minutes to install spyware on most iPhones and Androids, and most of the apps are hidden and undetectable.
“In case the iOS device (phone or tablet) is jailbroken, you will need 5-15 minutes of physical access to the device for successful installation,” mSpy says on its website. “Once fully installed, mSpy will begin sending monitored data logs to your personal Control Panel.”
“There isn’t a whole lot of difference between the consumer product and the product that’s sold to law enforcement and to governments,” said Kevin Livelli, director of threat intelligence for Cylance, a cybersecurity company based in Irvine, California.
Some turmoil hit sectors of the industry earlier this year when hackers acting separately breached the networks of two spyware companies, FlexiSPY and Retina-X.
The hacks coincided with a series of reports on the spyware industry in Motherboard, the technology site of Vice Media. One of the hackers got in touch with Motherboard and explained the factors that motivated him to conduct the breach of Retina-X.
“Other than the creepiness of it, I was kind of offended by how little they protect all this data,” the hacker told Motherboard, referring to what he alleged was the vulnerability of servers that contained surveillance data.
“(P)arents and employers using this software need to know that it sucks up their children/employees’ private data (GPS logs, photos, SMS messages...) and stores it on pathetically insecure servers,” the hacker said.
In a blog post last month, FlexiSPY decried media portrayals of it as “a shadowy company enabling domestic violence being brought to justice by a noble cyber vigilante.”
“We are against domestic violence, stalking or any other nefarious use and the majority of our users subscribe for legitimate reasons,” the unsigned blog post says. A company spokesman did not immediately respond to an email.
Andrew Blaich, security researcher at Lookout, a San Francisco mobile security company, said the issue of how spyware app vendors guard the data siphoned off from tapped phones is significant. When their servers get breached, very intimate information spills out.
Those who buy and employ the spyware should consider, Blaich said, that “you end up compromising your target’s security in more ways than one. You’re not the only one who is able to see the data. People who are operating the servers can see the data.”
Clement, the Manhattan lawyer, said romantic partners are far from the only clients of the spyware. Workplace employees or those who live nearby may also be tempted to find answers to questions by planting the spyware in someone’s smart phone.
“Where’s the boss going? Where’s the pretty secretary or handsome assistant going? It could be the nosy neighbor. Wanna get really creepy? It could be a stranger,” Clement said.