Apps make it easy for domestic abusers to spy
By Melanie Lefkowitz
Thousands of apps that allow domestic abusers to secretly spy on their partners are simple to install, difficult to detect, and marketed through a murky web of online advertising, blogs and videos explaining how to use them for illegal purposes, according to a study led by Cornell researchers.
The apps include not only traditional spyware but software intended for more benign uses, such as finding phones or keeping track of children – making it all but impossible to use existing anti-spyware tools to protect against them.
Some apps were actively marketed to abusers, including one with a webpage titled “Mobile Spy App for Personal Catch Cheating Spouses” and an image of a man gripping the arm of a woman with scratches on her face.
But even some apps not overtly aimed at abusers, whose official websites refer only to uses like employee or child tracking, were found to use advertising search terms such as “track my girlfriend” or “how to catch a cheating spouse with his cell phone.”
“Thousands of these apps are available in the open market,” said lead author Rahul Chatterjee, a doctoral student in computer science at Cornell Tech. “You can easily find them, and existing anti-spyware apps don’t detect them, so intimate partner violence victims have no way to know they’re being spied on.”
The researchers reported their findings to Google, which in response stopped allowing advertisements for abuse-related searches and tightened policies in its Play Store.
The study, “The Spyware Used in Intimate Partner Violence,” grew out of work at the New York City Mayor’s Office to Combat Domestic Violence, where a team of students and faculty from Cornell Tech, Cornell Computing and Information Science and New York University is helping the city combat domestic violence with the tools of tech. Their research was presented May 21 at the 39th IEEE Symposium on Security and Privacy.
Intimate-partner violence affects around a third of all women and a sixth of all men in the United States. Victims of domestic abuse increasingly report online surveillance, which allows abusers to monitor their locations, conversations and more – sometimes leading to violent or even fatal confrontations. They are often unaware of the tracking until they notice that their partners have information or are showing up in places they otherwise wouldn’t.
Because abusers may have access to their partners’ phones or passwords, installation of even the most invasive apps can be easy. Starting with search terms like “track my wife” or “read SMS from another phone,” the researchers found blogs, videos or chat forums offering step-by-step instructions of how to do it.
Neither Google nor Apple allow overt spyware to be sold through their platforms, but some spying apps are sold elsewhere. Others, the researchers believe, describe themselves as legitimate apps so they can be found through Google and Apple but are also marketing themselves to abusers for illegal purposes. For example, blogs – some of them hosted on the apps’ own domains – discuss how helpful that particular app can be for intimate spying.
To gauge the attitudes of a company toward these abuses, researchers contacted customer support at 11 of the apps they examined to ask, “If I use this app to track my husband will he know that I am tracking him? Thanks, Jessie.” Of the nine who replied, all but one responded with some version of “No, he shouldn’t notice.”
The study was co-authored by computer science doctoral student Sam Havron; Cornell Tech information science doctoral student Diana Freed; Karen Levy, assistant professor of information science and associate member of the faculty of the Law School; Nicola Dell, assistant professor at the Jacobs Technion-Cornell Institute at Cornell Tech; Thomas Ristenpart, associate professor of computer science at Cornell Tech; and colleagues at the Technion-Israel Institute of Technology, New York University and Hunter College.
The problem is so large in scope that combating it won’t be easy. The researchers recommend a multipronged effort including greater vigilance from internet companies to ensure rules are followed, new solutions for how mobile operating systems notify users that their phones are being monitored, increased policing by the Federal Trade Commission and other government agencies, and improved anti-spying software.
Chatterjee said the Cornell and NYU team is working to create a better spyware-detection tool, but more intervention is needed.
“It’s not only technology that can solve this problem,” Chatterjee said. “We need people from social sciences; we need people from law. We want to reach out to many more people to let them know we are doing this work.”
The research was supported in part by grants from the National Science Foundation and gifts from Comcast, Google and Microsoft.