Content warning: This piece contains brief descriptions
of domestic violence and assault against women and children.
In the past five years, only two stalkerware developers, both of whom designed, marketed, and sold tools favored by domestic abusers to pry into victims’ private lives, have faced federal consequences for their actions. Following a guilty plea in court, one was ordered to pay $500,000, and his app was subsequently shut down. The other was ordered to change his apps if he wanted to keep selling them.
The dearth of meaningful legal enforcement against
stalkerware makers extends to another realm—stalkerware users. Those who
install stalkerware with the intent to monitor, control, harass, or otherwise
abuse their victims typically get away with it, avoiding legal penalty even if
there’s plenty of evidence to suggest their guilt.
To blame is a frustrating yet human struggle that includes
low awareness, police mistrust, limited law enforcement resources, scant data,
furtive advertising schemes, and a criminal justice system that must rely on
currently-available statutes—some decades old—to bring charges against alleged
criminals who utilize a modern, evolving cyberthreat.
This is stalkerware’s legal enforcement problem. The
invasive cyberthreat can be installed on unsuspecting users’ mobile devices to
gain access to their text messages, emails, call logs, browser activity, GPS
location, and even their microphone and camera. It is entangled deeply in cases
of stalking, harassment, and assault—then muddied by its relationship with
cybercrime and technology abuse, two little-understood and vastly under-resourced
areas of criminal justice.
Erica Olsen, director of the Safety Net program at the
National Network to End Domestic Violence (NNEDV), summed up the difficulties.
“There’s generally a lack of motivation on this issue and a
consistent minimization of this type of abuse,” Olsen said. “That’s complicated
further when the numbers on this type of abuse are hard to track, since many
people are going the route of a factory reset or a new device, and because
police either don’t have access to the forensic software to test, are unwilling
to use it in these cases, or survivors don’t want to.”
She continued: “That can make it seem like this isn’t
happening as much as it is.”
Large problem, limited action
In October, the US Federal Trade Commission (FTC) became the
latest government body to launch a new front against stalkerware.
Following an investigation into the company Retina-X Studios and its owner, James N. Johns Jr., the FTC said it found multiple violations of the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act, which prohibits businesses from deceiving their customers. The FTC’s consent agreement told a story of broken data security promises, repeated data breaches, user privacy invasions, and compromised device security.
Per the agreement with the FTC, Retina-X and Johns Jr. can
no longer develop, promote, or advertise their apps—PhoneSheriff, MobileSpy,
and TeenSafe—unless significant changes are made to the apps’ designs and
functionalities. The same restrictions apply to any stalkerware-type app that
the company and its founder work on in the future. Because of limitations of
the FTC Act, the FTC could not issue a fine to Retina-X and Johns Jr. on their
At the time of the settlement agreement, Electronic Frontier Foundation Cybersecurity Director Eva Galperin, a staunch advocate against stalkerware, told Business Insider: “I’ll take what I can get.”
The problem, Galperin said, is that the FTC’s settlement only
precluded Retina-X and Johns Jr. from working on stalkerware apps that were not
for “legitimate” purposes—an inherently flawed premise.
“There are simply no legitimate purposes for secret stalking apps,” Galperin wrote together with EFF Associate Director of Research Gennie Gebhart.
The FTC’s settlement represented a change in enforcement,
though—it was the first federal action against a stalkerware maker in five
In 2014, the FBI indicted a man who allegedly conspired to sell and advertise the stalkerware app StealthGenie, which could, without a user’s consent, monitor their text messages and phone calls, and peer into their online browsing behavior. The man, who was then 31 years old, pleaded guilty to the charges and received a $500,000 fine. A US District Judge later permanently shut down StealthGenie’s operations.
When Malwarebytes reached out to the FBI to better
understand how it is tracking stalkerware, a spokesperson said that the
bureau’s Internet Crime Complaint Center, which receives complaints about
app-related crimes, has not received many complaints about stalkerware itself.
The spokesperson said that stalkerware could be part of complaints being made
in other categories, though, like personal data breach or malware-related
Though five years apart, the actions by the FBI and the FTC
bear a striking similarity. The allegations against the two stalkerware
developers dealt with the economics of stalkerware—selling, marketing,
Upon the FBI’s successful prosecution of StealthGenie’s owner, then-Assistant Attorney General Leslie Caldwell affirmed this focus:
“Make no mistake: Selling spyware is a federal crime, and
the Criminal Division will make a federal case out of it.”
But sometimes, the federal crime of selling stalkerware is
not enough to catch everyone who makes it, said NNEDV’s Olsen.
“If you look at the language and discussion of the StealthGenie app conviction, it was all about the marketing and the product that they were selling,” Olsen said. Unfortunately, countless stalkerware developers have changed their marketing tactics to position their products as more “family-focused” parental monitoring apps, but with the exact same, non-consensual spying capabilities. These slapdash marketing changes make it difficult for government agencies to actually catch and stop stalkerware developers, Olsen said.
“That change in their marketing makes it harder to hold them
accountable because they can claim they are not responsible for people misusing
or manipulating their product, but that their product is not meant to be used
for illegal activity,” Olsen said.
What to do, then, if developers have faced few consequences,
and an easy escape route—retooled advertising—is readily available? Easy, Olsen
said. Go after the criminal users.
“If they can’t go after them for that,” Olsen said, “then
the accountability has to be on the person who knowingly misused it for a
Stalkerware’s illegal uses
The legal effort to stop stalkerware users is an uphill battle. Much of that is because stalkerware
itself, and the ownership of it, is not a crime.
Instead, it is how stalkerware is used that could
violate various state and federal laws. Unfortunately, many of its use cases
are grim, tied often into cases of domestic violence, sexual harassment, and
Danielle Citron, professor of law at Boston University School of Law, wrote about stalkerware-leveraged domestic violence in her 2015 paper “Spying Inc.”
“A woman fled her abuser who was living in Kansas. Because
her abuser had installed a cyber stalking app on her phone, her abuser knew
that she had moved to Elgin, Illinois. He tracked her to a shelter and then a
friend’s home where he assaulted her and tried to strangle her. In another
case, a woman tried to escape her abusive husband, but because he had installed
a stalking app on her phone, he was able to track down her and her children.
The man murdered his two children. In 2013, a California man, using a spyware
app, tracked a woman to her friend’s house and assaulted her.”
When stalkerware isn’t directly tied to violence, it can still be used in several ways that break multiple federal and state laws.
For example, a domestic abuser in California who uses stalkerware to record their partner’s phone calls without their knowledge could be violating California Penal Code 632(a), which forbids recording a phone conversation without all parties consenting, along with the federal Wiretap Act. A domestic abuser in New York who uses stalkerware to track a survivor’s movements through GPS tracking could be in violation of New York state’s “Jackie’s Law.” And a domestic abuser who jailbreaks someone’s phone to install stalkerware onto the device could be in violation of the federal Computer Fraud and Abuse Act, a broad law that WhatsApp has claimed was violated by the Israeli spyware maker NSO Group.
Quite obviously, though, stalkerware use is most often bundled
into complaints of stalking, cyberstalking, and online harassment—statutes that
cover a gamut of illegal behavior including intimidation, harassment, and
bullying that happen in real life or online.
But even when the US government receives cases that outline these crimes, the actual, successful prosecution against the alleged criminals is rare, according to data obtained by ThinkProgress.
In 2017, ThinkProgress reported that the US Department of
Justice frequently failed to prosecute cyberstalking and online harassment
cases from 2012 to 2016. During that time period, US Attorneys’ offices
prosecuted 321 cases of online harassment and stalking, which included 41 cases
for cyberstalking. Of those 41 cases, 21 resulted in convictions.
The numbers betray the reported volume of cyberstalking that
was happening at the time.
According to 2016 data from the Data & Society Research Institute and the Center for Innovative Public Health Research, an astonishing 8 percent of all US Internet users had been cyberstalked at some time in their lives. Further, 14 percent of Internet users under the age of 30 reported they’d been cyberstalked, which included 20 percent of women under 30.
ThinkProgress wrote that the data it collected is not
ironclad. The data represented cases in which cyberstalking or online
harassment were the first charge listed in an indictment. Also, because of how
the federal statute on cyberstalking is written, the prosecutions include cases
in which stalking happened through more physical means, like through a phone or
through the mail.
Still, when ThinkProgress showed its data to Citron, she
remarked: “That’s pathetic.”
Mary Anne Franks, professor of law at the University of
Miami School of Law and vice-president of the Cyber Civil Rights Initiative,
echoed Citron’s statements.
“Anecdotally, we’ve definitely heard that law enforcement
generally, and the FBI in particular, is not interested in the vast majority of
cases,” Franks told the outlet.
The FBI, however, only investigates crimes with a federal
nexus, and quite often, the potential crimes committed in tandem with the use
of stalkerware break state laws, which are to be investigated by local police.
There, different obstacles arise.
As we’ve seen, the federal response to stalkerware—and to
cyberstalking and online harassment—is limited. Researchers claim that US
Attorneys are uninterested in prosecuting charges of cyberstalking and online
harassment, and federal agencies, like the FBI and FTC, have jurisdictional
limits to their investigations.
But what about at the state level, where victims can work
with local police, who in turn can obtain evidence of illegal behavior, and
then recommend charges and prosecution to a county’s District Attorney office?
When looking at how local law enforcement agencies respond
to crimes in which stalkerware could play a role, human struggles emerge, said
Maureen Curtis, vice president for the criminal justice and court programs for
Operation Safe Horizon. Some of those struggles include: both victim and local
law enforcement not understanding how stalkerware could be used in stalking
situations, difficulty in collecting strong evidence of cyberstalking, and fear
that contacting the police will make the situation worse.
Curtis has worked with the New York Police Department to
train countless officers on domestic violence victim safety, offender
accountability, housing options, and the criminal justice response to domestic
violence. She said that her office has seen a shift in stalking behavior, from a
previously physical crime to one today that includes text messages, GPS
tracking, and calls made from spoofed phone numbers.
It is, she said, much more “invisible,” which makes it much
harder to track and much harder to find evidence on.
“When I think about domestic violence and sexual assault and the way the criminal justice
responds, there are still crimes where the onus is on the victim to show
they’re a victim—definitely with stalking,” Curtis said. “It can be very
difficult, particularly now, when it’s more hidden and survivors don’t have the
understanding of it—it leads to them not having the evidence they feel they
But even when evidence is recorded, Curtis said, the
reporting of this type of behavior depends on a tenuous relationship between
domestic violence survivors and the police who patrol their communities.
“Some survivors don’t want criminal prosecution—they want
the [violence] to stop, and they might think that contacting the police will
escalate [the situation],” Curtis said. She said that many survivors also have
to consider the consequences of having their abuser arrested or sent to prison.
“If the [abuser] is an immigrant, they could be deported. If
they’re working, they could lose their job,” Curtis said. She said the concerns
pile up for communities of color, too. “Here in New York City, if I’m a woman
of color, I may be afraid of calling the police because I’m afraid what might
happen to my partner. Or I fear that, if I have children, and I call the
police, they may call the child welfare authority and now I have another system
involved in my life.”
Unfortunately, the frustrations can continue when a survivor
decides to work with law enforcement to attempt to bring charges against an
individual, Curtis said, because police can recommend charges be made, but
they’re not the ones to actually prosecute. That job falls to local district
“The police can get frustrated because, even if they write
someone up, the district attorney may not feel there’s enough evidence, so the
police get declined prosecution, which frustrates the police department,”
Curtis said. “It’s a vicious cycle.”
What to do?
In 2015, then-Democratic Senator Al Franken reintroduced a
federal bill to ban the development, use, and sale of GPS-stalking apps,
creating a potential legislative solution to both the creation and use
of some types of stalkerware.
At the time, Sen. Franken stressed the bewildering fact that
many of the apps that enabled illegal activity were, themselves, not illegal.
“[The legislation] will help a whole range of people affected by cyberstalking, including survivors of domestic violence, and it would finally outlaw unconscionable—but perfectly legal—smartphone apps that allow abusers to secretly track their victims,” Sen. Franken said.
Introduced in the Senate, the bill was referred to the
Judiciary Committee, where it stalled.
When asked if federal legislation was the right path forward
to solving the many issues in catching stalkerware abusers, cyberstalkers, and
online harassers, Curtis said that new laws might help, but she had separate
advice: Get the industry to do its part.
Years ago, Curtis’ office had an arrangement with Verizon,
she said, in which Operation Safe Horizon could work with the phone provider to
get a domestic abuse survivor’s phone number changed, free of charge. She also
pointed to a free event at the New York City Family Justice Center, happening
this year, in which Cornell University researchers are offering a “digital
privacy check-up,” which includes a scan for “spyware.”
She said cybersecurity vendors could learn from that.
“I would imagine that, if there’s a way of putting malware onto a device, the people who really understand the tech can find it and get rid of it,” Curtis said.
She stressed that any company that wants to help must
remember to provide its services for free, as many domestic violence survivors
suffer from limited resources. The best part about companies getting involved,
Curtis said, is that it provides an entirely new, separate avenue for relief:
“It will work whether you want to involve the criminal
justice system or not.”