Report: Stalkerware apps not held accountable for infringing privacy rights


Stalkerware—spyware applications installed on devices to surveil children, employees, and partners—has become the latest tool used by abusers to exert power and control over targeted individuals.

Numerous reports have previously explored in great depth the scope and pervasiveness of spyware and the abuse these apps have facilitated since they emerged over two decades ago.

Now, for the first time, the University of Toronto’s Citizen Lab has published a massive interdisciplinary report that highlights how little accountability stalkerware companies and users face in Canada.

After assessing the industry, the report concludes, somewhat unsurprisingly, that “the creation, use, and sale of spyware apps that enable covert surveillance of mobile devices can potentially violate numerous criminal, civil, privacy, and regulatory laws in Canada.”

The 360+ page report concludes that creators and users of stalkerware should be held liable for the harm inflicted upon targeted individuals.

We’ve summarized some of the report’s findings, although we highly recommend you also read both parts of the report here.

1. The industry markets itself explicitly to users wanting to track and surveil spouses

Companies in the stalkerware industry are not naïve about how their customers want to use their products. The report found that companies are “actively promoting their software for the purposes of facilitating stalking and, by extension, intimate partner violence, abuse, and harassment.”

Numerous stalkerware blog posts and other texts refer to “spousal monitoring.” One company even brags that its software “is a great way to learn more about the target person.”

Stalkerware companies know their software is used to surveil individuals without their permission or knowledge, and will explicitly market their products as such.

2. Insecure stalkerware further endangers targeted individuals

Stalkerware apps have a history of being hacked, although thankfully, often with the intention of wiping the apps’ collected data completely. Nevertheless, these hacks highlight the poor information security these companies practice.

As the authors of the report wrote:

“In the best case of these events, breaches have resulted in hackers deleting collected data in an effort to erase data which may have been illicitly or inappropriately collected about targeted persons.” 

“In the worst cases, organizational security failures have resulted in huge volumes of sensitive data being accessible on the public Internet.”

Exacerbating an already-terrible situation

It’s horrid enough that software is available to people who want to stalk, hack, and surveil others. But worse are the shoddy security measures of its makers, which create the additional risk of targeted individuals having their private information published online.

The abusers, on the other hand, would face minimal backlash—after all, it’s not their information that’s on the line.

Antivirus and Google Play Protect can detect stalkerware

The report did have some good news—many antivirus products identified stalkerware apps as malicious. Google Play Protect was able to “block stalkerware installation and remove installed stalkerware.”

3. Companies failed to obtain meaningful and ongoing consent from targeted individuals

Authors of the report found “significant and disturbing failures by the companies in this study to obtain meaningful and ongoing consent … [that] seriously increase the risks and threats faced by those who operators target with stalkerware.”

This seems obvious on the surface. Stalkerware companies rely on hiding their product from the targeted individuals’ view, so it would be counterintuitive to ask for explicit consent.

It appears that most stalkerware companies are concerned only with the rights of and guarantees to their customers, without any consideration of how their app affects the privacy of the targeted individuals.

Current legislation has “limited bite”

While some stalkerware companies state in their public policies that customers are responsible for obtaining consent from their targets, “at no point did companies require positive and affirmative consent—on an ongoing basis—of the actual persons targeted by the surveillance.”

Spyware peddlers rarely face repercussions for their actions because Canadian law has what the paper describes as a “limited bite.” The report also recommends the introduction of more effective and enforceable remedies and deterrents that rein in the intrusive nature of surveillance apps.

What change does the report hope to bring?

Edward Snowden once said that “privacy is what gives you the ability to share with the world who you are on your own terms.” To a large extent, this paper aims to redress the balance between the surveiller and the surveilled and recommends effective legislation so that survivors of this abuse can reclaim their right to privacy.

Read the full report.

Ceinwen focused on digital privacy, censorship, and surveillance, and has interviewed leading figures in tech.