Carol’s ex-husband is cyberstalking her.
He hacked her social media accounts and wrote false comments that alienated her friends and relatives. He posted her private photos on Facebook. He locked her out of her Gmail account by changing the recovery emails and phone number to his own — derailing her sales career by taking away her access to her business contacts.
She knows that he installed spyware either on her phone or on the kids’ phones, because she found the purchase of the mSpy app on their joint credit card statement.
“Carol” is not one specific woman, but rather an aggregate of typical cyberstalking victims that computer scientists at Cornell Tech are helping through a pilot program with NYU Tandon and the Mayor’s Office.
Researchers say the problem is widespread. Abusers use technology to track, intimidate and harm their former partners. In a recently released research paper about the project to protect people from cyberstalking, the scientists concealed victims’ names and details, because they are under constant threat.
About half of the domestic violence victims participating in the initial field study were found to have hacked devices. Out of 44 assisted, researchers discovered compromised accounts, exploitable misconfigurations and potential spyware in 23 cases.
Cornell Tech is piloting a cyber program with the Mayor’s Office to End Domestic & Gender-Based Violence (ENDGBV) and NYU Tandon in Brooklyn. Damon McCoy, assistant professor in the Department of Computer Science and Engineering at NYU Tandon, described the program to reporters at a Cybersecurity Media Roundtable held in Downtown Brooklyn in conjunction with Cyber Security Awareness Week.
Domestic violence clients are referred to the program by the city’s Family Justice Centers, which provide free assistance to victims and survivors of domestic violence.
“We run the tech clinic on a referral basis, rotating between the five boroughs,” McCoy said. The clients bring in their devices, “and we try to diagnose the sources of the tech abuse that they’re experiencing. Or sometimes there is no tech abuse, and we give them some assurances.”
“A lot of it is very low tech,” he said. If the perpetrator has access to the victim’s iCloud credential, for example, “Through that they can monitor locations, and sometimes they monitor messaging apps, Facebook, things like that.”
There are numerous technical complexities faced by abused intimate partners. A victim or her children may be using online accounts controlled by her former partner, or relying on passwords he either knows or could easily guess. He might be backing up her iPad to an iCloud or Google account to which he has access. He may have turned on location sharing in her settings, or installed child- or spouse-tracking apps, or apps that can remotely turn on the camera or mic.
The researchers developed a spyware scanning tool to diagnose the victims’ phones and computers, along with a methodology to map out who controls what devices. The complete diagnostic process takes around an hour.
If the tech experts find spyware on the devices, they help the clients delete it or work around it, and inform them about privacy settings and other crucial information. They also advise their clients to take photos or screenshots of any discovered spyware or device compromises — as evidence in a potential future court case.
“Several clients we met with have ongoing court cases in which they plan to use evidence discovered via our consultations,” they said in their report.
‘I think he has my email’
Often, a victim will tell the center that their abuser “constantly shows up where I am,” and they don’t know how the abuser got that information; or, “I think he has my email,” said Jennifer DeCarli, assistant commissioner for Family Justice Centers & Outreach with the Mayor’s Office to Combat Domestic and Gender-Based Violence.
While the advocates do sometimes find sophisticated spyware on the devices, more often they find compromised accounts. Changing an account might be complicated, however, especially if the abuser becomes aware of the change, DiCarli said.
“We have a real nuanced conversation so they can make informed choices about their safety,” she said.
She added, “Even when we don’t find anything, it’s so reassuring for survivors to know he’s not following them.”
Sarah St. Vincent, the Computer Security Clinic’s founding director, told the Eagle that the clinic has served 116 clients since November 2018 “from all walks of life.”
The clients are often “very distressed and afraid,” she said. “Often the abusive partner tells them, ‘I always know where you are.’”
St. Vincent says she has seen abusers misusing their child’s phone or tablet to spy on a survivor. “Google, iCloud accounts, spyware on the phone — there are all sorts of ways abusive partners can weaponized tech to perpetuate abuse.”
Policymakers and courts “need to come to grips with how common this is,” she said. “We need to put control back in the hands of survivors.”
A serious and sometimes deadly problem
In many cases digital attacks can lead to physical violence, even murder, according to the study.
“Unfortunately, victims currently have little recourse, relying on social workers or other professionals who report having insufficient computer security knowledge to aid victims,” the researchers wrote.
One in six women and one in 19 men in the U.S. have experienced stalking victimization during which they felt very fearful or believed someone close to them would be harmed, according to a 2011 survey. (The share of this representing cyberstalking has not been broken out.) Nationally, 54 percent of female homicide victims reported stalking to the police before they were killed by their intimate partner, according to ENDGBV.
Statistics released by the Rape, Abuse and Incest National Network in Washington, D.C., show there are 3.4 million stalking victims each year. Of those, one in four victims said they have experienced a form of cyberstalking.
The FBI describes perpetrators who obtain nude photos of women specifically to blackmail or harass them. Some seek out prey on dating websites for the express purpose of victimizing them.
“The technology isn’t designed to resist these types of attacks,” McCoy said. “From a security standpoint, I would recommend people not share their passwords. But we have to function in society.” Apps should be designed better to allow someone to give partners some access, but still remain in control, he said.
DiCarli said if anyone suspects they are being cyberstalked, they should walk into a Family Justice Center to be screened for services. Service is provided for everyone regardless of race, creed, gender, income or immigration status, and it’s free.