Canadian laws are failing to protect the victims of cellphone “stalkerware,” researchers say, allowing abusers to easily repurpose supposed child protection and employee monitoring technology as weapons of intimate partner violence.

A pair of new reports from the University of Toronto’s Citizen Lab, published Wednesday, investigate the digital ecosystem and legal gaps in which stalkerware thrives. These powerful surveillance tools allow users to track another person’s GPS location, call logs, text and chat messages, web traffic, social media posts, and more; some even enable keystroke logging and can activate microphones or cameras.

“In theory, we found that there are laws in place to protect the victims of stalkerware,” says Cynthia Khoo, a research fellow at the Citizen Lab.

Yet while statistics show that technology-enabled surveillance of intimate partners is widespread, the researchers could find few cases in which either the users or the makers of stalkerware were legally held to account.

“The reason that it’s not more well known, that there aren’t more remedies for victims, is the lack of knowledge and awareness and resources and training among different actors throughout the justice system, ” Khoo said.

Read more:

Companies should get ‘meaningful consent’ for user data, privacy watchdog says

What you should know about the ‘Stingray’ surveillance device used by police

Toronto police have been using facial recognition technology for more than a year

A 2012 survey of Canadian anti-violence support workers found that 98 per cent of perpetrators used technology to intimidate or threaten their victims, more than two-thirds hacked into victims’ email and social media, and nearly a third installed computer-monitoring software or hardware. In the U.S., the National Network to End Domestic Violence found that 54 per cent of abusers tracked victims’ cellphones with stalkerware.

“The laws haven’t really caught up with the technology,” says Nadine Casemore of the women’s multi-service agency Sistering; Casemore has worked with survivors of intimate partner violence. “This is becoming a weapon, when it comes to intimate partner violence and gender-based violence.”

What the reports call “stalkerware” is usually primarily marketed as a tool for people who want to monitor the cellphone activity of children or employees. Many users download the apps for these legitimate, legal purposes.

But the apps can easily be repurposed by users to surveil, control, or terrorize current or former intimate partners, the researchers found — and are sometimes openly or clandestinely advertised for monitoring intimate partners without consent.

“Catch cheating spouse — it’s time to start spying,” advertises one. Among other features, the software developer advertises that its app is undetectable and can listen to and record the target phone’s surroundings in real-time.

Another app identified by the reports as stalkerware only visibly advertises itself as a parental control tool. But the researchers found that its website had concealed source code that referenced spying on spouses, cheating and fidelity. The text was tagged “SEO,” or search engine optimization, which is the term for techniques meant to place a website higher up in search results.

The researchers found that these apps re-victimize abuse survivors by failing to clarify how they can delete their data when they did not meaningfully consent to its collection in the first place. Many have insecure software update systems that leave phones vulnerable to intrusions, and have failed to adopt policies to notify the targets of stalkerware in the case of data breaches — something that has happened repeatedly, the researchers noted.

Canada’s data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), stipulates that businesses need to obtain meaningful and ongoing consent when they collect personal information, and must give users the right to access and delete their own data. Stalkerware developers fail to meet these obligations.

“Given our findings, we find it deeply concerning that these companies operate in Canada in their present capacity, and we argue that their present operations would likely require significant modification for the businesses to operate legally,” the Citizen Lab authors write.

But unlike more robust European privacy laws, Canada’s privacy commissioner can investigate and issue recommendations under PIPEDA, but cannot compel changes without a federal court order. The researchers recommend that the Government of Canada update the privacy commissioner’s enforcement toolkit, including adding the ability to extract fines.

The reports were funded by a grant from a program at the Office of the Privacy Commissioner of Canada that supports independent privacy research.

The analysis also found that buying spyware primarily useful for secretly intercepting private communications is likely a criminal offence; many other facets of stalkerware use, creation, and sale violate Canadian criminal, civil, privacy, and regulatory laws. But there is a gap between what the law says and “what legal remedies are readily available to victims in practice”; police, lawyers, judges, and front-line workers should be better educated on stalkerware and the law, the authors say.

Loading... Loading... Loading... Loading... Loading... Loading...

The researchers also point out that there is no technological fix for the corrosive and violent effects of patriarchal gender inequalities, which give rise to stalkerware in the first place. But it is another reason to try to remedy gender and other diversity imbalances in the technology sector.

“It’s people who are most likely to be impacted who are not necessarily creating and developing the apps, but who would be the ones most likely to raise that sound of alarm early on in the design process and say, ‘Hey, maybe people won’t only use this to monitor their children in completely legal, ethical and consensual ways,’” says Khoo.

Note — June 12, 2019: An earlier version of this article posed a question to readers. It has been removed.