 I'm ready to intro. OK, excellent. Hi there. My name is Eva Galperin, and I will be hosting your panel for this afternoon. I just wanted to give you a pretty good idea of who it is that we're going to be talking to. We're going to be talking to Tara Hariston, who works at Kaspersky and is sort of fundamental to keeping the coalition against stalker wear together. She is basically the glue and the organization, and I cannot thank her enough for existing. We are also going to talk to Harlow Holmes from the Freedom of the Press Foundation. Harlow does a lot of work with victims of stalker wear and is going to talk to us a little bit about what it's like to sort of work with the people on the ground. And finally, we're going to talk to David Rees from Malware Bites, and he's going to talk to us a little bit about sort of what is stalker wear and what we're doing about it and how it's being detected and how the sort of treatment of stalker wear has changed over the last couple of years. All right, so let's go ahead and get started. I wanted to go ahead and start by asking some questions of David. So David, thank you so much for coming. Thank you. Thanks for having me. So do you want to begin with telling us what is stalker wear and how does it work? Yeah, yeah, it's a broad question, super simple answer. And honestly, I think it's really interesting because it's something that I didn't know about five years ago, four years ago. The really basic answer here, stalker wear is typically a mobile application, not always, but typically, very often, these are mobile apps that are put onto people's devices without their consent that allows for them to be spied on. They are privacy invasion enablers. They're digital tools to look into someone's life, again, that very frequently, you do not have the consent to do. So on a person's device, stalker wear can pry into your emails. It can look into your text messages, your SMS messages. Stalker wear can reveal your GPS location as it's happening. By the minute, it can also reveal GPS location history. So that can reveal patterns, routines of what you do. That can reveal your workplace that you go to every day. That can reveal where you live, obviously. That can reveal the people you visit, the people who are important to you, who you visit once a week. Let's say you visit your parents, your grandparents. It also, frequently, stalker wear can pull into someone's photos, their videos. It can pull deleted photos, which is exactly what it sounds like. If you have a phone and you say, OK, let me get rid of these photos, it can actually pull from those photos that you believed were deleted, that your phone told you were deleted. And it can pull them for someone else to look at. Again, these are all things that, I think, on their own are startling, are quite scary. Put together, again, they become these tools that can enable such severe degrees of privacy invasion. Kind of briefly as well, they let someone else take photos with your device without you knowing. They also sometimes allow live streaming. So as an example, if I had stalker wear on my device and someone was viewing it, right now they would see me through my front camera. It can live stream, which is as horrifying as it sounds. We've tested these things. I've used them on test devices specifically for writing research. They work exactly as it sounds to a terrifying degree. So that's what stalker wear is kind of in a nutshell. It is something that, slow and behold, lets someone stalk someone. From the perspective of a person who's installing stalker wear on somebody else's phone, what does this process look like? Like, where do you go? How much does it cost? What does it look like when you are looking at all of somebody else's information? Yeah, yeah. It's a fantastic question. And the broad answer is it's really, really, really easy. It's like disconcertingly easy to get this stuff, to download it. It's disconcertingly easy to install it onto someone's device. So the way it works, right? If you did a Google search for something that we advise you don't do, if you did a Google search and let's say you're just a piece of shit and you want to spy on someone and they don't deserve to be spied on, no one does. And you're like, how do I spy on my partner? How do I spy on my wife? How do I look at my wife's text messages? You will find results. You will find results and you will find tools online that don't just answer that one question, right? How do I look at someone's text messages without their consent? It's how do I look at someone's text messages without their consent and then also their GPS location and then also their photos, their videos. They are suites. They are entire suites of software that provide their suites of accessibility. And I've done it before myself, right? Again, to do this research to see how easy is it? Is it as easy as one assumes? And all you really need is physical access to a device for about five minutes as wild as that sounds. And I know if you're saying right now, oh, five minutes, I mean, we're so attached to our phones right now. When's the last time I'm away from my phone for five minutes? Every day, believe it or not, every single day, you actually are away from your phone for five minutes. To interject, I've done it in less than a minute. There you go, right? It doesn't even need to be like, oh, I'm in the shower. I'm in the bathroom. I'm doing a load of laundry. I'm folding my laundry in another room. I'm checking my email in another room and I don't have my phone on me. It is shockingly easy to do. It does not require a high technical knowledge. It is really as simple as drag and drop sometimes, and then opening the phone up and pressing the app button. Also, these apps often can hide themselves from view. So once you've run that tool on someone's device, it's hidden. It goes away. Sometimes it hides as a different type of app, as a system update, as a calculator, as something banal. Sometimes it's just not there at all. And there's no way you're going to find something like that. It is not there. Visually, it is not there. So very easy. So how widespread is the stalkerware problem? And what indicators can we use in order to make a guess at this? Yeah, it's something that we in the cybersecurity community have struggled with because you want to get a good view of what is happening out there. How widespread is this? Like you said, what is the scope? And we have to do some rough estimation here. We have to do some back of the envelope math. This isn't precise stuff. But luckily, many of the companies within the coalition against stalkerware, Spurski is one, Malorbytes is one. We have many other partners. They have began releasing numbers on either the number of users affected in a given year, the number of detections they make. So the way that works at Malorbytes is if we find an app or if we prevent an app from getting installed, that counts as a detection. Avira, Avast, they're putting out numbers like that. Basically for 2020, so for the past calendar year, I looked at our numbers at Spurski's numbers and at Avast's numbers. And everyone had collected at minimum 40 to 50,000 of these detections or number of users who were affected. Again, things aren't perfect here. You can't say, OK, well, it's just 50,000 plus 50,000 plus 50,000 equals 150,000. There might be instances where people have both of our apps. And so that's one case, but it's producing a double result. That also probably doesn't happen that often, but you can't discount it. But more than anything, what is most important is that even if we have that number, even if we just look at Malorbytes, our number was like 52,000 last year, that's the people who have Malorbytes. For Spurski, I think it's also around 53,000, 54,000. That's people who have Spurski. There are many people who do not have our tools. There are many, many, many, many people who do not have our tools on their devices. There are many people who don't have Malorbytes because Malorbytes maybe isn't even supported in that country. It's not even just a fact of, oh, they're not keen on cybersecurity. It's where are we available? And so if you look at something like 150,000, that kind of rough, again, very rough estimate back of the envelope math, not perfect, that's already a ton in my mind because of think of all the things that we're missing. And it's also a ton because even if that number was a 10th, even if you came to me and you said, we have the perfect data, doesn't exist, but we have the perfect data, let's say only 15,000 people a year globally are affected by this, think of the severity of the harm. I don't care if it's only 15,000. I don't care if it's only 150,000. These tools can and have been used. There is documented use that this intersects with domestic abuse, with domestic violence. The harm here is physical violence. We've seen this before. So again, if you're curious like, oh, is 150,000, is that that many people? Yes, yes it is. Drastically so. The privacy invasions here are not just theoretical. They are not just privacy invasions. These are privacy invasions which do and have led to physical violence. It is an extremely severe problem. So the last year, year and a half, we've all been dealing with COVID-19 and lockdown. Can you talk a little bit about how COVID-19 and lockdown have affected the use of Stockerwood? Yeah, the bad news is it made it worse. Like, what a terrible headline to come away from it, right? Everyone's going through a pandemic. And somehow the use of Stockerwood also increased. We saw this kind of across the board with several companies. So at Mauribytes, we detected an increase from January of 2020 before lockdowns really started taking effect to June of 2020. We saw something crazy. Like, we saw this insane up ramp of like 500 or 800% to be perfectly honest with you. Those numbers are insane. I think they're crazy. I want to couch them and be like, let's not say that it's a perfect thing. But I do want to communicate that it's still happening, right? Like, it didn't go away. And luckily, we're also supported by the fact Avast put out numbers. And they showed that in the first four months of like when lockdown really started happening across the globe. So March through, I believe, July. Comparing March through July to January and February, again, before lockdown procedures really started to take hold in every single country, they had a 51% increase across the globe. And I believe like an 80% increase in just the UK. 50%, 80%. Our numbers are very, very high. But they're supported by the fact that there was an increase. There was an increase. And I remember thinking to myself, perhaps quite naively, why is this happening? Like, what's going on? Isn't lockdown a, if you're locked down, can't you see what someone's doing? Even if you are an abusive individual, can you not see? Like, what is this thing doing that is sort of like checking a box of abuse for someone? And I was thinking it too narrowly, right? I have to also consider, and thankfully, right? This is part of what the coalition does. There are smarter people than just myself. Smart people who work with victims, who worked with survivors every day who understand these things. I have to consider that there are situations where a survivor lives separate from their abuser. And something like lockdown, which says you can to visit someone in their home, that drives already a violent and abusive person into an even greater loss of control, right? It's, they're more irrational. And again, I always worry about saying these things like explaining an abuser's mindset because that doesn't excuse it, right? I have to be very clear here. Being separated from someone doesn't, it doesn't suddenly make it make sense that you want to stalk them, that you want to spy on them. No, these are bad behaviors. In many situations, these are crimes. But even if they weren't crimes, they are bad behaviors. These are not normal outcomes. So again, I had to think about that. What's happening out there? What is driving the increase? And there are, again, it kind of comes back to the fact that every use of stalkerware, every domestic abuse situation is nuanced. That's why there isn't a one-size-fits-all solution to this problem that we're gonna talk about more in depth today. And unfortunately, in the pandemic, all of those nuances led to increased use. All right, so that's terrible news. Yes, it is. On that extremely unhappy note, Ms. Harlow, I'd like to spend a little bit of time talking about what life is like for the people who are working directly with survivors of domestic abuse and what the situation looks like on the ground. Harlow, could you talk to us a little bit about the work that you're doing and the kind of abuse that you are seeing in kind of your typical situation? Okay, yes. First and foremost, thank you very much for inviting me. And before I do get into that, I wanted to comment on what you just said, David, which I thought was pretty interesting, very, very intriguing, which is even if you are locked down, you can't see what someone is doing. And I think behaviors like that, where you mentioned that these are dangerous and sick and cruel behaviors, even taking place during lockdown kind of points to the irrationality of your typical abuser, where that person can be in, as Eva mentioned, they can be in the laundry room, they can be 10 steps away from you, they can be in the same bed as you, and they just wanna know what you're looking at on your phone. And so like, I mean, it's still the same behaviors and it gets exacerbated under the stress, I think, but I'm not a psychologist at all. I would like to give a little bit of a shout out to Dragana Curran, who is an amazing writer and researcher who wrote a very, very excellent piece called Sharing Spaces with Men during the COVID-19 pandemic, where she takes a global look at these effects of women feeling compelled to give men that they are locked down with access to their bodies, access to their time, access to their emotional space. But that said, I would like to preface that as I'm sitting on this panel because I have an amount of experience that is not at all the same as my co-panelists and it actually becomes a security route. I work in digital security, I'm the director of digital security at Freedom of the Press Foundation. And before coming to this particular role, I started to learn about these technologies and the capabilities and how they can be abused coming from like the human rights defense space. And that learning how stalkerware, malware, abuses of like all sorts of other characteristics of a mobile device that I'm about to talk about work put me in a position where friends or family members or even friends of friends of mine who knew that I was the person who knew about these things would reach out to me like after hours in order to have advice. So we do not at Freedom of the Press Foundation officially have at all any kind of incident response or program that addresses domestic or intimate partner violence. However, I always did find it fascinating that not only from a technological perspective about how these systems of surveillance work but also from a level on how to interact with people who go through this particular type of trauma. So... Miss Allen? Yes. Would you characterize this as like a problem that is strictly men spying on women or do you see something different? It can be different. It actually can be different. The difference actually does often have to do with positions of power, ultimately positions like seeking out positions of control and getting a particular amount of satisfaction at exercising whatever power you have over the person that you are trying to oppress. And once again, I do not come from like a psychological background and I would not want to mischaracterize my ability to address those types of trauma. But that is definitely something that I had learned in the more personal interventions that I've had to do on behalf of friends and family and friends of friends, et cetera, with certain types of incidents that I see working as a digital security professional, working with journalists who have also been subjected to certain amounts of like spyware or suspicion of spyware, physical and digital surveillance and helping them un-node and understand exactly like what the capabilities are, how that may or may not have affected them in the long run and how to empower them in order to take steps to make changes. And so that has been a very, very interesting like interplay between what I had seen personally and what I can provide when I'm working with someone who comes from that same place of trauma but from like the journalist space. All right, if I can interject for a moment, I've actually seen a really interesting dynamic where so frequently I am approached by survivors of abuse and I'm approached by people who have experienced physical abuse from their abusers. And I would say probably about two thirds of the time it is women, but about a third of the time it's men. But a really interesting dynamic that I have seen is that occasionally the survivors of abuse are trying to take control back by spying on their abusers and they ask me, how do I spy on this person? This person is cheating on me, this person is beating me, this person is lying to me. They're a bad person. I need to go and get proof that they're bad by spying on what they're doing on their phone. And what I tell them is essentially you cannot fight back against an abuser by becoming an abuser yourself. And that is a dynamic that worries me very much. Like you already know this person is abusive, please let me help you get out. Getting out is much more important than sort of trying to regain control because trying to regain control or getting the sort of upper hand in the relationship is just continuing the cycle. Yes, it puts you in a pattern. It definitely does, yeah. So can you talk about sort of generally or even specifically about the kind of cases that have come to you? Yeah, so I have rarely myself seen instances of the type of spyware that David and Tara are going to talk about. However, what I see mostly, what they think is unique, is a lot of like misconfigurations that make it more, make a stalker, an abuser more successful, such as, let's say user-generated content, which will on an Instagram post show exactly where it is that you are, that leads to like physical stalking or having the configurations on whatever social media platform that you use that displays your latitude and longitude automatically and not necessarily knowing that there are options to pare that down and turn it off. A lot of abuse does or surveillance can come from like the morass of like shared family plans. So like, someone can get a huge amount of your telephone data if they are on this, if they control the plans that all of your phone lines are on and can like audit that. And also things like shared iCloud accounts forgetting that you've allowed certain people to like find you by your phone and you have that capability still turned on on the phone. Yeah, there are... So yeah, what's that? Do you see a telephone? Yes, definitely. In cases, actually I do very vividly remember an incident when someone, when they were breaking up with their partner, did not remember that they had shared their passwords because that was like the contract that they had had in the beginning when things were better. And then as things became more dangerous, more abusive, forgetting that this person could still access their email account because they had a shared account where they had like a certain password and that password was reused on this other email account. Those are things that I have seen most of the time. So that's just like one example. So what do you usually recommend to people when they come to you and they say, I think my device has been compromised or I think my account has been compromised or like I have no idea what to do and I don't understand what's wrong. What is the order in which you look for compromises and then what kind of advice do you give to people? So there is definitely like that type of due diligence that you should do to look for like weird profiles on the phone, depending on your operating system. Like is someone or has someone installed something that perhaps if you can't see it but you do notice that like from a network perspective you should not be connecting to the internet via this particular route. Or that you have like certain like safeguards on your phone that make it possible for people to have installed something on your phone behind your back. So on Android, for instance, why is play protect disabled? Or on your iPhone, like your iPhone might have been jailbroken. So that's the due diligence first and I would tend to like perform that on my own because when I do not find that and once again in personal experience working with people that I know I actually have not gotten that but I just know from my experience in the field at Freedom of the Press Foundation as a mobile developer that that's what you should do. But then when you can assuage those fears personally then going to the people and just I give them like the security lesson that any of us might receive at any of the events that we attend such as understanding why in this particular situation what someone can do if you have shared passwords and how people ultimately can pivot onto other things other assets that you thought you had been able to keep private because you didn't remember that you had this shared reuse password out in the wild and why that's important. I also one thing that I've had moderate success with is telling people that it's never you know like such a horrible thing to start over again with a person and with a phone. Factory setting a phone is not as scary as it needs to be and often especially in cases of intimate partner violence when people are like not only gas lit but also in addition to like potential physical violence there's a high high probability of like financial control allocating the resources to get another device unless you're going to go to like organizations that do provide like brand new devices or just new devices for survivors. You might want to just like hold someone's hand as they wipe their phone and reset it and set it up to how I think that they should. All right, just as a quick interjection sort of the order in which I usually approach this I start with sort of the most common thing which is I look for misconfigurations and I look for you know human leaks of information. Then I usually tell them to essentially change their locks. So what you do is you change all of your passwords you install a password manager. Password manager to factor authentication from onto FAA. Make sure you're getting, make sure you're receiving alerts about like attempts to log in to your stuff. Yeah, and then there's also a whole bunch of other like you know just ways of like creating I guess like the psychosocial support that you need if that all becomes so overwhelming because it's a lot, it can be a lot of data. Yeah, and that's a lot to ask a survivor to do they're going through some stuff. And then finally after all of that if the problems are persisting then usually I tell them to if they have an Android download an antivirus program and run a scan. And if they have an iPhone to go through the domestic abuse manual that Apple recently put out and that I will link to in the chat. So now that we've made it through sort of you know the this malware is very bad and here's what it looks like when you when you're dealing with humans every day. Let's talk to Tara. Tara can you tell me a little bit about the coalition against stalkerware like how did it get started and what are they doing? Sure, well as always Ava thank you so much for having me and allowing me to participate. So the coalition against stalkerware launched in November 2019 we had 10 organizations to start five advocacy groups including EFF and then five cybersecurity vendors including malware bites and Kaspersky and we really been focused on kind of raising general awareness around the threat of stalkerware but we also have some other specific activities that we're engaging in things like sharing stalkerware samples amongst the technical companies that participate in the coalition to make sure that we're all detecting these things at the same level and that it's a real robust and healthy dialogue around what constitutes stalkerware because as David mentioned in his remarks the functionality can vary but we have that general overarching conception that it's something that enables a former surveillance without notification and consent and that tends to inform the detections that a lot of the companies are undertaking so that's a really big effort. Another thing is how do we interact with a number of different communities of interest? You know there's so many stakeholders that have to be aware of this issue to make sure that we can best support survivors as well as the organizations that work on their behalf. So we try to have resources available for survivors for things that they can look forward to determine whether stalkerware may be present on their device. We also are engaging with law enforcement so actually just about a month ago Interpol announced that they would be kind of collaborating with the coalition on how to educate national law enforcement agencies about stalkerware and tech-enabled abuse more generally so hopefully that information and that awareness and that sensitivity to the psychological harms that Harlow was mentioning can be filtered down to local officials throughout 190 plus countries. And then I would also say that we're trying to quite frankly have some conversations with tech. The industry really needs to understand the importance of not only stalkerware but stalkerware as an example of tech-enabled abuse because I think to what David was describing the numbers seem quote unquote small but it's actually really just kind of a symptom of these dynamics of power and control that tend to be pervasive in intimate partner violence relationships. And so there may be other forms of tech-enabled abuse like what Harlow was describing in terms of misconfiguration device or account compromise stalkerware would be a very small part of that continuum of violence but it is violence nonetheless. So I think we need to have a lot of conversations amongst our own industry quite frankly to understand the harms that this sort of technology can cause. And then lastly I would say we try to have a lot of discussion with media. I know you and David have had conversations with media on articles about stalkerware and other issues because quite frankly stalkerware has been a little bit sensationalized. It's kind of the quote unquote sexy issue that a lot of media tends to report on. But again, we want them to be very conscientious again of the psychological harms that are involved but also to treat this as kind of quite frankly another public health issue. We see that in terms of suicide prevention they provide the hotlines. We want them to do the same with domestic violence hotlines when they write about these sorts of issues as well because they are so interlinked. It's not just a matter of the technology. We often say within the coalition that stalkerware is not a technical issue. It's actually an abuse and crime issue and therefore we need the reporting that kind of frames these issues in the world to kind of take the acknowledging that fact. Can you talk a little bit about how law enforcement currently views stalkerware and sort of what do they do generally if somebody comes in to talk to the police and says essentially there's... Look, there's stalkerware on my phone. What do I do? Well, I think we still have this challenge with law enforcement and this is not true of everyone so I'm not casting aspersions here. But quite frankly, there tends to be a sense of disbelief that law enforcement or any criminal justice system actor tends to express when a survivor approaches them and says, hey, I think I'm being stalked. I think I'm being spied on through my devices because it just seems so fantastical. And so unfortunately a lot of survivors because of the general reaction tend not to approach law enforcement but I think when they do, law enforcement tends to sometimes be under resource to deal with any forensic crime. They tend to kind of kick it over to national law enforcement agencies which is why it's so important that the coalition is going to be partnering with Interpol. And as a result, it really just kind of lends to this overarching view from the survivor's perspective that society and the people that are supposed to protect us are not going to do so because they just can't engage with the level of psychological trauma that someone experiences by feeling like they're being surveilled all the time, that nothing belongs to them, that their minds don't belong to them because someone has access to their devices. And it just doesn't seem like something that's within the realm of possibility. So unfortunately we hear anecdotally that quite frankly, a lot of times law enforcement is not very responsive with someone approaches them about these issues. But definitely spying on somebody else's phone without their consent, spying on their stealing of their passwords, logging into their accounts, listening to their phone conversations. Isn't that illegal? The quality of the internet is, but I think there's a little uncertain, you've mentioned this and discussed this in other fora about like wiretap statutes and things like that. So yes, but I think what often happens is that similar to quote unquote, other crimes, there has to be certain threshold that is met for law enforcement to take action, which is really unfortunate in economic crimes. It's like, okay, if it's at a certain dollar amount, we'll take action if it's below that amount and we'll wait. Unfortunately, it seems to be a very similar approach when it comes to law enforcement in terms of these cases. And so, and law is very different. Even within the US, so they're across the globe, a lot of countries have statutes around domestic violence, but they don't necessarily consider that technology can be used to perpetrate domestic abuse and intimate partner violence. So it always is this question of, do we need to have a specific law for like technological abuse, or can we at least acknowledge that, okay, technology is being used to perpetrate abuse and violence, then that should be sufficient. But again, what do these law enforcement officials consider the threshold for action? And so I think it may be a bit different if there's maybe, if it's not necessarily a criminal proceeding, but maybe it's like to request an order of protection, for example, but you still have to kind of show a pattern of behavior. You have to provide a certain amount of evidence, quote unquote, in order to convince whether there's law enforcement or the criminal justice system, magistrates things of that nature to engage. And unfortunately, there doesn't seem to be even the horrifying fact that there are thresholds, there doesn't even seem to be a uniform threshold. So it's this very unfortunate dynamic where it's very ad hoc in terms of how law enforcement responds to these, despite the amount of evidence and the experience that someone is presenting to them. The response, unfortunately is to put it mildly less than optimal. One of the most common sort of bits of feedback that I get when I talk about stalkerware is the response, there ought to be a law, you ought to make this illegal. And then I have to tell them, I have terrible news for you, it's already illegal, but law enforcement doesn't do much because incentives are simply not aligned. Can you talk a little bit about the Safe Connections Act because it's really exciting when there's actually a law that might be useful for helping victims of domestic abuse. Yeah, sure, and the Safe Connections Act is something that would allow a victim or survivor of domestic abuse to be removed from shared phone plans. So again, going back to something that Harlow mentioned, a lot of times this is not about stalkerware. And it's having, a lot of times the abuser might be the purchaser of the family phones. And so they may have, because they're purchasing it, they may have had the opportunity to install the stalkerware even before the survivor gets their hands on that device. And oftentimes they're not able to separate themselves from the phone plans because of the way that phone plans typically work. So the Safe Connections Act is legislation pending in this Congress that would allow survivors to remove themselves from those shared phone plans, particularly because this isn't just a matter if they are cohabitating with their abuser. This is also an issue that can persist. Maybe once they've left the home, this is something that can persist even if they're just co-parenting children because that's another vector, which is just so infuriating to me that this isn't just about adults. A lot of times the abusers will leverage the children in common to act as a mode of surveillance on the survivor. And a lot of times that could be through the devices that maybe they've procured for the children. So things that enable survivors and empower them to have the access to technology but not have that access compromised by an abuser and not be dependent on the abuser for that access to technology. Something like the Safe Connections Act is really important. It's been great to see the advocacy that's been going on around those issues in Congress. And then also, for example, there's the Violence Against Women Act reauthorization that the House passed in March. Actually for the first time has language related to technological abuse, including the definition of domestic violence. So there's definitely a lot more attention on these issues but unfortunately with everything in Congress, it takes a very long time. And so in Congress' two year cycle, so we don't necessarily know timing of when some of these things are gonna move but it's definitely a positive direction to see that there's been some awareness of how technology can interplay with these issues of abuse, power and control. Fantastic, thank you so much. So we're gonna go ahead and get started on Q&A because there are so many questions. And I will simply read off the questions and then whoever feels like fielding it may go right ahead. The first question is, if someone with a technical and or legal background wants to get involved in helping victims, where can we start? What organizations do offer incident response for victims of stalkerware? Anybody? Yeah, I'll take that. Thank you for that question too. Please join, help us. There are some clinics across the United States that specifically offer drop-in services for survivors of domestic abuse to come in and get what's kind of like called a security checkup on their phone. And what that is is it's not just running an antivirus scanner to look for one of these pieces of stalkerware. It's also like Harlow was saying, it's looking at system configurations. It's looking at what's open. It's looking at, do you, just asking questions, have you shared your passwords? When's the last time you changed them? Who has them? Have you ever had shared account access which is completely normal? Like that's not a thing that people should be blamed for whatsoever. That's part of being alive today, right? And it's just going through those questions one by one and helping folks out. The only one that I specifically know of is actually all the way in New York and it's run by the clinic to end tech abuse. I think it's CEDA, yeah. And that's actually run out of either Cornell or... Cornell, Cornell, you know. Cornell, yeah, there we go, okay. Almost a whiff to that one. But they run that, they run that tech clinic and I think it's a fantastic model. Like I really do. I think it's a great model because as we've learned about today, just in the past like 40 minutes, these aren't, you know, it isn't like a survivor is saying I am being spied on, my Google Drive is being rifled through, someone knows what photos I've taken and without any follow-up, someone could say that's that piece of stalkerware. Like it isn't that at all. If it was, it would be easier to stop these kinds of things but of course it is not that. So a lot of this work requires person-to-person support. It requires advanced safety planning, right? Is it safe to even reach out to the National Network to End Domestic Violence to reach out to a domestic violence hotline? For many individuals, it is not. It is not because their device could be compromised. It is not because they are being stalked, they're being watched. So again, I know that CEDA is the one that does it. There are, there's at least one clinic that does it. I hope that there are others but CEDA has been very, very open, at least with me, without ever knowing them. You know, as much as I talk about stalkerware, my title at Mauerbytes is I'm a writer, right? I write about stuff and they were very, very open to talk to just a guy who wanted to talk about stalkerware. So they may know more places is what I'm saying. They may know more folks who are engaging in that model. I know more. There we go. Eva, if I could just really briefly, you know, similar to the clinic and tech abuse, there's also the technology enabled course of control institute out of the city of Seattle. But, you know, so there are definitely these models that are kind of like as David said, this kind of security audit approach. But quite frankly, I would recommend that anyone that's interested in helping survivors with these issues, go to your local DV program, your local domestic violence shelter. Because quite frankly, what also is the challenge is that domestic violence professionals, you know, people that are either advocates or, you know, service providers don't necessarily feel like they have the ability to help the survivors if there's a technology component to the abuse and violence that's happening. So, you know, we have a partner, for example, in the coalition, Operation Safe Escape, which is like this network of volunteers that do provide direct services to survivors. But even if you don't want to or cannot join these particular examples, reach out to your local domestic violence program. Sure, they would welcome any support that you can provide to help people with these sorts of technology issues. Do you find that the networks that you work within are struggling with capacity? And I mean, do we have any grand ideas about how to address that other than, you know, more people like the person who just asked that beautiful question? I think from my perspective, it is definitely, this is one of the things, for example, the coalition's trying to do. So one of the main constituencies obviously are the support organizations, those that provide service or advocate on behalf of survivors. And we are actually in the process of finalizing kind of an introductory technical training on things to look for when you suspect that there's either stalker wear or some other form of tech abuse that we want to deploy as widely as possible. And once the resources are finalized, we are going to share them as broadly as we can and anyone can then help disseminate and socialize that content with the networks that they work within. So I think it's going to be providing resources and information, again, empowering the organization as well as the survivors themselves to protect themselves, but also, you know, quite frankly, a lot of times it comes down to funding. A lot of DV programs are very under-resourced and underfunded. So if organizations have the ability to not only volunteer time, but also to volunteer or provide financial resources that may allow them to tap into these networks more broadly, that's something that I would also recommend. Eve, I'm sure you have other... Oh, oh, I do. So we've talked a little bit about Operation Safe Escape and the National Network to End Domestic Violence and CEDA in New York. But I also wanted to point out that, yes, a lot of people sort of freelance this. If it becomes known that this is the kind of work you do, people start seeking you out. And if that starts happening to you, what I really strongly recommend doing is learning a little bit about trauma. Just really take the time to learn about, you know, the trauma-informed approach to providing technical support because technical people can end up hurting a lot more than they're helping when they think they're helping you out. And I think it's really, really important if you have the technical skills to learn the dealing with trauma skills, get the soft skills on this. And if you have the soft skills and you're already very good at trauma-informed support, then learning the technical skills. But you absolutely need to do both because one or the other by itself is just not that helpful. So the next question that we have is, can you talk a little bit about air tags and similar devices? Who wants to talk about air tags? I'll start a bit. I personally have never seen that used against someone, but I can definitely imagine that being used against someone. Ultimately, they're tiny devices and Apple isn't the first, you know, company to kind of come up with this idea, but little devices that you can attach to actual objects, non-networked objects in order to locate them when they go missing. So like another one is Tile, for instance, if you're thinking about like Tile from way back, they're ultimately like, you know, a variety of Bluetooth-enabled and somewhat networked depending on like the protocol devices that you can attach to, you know, like your keys or like throwing your bag or something like that. And I do think that while, you know, like I haven't personally seen anyone have that used against them, I can once again imagine a situation where, you know, someone does have like an air tag or a Tile or whatever, like just kind of like dropped in their bag without their knowing and that being used as like a tracking beacon. As far as like, well, and I'll ask the rest of you about mitigation there. Well, to interject a little bit, I air tags have been available for purchase for a couple of weeks now. I already, you know, bought one, tested it, tore it apart, yelled a lot about Apple's really insufficient mitigations for stalking, pointed out that Tile has no mitigations for stalking, yelled at Amazon for saying, oh, we're gonna partner with Tile because we think that Tile isn't invasive enough and we think that it should talk to all Amazon Echoes. Yeah, Amazon's gone off the rail. But I have already seen air tags being used in domestic abuse cases. I actually just talked to a person who works directly with domestic abuse shelters who told me about two cases, one of which involved a Tile, which had been, not a Tile, sorry, an air tag, which had been stuck to the bottom of a car in order to track the vehicle and the other involved a air tag that had been slipped into the pocket of a partner's purse, which they knew that they simply never opened that pocket. So the abuse is real and the harms are not purely theoretical at this point. Does anybody else wanna talk about air tags and Tiles and just sort of this particular class of objects that we're starting to see? Eva, just really briefly, I'm not gonna talk about the air tags or Tiles because I don't have the sophistication and kind of knowing the details. But I guess what this really kind of points to from my perspective is that it's really important for us to understand that stalking can be enabled by technology that's been around for years. We tend to be kind of thinking about this as like a more recent phenomenon or something that's kind of, something that's only gonna be a problem with emerging technology, but location tracking is not new. We make the devices smaller and smaller but these technologies been around for quite some time. And so think about that when we're talking about these issues. Again, stalkerware still tends to be a fairly small subsection of tech enabled abuse. And this is a call not just to people that are interested in the issue to kind of understand that your car, even without a location tracker, but just with the general GPS service has been available for nearly 20 years. There have been cases where people have used the GPS tracking on a car to stalk a former partner. So think about that. But I also, this is kind of my little soapbox call for action with tech. Like, Eva, you were saying, have a survivor centric trauma informed approach to helping survivors. It's also have a trauma informed survivor centric approach to technology design and development. That this is not just about some edge case. This is thinking about how this is not just about your intentionality. This is like, okay, I have to think through the perspective of an abusive person, an abusive persona, how could they use my technology? Even if it's being used as intended, it can still be used to perpetrate violence and abuse. So it's really important that we think about this very holistically, because it's not an edge case. In some cases, it's not a stress case. The technology is being used exactly as you meant it to be used, but it can still perpetrate abuse and violence. That is an excellent point. Thank you so much. David, do you have anything to add? Just off of Tara's point, fantastic. The call to action that folks inside tech companies should consider more uses, 100% yes, absolutely. But I wanted to also add that we've all seen this before, where the people who are responsible for this, the words we use, they're champions. They're quality champions. They're survivor champions. And I appreciate every champion that we have. I love every one of them, many kudos and thank you to them. But I do wish that companies stopped relying on people to do more than they are being asked to do. I wish that companies stopped relying on the fact that they're hiring someone who out of their goodness is deciding to advance a product, right? Make those parts of the design, make that the job. Make that the job description. Make that the design process. We are barely scratching the surface in another area about making products that are accessible to all populations, right? To accessible to people who are handicapped, whether developmentally in any way. And we're just barely getting to that point where we're considering, what about someone who's colorblind? What about someone who's dyslexic? What about someone who can't read at this certain level? Standardize that. Make this part of the job. Again, I thank every champion out there, but if we keep relying on champions, we're not gonna get anywhere. We're just gonna have one-offs. We're gonna have ad hoc things. We don't spell. Yeah, exactly. Wish we could move forward on it, that's all. And if I could also just to piggyback on what David just said. It's also really important that when you do reach out to those that are doing the work with survivors, like National Network to End Domestic Violence, the Stock and Prevention Awareness and Resource Center, or your local DV program, if you're a tech company and you're like, okay, I care about this issue. I see why it's important. Don't assume that you can take advantage of their expertise without compensating them in the way that, compensating them for their expertise in their time. You will go out and maybe get a pen test or go out and get a cybersecurity audit of your product. And you will pay for that service. Recognize that these people are experts in their field as well. And therefore that if you're gonna take advantage of that expertise, obviously for hopefully beneficial reasons to make sure that your products can be less abusive, then make sure that you're thinking through, not just engaging with them, but compensating them for that expertise just as you would some other technical resource that you might be consulting for a product or something else. Just make sure that we're thinking about that their expertise is just as valuable as expertise within your company. Fantastic. And we have one last question, which is what would you say to someone who is considering using stockerware or air tags or some other form of tech enabled stocking against their partner? Anybody wanna start? Oh, come on, it can be yelling. Yeah, it's hard, right? Cause I think everyone on this call was like, don't fucking do that. Like really quickly, don't do that. And there's part of you that's like, well, how do I, how do I meet someone in the middle? There is no middle, there isn't a middle here, okay? It's wrong, like someone else, take this, you know? I mean, I'm only assuming that this person, if they're talking to me, it's because they don't necessarily realize that they're entering into or they're about to enter into like an abusive pattern with someone. And I, yeah, because otherwise, no, I wouldn't talk to that person at all. But definitely telling them exactly what David had said, that there is no middle. And it's also not like that, what you are about to enter into is technically known as abuse, technical enabled abuse. And if you are doing it because, you know, you're like, oh, well, I think, you know, like, I don't know, like I'm very, very suspicious of like, you know, this partner, like, you know, how can I take it into my own hands? That's when you say like, well, you know, there are actual like proceedings if you do need to like, you know, like get a divorce or something like that. And if that's where you're going, then like you and your divorced lawyer will help you through what you need to do, but like don't go on your own. Yeah, and that's only assuming that someone is acting in good faith and just isn't aware of the implications of what they're about to do. Tara? No, I mean, because it's so difficult. And I mean, and I'm not obviously an expert, but I know that there's, for example, members in the coalition that actually work, not only with survivors, but also with perpetrators. And I think sometimes it's, this isn't trying to meet them where they are, but it is kind of taking them through a series of questions, kind of asking them like, what is it you're trying to achieve by even thinking about this? Can you think about what kind of psychological harm you can cause to someone else? Because quite frankly, what this is a manifestation of, again, this is not a technical issue. This is really a manifestation of the fact that we as a society, and this is not just in the US, this is globally, don't think digital harm is the same thing as physical harm. And this kind of comes up in like the policy responses and law enforcement responses as well. So I think it's just kind of trying to get them to think through what they could be doing to the other person, maybe also reminding them of legal jeopardy they're putting themselves in, but it's also really making it very clear about how digital harm is harm point blank, full stop. And that they need to be thinking through what they're, and what also they're doing to themselves because there's a kind of a heightened emotional response that abusers get when they have access to these tools and they're getting all this information as well. So it's trying to kind of not meet them where they are, but really be very clear and explicit about the harm they're causing to the other person, the legal jeopardy they're putting themselves in, but also the harms that they're causing to themselves by engaging in this behavior. Fantastic. Thank you so much for participating in this conversation. All of your input is so important. You made such fabulous points. I really appreciate your having come to have this conversation. If people have any additional questions, where can they find you? Harlow? I am at Harlow on Twitter or otherwise Harlow at freedom.press. Tara? I'm unfortunately one of the uncool kids. I am not on Twitter, but you can locate me through at Stop Stalkerware on Twitter. That is the handle for the coalition. And I'm sure if there's any questions that come through myself or one of the other partners will be happy to answer them. And again, Eva, thank you so much for having us. It's a pleasure. And David, how do we find you? Yeah, yeah, I am. I'm foolishly on Twitter. Tara, you're making the right move here. And I'm at David Al Ruiz. So there I am. Fantastic. Thank you so much, everybody. It's been a pleasure. Thank you.