With that, I believe I am through talking to you, and I am thrilled to introduce our keynote this morning, Eva Galperin. I think she is probably someone many of you are familiar with, and I'm gonna let her fully introduce herself. She's a woman who wears many hats. So I think, here we go. Thanks a lot. Have fun.

Good morning. Thank you so much, everyone, for getting up so early. I have come here from the West Coast, and I usually go to bed around... I'm gonna go with now. So if I'm not entirely awake, please understand. Fortunately, there are some things that I can do even in my sleep, and that includes being really, really angry about spouseware and stalkerware. So let's start by making slides go.

My name is Eva Galperin and I'm the Director of Cybersecurity at the Electronic Frontier Foundation. How many of you here are familiar with EFF? A few people, one or two, three or four. This is good. It saves me a lot of time. I like it when I don't have to explain what we do. So for those of you who don't know what the Electronic Frontier Foundation is: we are a digital civil liberties organization based out of San Francisco, and our job is to make sure that when you go online, your rights come with you. There are a bunch of ways that we can go about this, and, you know, in the same way that the internet is global and its problems are global, they require a fairly broad toolkit if you want to deal with them.

So the tools that we have in our toolkit are: we have lawyers. I have an entire floor of angry attack lawyers in the US, and sometimes we file lawsuits. We do what is called impact litigation. The purpose of impact litigation to protect digital civil liberties is not just to file lawsuits that protect the people who are involved in the lawsuit, but lawsuits that will create good precedent or get rid of bad precedent. So that's what our lawyers are for. Sometimes the situation calls for activists. You have to get people out in the streets.
You need to get people angry. They need to sign petitions. They need to wave signs around. So we have an entire floor of angry activists, and then sometimes the answer is to throw engineers at the problem. And so we also have an entire floor of angry engineers. Oh, dear. I am one such angry engineer, there we go, who has managed to mess everything up. So we also have a floor of angry engineers. I have my own team of angry engineers called EFF's Threat Lab, and we are particularly concerned about privacy and security for vulnerable populations all over the world. So not just, like, your average user, but activists, journalists, women, people of color, LGBTQ populations, and, you know, people in abusive relationships, as it turns out, are among the people that we are helping out in Threat Lab. When I started Threat Lab, I sat my people down and I said, okay, everybody pick an industry that you want to destroy. And this is the story of the industry that I decided to destroy. Where do we go from here?
So, the first thing that we need to talk about in order to get to the area of spouseware and stalkerware: first we must go back in time to 2017, or, like I call it, the before time. In 2017, I was a security researcher. I mostly did work on APTs, advanced persistent threats, which is what we call especially annoying governments, and I specialized in the sort of, you know, B team of governments. When I first started doing my work in 2011, most discussion of APTs centered around the Five Eyes and China and Russia and Israel, and there wasn't really thought to be a whole lot of other game in town. And because these APTs were particularly sophisticated, there was a lot of research about them, because they're interesting. But around 2010 and 2011, we started to see a rise in lower-level APTs. So Vietnam, Kazakhstan, Lebanon, Mexico, Saudi Arabia. And these were countries that were essentially just buying software, which, it turned out, was often built in Western countries like the UK and Germany and, as it later turns out, Israel. And that way they didn't have to, you know, roll a bunch of their own infrastructure. They didn't have to train up a whole bunch of their own people.
It was sort of like turnkey surveillance, and this was one of the big things that we started to see happening around 2011, when I started doing my security research. So I spent years publishing security research on, you know, Syria and Vietnam and Lebanon with a guy who turned out, in 2017, to be a serial rapist. So I got mad. I got really, really angry and I didn't know what to do, and I did what most angry people do on the internet when they don't know what to do: I tweeted. And I tweeted that if you are a woman who has been sexually abused by a hacker who threatened to compromise your devices, you can contact me and I will make sure that they are properly examined.

Now, the reason I sent out this specific tweet was that I had just read an article with an interview with one of this guy's victims, and the journalist asked the victim, well, what took you so long to come forward? Why did you spend, you know, years not telling anybody that you'd been raped by this guy? And she said... I mean, never mind that this is some, like, stupid victim blaming, but what she said was: he was a hacker and he threatened to compromise my devices. I was really worried about what he was going to do to me. And I was so mad, and I didn't want anybody to ever feel that way again. Hence tweeting.

What I did not foresee was this. That's 9400 and 80 63 retweets, 16,339 likes. So that kind of went viral, and it would go viral once every few months. So it would make the rounds on Facebook. It made the rounds on Tumblr before the great porn ban, and now Tumblr is just tumbleweeds. And so I would get messages all the time, and I was swamped. I was getting somewhere between zero and a dozen contacts a day, depending on whether or not this message was currently going viral. And every day I would go into my inbox and I would have a dozen stories of people telling me about the worst thing that ever happened to them. The victims were mostly women; abusers were mostly men. But I also dealt
with cases of women abusing men and of abusive same-sex couples. One man who came to me had been outed as gay by his former boyfriend to his extremely conservative Korean family, which was super upsetting. So I saw many different kinds of abuse, and it was really disturbing. But for the most part, these people who thought that their devices had been compromised were wrong. Most people didn't need forensics.

Sometimes they were the victims of a scam. I don't know how many of you have seen the scam emails going around saying, I installed malware on your computer and I have seen you looking at porn and masturbating through your computer, and I have recorded this and I'm going to send it out to all of your contacts, you bad, bad person. So this was making the rounds, and I got a lot of people coming to me saying, I got this email. And I could tell them, you know, this is a scam. Done.

Sometimes it was not a scam, but most often it was account compromise. So people had their email accounts compromised, their Google Drives compromised, their Facebook accounts compromised, their Twitter accounts compromised, Snapchat, Instagram, WhatsApp, Apple IDs, everything. If you could think of it, somebody has compromised it. And now they have pictures, or are sending messages, or are in some other way harassing a person. And for me, this is actually kind of good news, because we can do something about account compromise. We have solutions for account compromise. You send them to go look at who's been logging into their accounts. You tell them: get a password manager, use it correctly, have strong, unique passwords, use security questions as more passwords, use the highest level of two-factor authentication that's feasible for you.
So we have a lot of answers for securing your account, and that makes my job a lot easier. But sometimes it really is a RAT, and those were the most disturbing cases. I see only a small fraction of the cases that actually exist in the wild, and this is partly because the kind of person who threatens to hack their victim usually doesn't. It turns out those people are cowards, and also lazy. And the kind of abuser who has a RAT on their victim's device often keeps quiet about it in order to maintain access. Abusers lie about their capabilities all the time. It helps keep the victims feeling confused and powerless when they don't know the shape and the limits of their abuser's surveillance. So it's a really, really powerful tool, even when it's not being deployed. But I did occasionally see RATs, and those were the most disturbing cases, because those were cases in which people got new phones, they got new computers, they kept switching accounts, they kept switching their passwords, and evidence of compromise kept persisting and they didn't know how to get rid of it.

So here I am getting all of these messages and I'm kind of exhausted. But I feel great. I get to be a hero. I am Captain Marvel. Every day people come to me and they say, you're doing extremely important, heroic work. I have a profile about me written by Wired in which I'm looking off into the distance like a thought leader. But I'm also really tired, and I don't scale. And the hero thing is bullshit. Having just one person doing forensics on people's computers one at a time, holding their hands, talking to them about, you know, trying to distinguish between account compromise and device compromise, is not scalable.
It's not a good use of my time, and it is, honestly, like, not so great for my mental health. So the hero model feels really good, but the hero model is bullshit. So I'm lazy, and I started thinking about this in a sort of more EFF-y way. In the same way that the Electronic Frontier Foundation does impact litigation, I started to think about how we could do, you know, some impact activism, impact engineering. Punching above our weight so that it's not just one person doing the work of talking to one person at a time. Because even though that feels good, it's dumb. So because I am lazy, I have decided to engage in some thought leadership.

So I had advice for people with compromised accounts, but the worst abuses were definitely compromised devices, mostly Android phones running spouseware and stalkerware. The spouseware and stalkerware would hand over emails, text messages, WhatsApp messages, photos, Snapchats, all your Instagram messages, web browsing, searches. Basically, having access to somebody's phone is tempting to an abuser for the same reason that it's tempting to a state actor, which is that access to somebody's phone is the next best thing to access to somebody's mind. If you want to know where someone is going, what they're doing, what they're thinking, breaking into their phone is a pretty damn quick way to do it. And so I started looking at the spouseware and stalkerware industry as a whole.

So the good news is, investigating spouseware and stalkerware is a lot easier than investigating APTs. APTs don't usually advertise on Google. And because these are all commercial products, I had the easiest time in the world: just Google. How do I spy on my girlfriend? How do I spy on my boyfriend? How do I catch a cheating spouse?
And results come up, lots of results. And so that's where I started. And I started to see the language that they use around their products. For example: access to Cocospy gives you the lead on how to spy on your wife with ease. You don't have to worry about where she goes, who she talks to, or the websites she visits. I mean, never mind, you didn't have to worry about those things in the first place, but this is kind of the way that they frame it: you get peace of mind by spying on your wife. It's totally reasonable. Who wouldn't want to do that? Peace of mind sounds very soothing.

The other way in which these things are frequently framed is that cheating happens all the time. You need to spy on your spouse in order to catch that no-good man or woman, or person of your preferred gender, cheating on you. What is particularly interesting about this picture, aside from the fact that it is a man holding a woman with a black eye and possibly blood on her face, is that this article is on the side of the man. The whole point of this article is that cheating happens all the time, and so what you really need to do is spy on your wife so you can catch her and then beat her up. That is what these products are for.

And the way that they often work is that you buy a subscription. So the first thing you do is you Google, how am I going to catch my cheating wife? Then you pay them some money, you download the APK onto the phone that you're going to spy on, and then you log into a portal. You buy access to a portal, which is run by the company that has sold you the product, and as long as you pay your subscription you have access to the portal, and therefore the contents of whatever is going on on the phone.
So it's not just that these companies are possibly writing spyware, or that they're advertising spyware. It is that they are taking money in order to continuously give you access to this data.

And why do we think this sort of thing is okay? Well, there's actually sort of a long history in hacker culture of drawing a distinction between spying on your spouse and, like, nation-state attackers. So this is Jean-Pierre Lesueur. He is a French hacker who, around 2011, 2012, had a project called DarkComet. So DarkComet was a free RAT that anybody could download, and it turned out that it was being used a lot by at least two groups that were sympathetic to the Assad regime in the early stages of the Syrian civil war. So we were starting to see these RATs being used to target people who were opposed to Assad, who would then get visits from the security services, who would then be sent to prisons and tortured and possibly killed. So we had these very distinct links all the way from this free RAT to people dying in Syria, and that was really disturbing, and Jean-Pierre Lesueur shut the project down. He basically said that he never meant for people to use his free RAT in this way, that it was not okay for it to be used by pro-Assad regime forces, that he didn't want people in Syria getting hurt. The Wired coverage of this was hilariously sympathetic. The title of the Wired article that was written about him was "How the Boy Next Door Accidentally Built a Syrian Spy Tool." But the subtext behind all this is that, oh, sure, you can't have, you know, pro-Assad people using this to spy on enemies of the Assad regime, but if some dude wants to use it to spy on his cheating girlfriend, that's fine, go to town. That's entirely legit. And for a very long time, just no one called bullshit on this attitude.

So how do you know if it's spouseware?
Because there's a lot of software out there, and sometimes it is framed as: so, you run a business and you want to see what your employees are doing. You give your employees a phone. You want to make sure that they're not, you know, doing anything illegal on it. You want to make sure that there are, like, no leaks from your organization. Or you are a parent and you want to keep track of your child, so maybe you might want to use these tools. So these are other things that you might want to do with sort of tracking software for people's phones, and most of these are legitimate uses. So how can we tell the difference between these kinds of legitimate uses and spouseware slash stalkerware? Deception. If the software is designed to run in such a way that the user does not see it on the device, if it's meant to deceive the person who has the device into thinking that there is no spyware on the phone, then that's spouseware or stalkerware. And we can argue about whether or not it's illegal, but I am here to tell you that it's unethical as hell.

Now, this also includes situations in which, in order to install the software, you need to have the device's login credentials. For a very long time, companies believed that if you had physical access to the device and you had, say, the Apple ID and the password, then that is legitimate access to somebody's phone. And I'm here to tell you that that's not how abuse works. It is extremely common in abusive situations for the abuser to have physical access to his partner's phone and to have the password and the username, which they have compelled out of their partner. So that's really not enough to count as legitimate access anymore. And this is one of those cases in which, essentially, our threat modeling is wrong.
We did not take into account abusive partners and abusive situations, and we thought, oh, certainly there's never going to be a case where you just give away your password to somebody who, you know, doesn't mean well.

So I went ahead, I went over to VirusTotal after having downloaded a bunch of spouseware, and I went to see how the various antivirus companies treat this software. And I discovered, back in... I think that this is from a few months ago, this is from, like, April... I discovered that detection rates were very low. Not only are detection rates quite low, but for the most part, AV companies largely ignore stalkerware and spouseware because it has some legitimate uses in their eyes. So here we have more examples. I believe this is a copy of TheTruthSpy that I was looking for, and as you can see, 10 AV companies were able to detect it, and that's out of 61. So that's pretty damn disappointing. What are these security researchers even doing with their time?

So I went to the AV industry and I managed to convince a couple of companies to start treating spouseware as malicious, to start marking it and saying, like, this is spouseware, this is stalkerware, I see it on your phone, here, possibly I can remove it. It shouldn't remove it automatically, because I am very much in favor of making sure that the user is able to make an informed decision, and also because there may be some cases where removing the spouseware from the phone may cause the abuser to escalate to either violence or greater violence than they're already engaged in. So I'm all about marking it rather than just sort of nuking it from orbit, because that decision really needs to be made by the victim.
So this is the privacy alert that Kaspersky put out. This is how they mark spouseware and stalkerware now. But not everybody is down for installing Kaspersky products on their devices, for some strange reason, and so they were soon joined by Lookout. Lookout put out a statement that was like, oh yeah, stalkerware and spouseware, we've always been doing that. We've always been at war with Eastasia. So Lookout also does this, and I'm very happy that now I have alternatives. We have two companies that are treating stalkerware and spouseware in the way that I think that they should be. But I think that what we really need to see is this needs to become the new normal. There were, what, like 61 companies on VirusTotal, and this is two. So, 59 to go. I'll wait here.

So let's talk a little bit about what antivirus can do, because even in the cases where these products are legal, they're unethical, and AV should detect them. Again, AV should not automatically remove them, because victims should have a choice. I am worried about abusers escalating to violence, and our first duty, which I have blatantly stolen from the medical profession, is to first do no harm. I am very excited that both Lookout and Kaspersky are doing this, but there is so much work left to do. I do have AV companies reaching out to me saying, well, just, like, give me a list of all the spouseware and then we will just, you know, add it to our engine and we will be done. And this is, I think, not the right approach to the problem, because again, once more, we are relying on the hero model, where suddenly it's my job to maintain a list of stalkerware and spouseware for the entire AV industry to use. I don't work for them. I'd be paid much better if I worked as an AV researcher than I do at the Electronic Frontier Foundation, a not-for-profit organization whose money comes entirely from 40,000 volunteers all over the world. And so what I would
really like AV companies to do is to stay on top of it themselves and do their damn jobs.

There are also some things that Google can do. Google could do a better job of policing the Google Play Store. It is already against Google's terms of service for their Play Store to have software which surreptitiously spies on you, which does not appear with a, like, large icon on your dock showing you this is the thing which is running on your device. So having that policed better would be a tremendous relief to me.

And finally, what can governments do? Often when I tell people about a problem, the very first reaction that I get is: there ought to be a law. Now, I am extremely skeptical of this, because I have seen many bad laws. I have seen many poorly written laws used against security researchers, used against journalists and activists and people who really need to defend their privacy and their anonymity and their speech. Generally, if a law is written badly, it is not going to get used against bad guys. It's going to get used against the most vulnerable populations, and those are the people that I protect all day. So I'm very skeptical when somebody says there ought to be a law. But it turns out that there are some laws, and they already exist. This is a brief list of US federal laws that apply, which I understand will be less interesting in Canada. But this is a "when all you have is a hammer" problem, which is to say that my hammer is a floor of angry US lawyers, and so I do not have a Canadian analysis of what laws these guys are breaking. But in the United States, they may be violating the Federal Wiretapping Act, the FWA, which generally prohibits the interception of wire, oral, or electronic communications.
So if they're, you know, spying on your phone calls in real time. The Stored Communications Act, again, this time when the information is stored and then you pull it down. And finally the Computer Fraud and Abuse Act, which is often used against hackers, and so I'm very concerned about overzealous prosecution of people under the CFAA. But it is fairly clear that what we're talking about here does violate the CFAA and its prohibition on... I've totally lost it. Anyway, it is a violation of the CFAA and it is bad.

So the Federal Wiretapping Act prohibits the manufacture, distribution, possession, and advertising of certain interception devices, though it's not limited to the developers of spyware. And some courts have held that the maker of spyware installed on a computer, used to intercept electronic communications and send them to the company's server, is itself guilty of the interception under the FWA, even though it was not the end user. And you can see that in 2014, the CEO of a company called StealthGenie was indicted under USC 2512. He pled guilty and was fined five hundred thousand dollars. Another spyware software developer was indicted in 2005, but he fled the country. And prosecutions have also occurred with respect to the end users of spyware.

And additionally, another tool that we have at our disposal is the FTC. In 2012, the FTC charged DesignerWare LLC, a company that provided spyware to rent-to-own computer providers, and entered into a consent decree with the company agreeing not to collect data from computers without giving clear and prominent notice and obtaining affirmative consent. In 2008, the FTC sued CyberSpy Software, which sold a keylogger program. The company entered into a consent decree with the FTC in 2012 and agreed not to promote, sell, or distribute software to be installed on computers without the knowledge or consent of the computer's owner. So it can be
done. Additionally, there are state laws in the US, such as any state wiretapping statutes, states with two-party consent where recording a conversation without the consent of both parties is illegal, and the Consumer Protection Against Computer Spyware Act, which is sure specific, which exists in the great state of California, where I am from.

You may ask yourself, but maybe I'm a parent. Shouldn't I be allowed to spy on my children? And while I have already answered that earlier in the talk, that it's unethical, it is kind of legal. So most courts have found that parents may vicariously consent on behalf of their minor children to record their child's oral, wire, or electronic communications, which makes these interceptions legal under the Federal Wiretapping Act. However, this is not an unlimited power. The parent has to demonstrate a good faith, objectively reasonable basis for believing that such consent was necessary for the welfare of the child. So it's not, like, a phenomenal cosmic power.

So this is sort of my wrap-up of all the different tools that we could possibly use to solve this problem. And the last thing that I wanted to talk about were a bunch of other people. So I didn't invent the term spouseware or stalkerware. I think the first use of the term that I was able to find goes back to something like 2007. I didn't even invent doing security research on spouseware or stalkerware. None of the work that I have done would have been possible if it was not for the work of people like Harlo Holmes at the Freedom of the Press Foundation, who has been working with individuals on things like this for years; the work of journalists at Vice, especially Vice's Motherboard blog. This blog actually has a series called When Spies Come Home, which is focused entirely on spouseware and the stalkerware industry, which, you know, really saved me a lot of time
in explaining what the hell this stuff is, and saved me an awful lot of research in trying to find bad actors in the space. And there are also journalists like Thomas Brewster, who works for Forbes, who's also spent a lot of time covering the spouseware and stalkerware industry. So we don't do this alone. We don't have to do it alone, and the more people that we have looking into the way that this stuff is being abused and pressuring companies to take action, the faster we can stop this kind of abuse and we can change the norms around the use of spouseware and stalkerware. Thank you very much.