Author: Chris Cox

Home » Archives for Chris Cox » Page 2

Our Commitment to Equality

Equality, diversity, and safety are important in May. They’re also important in July. But June is when we celebrate LGBTQ Pride Month- a time when we should all reaffirm our commitment to treating human beings equally and with the dignity they deserve. But, more importantly, that commitment needs to be firmly and unwaveringly held every single day of the year.

Operation Safe Escape wants to take this opportunity to renew our pledge to help all survivors of domestic violence, stalking and harassment; we do not discriminate based on gender, gender expression, sexual orientation, or any other innate characteristic. We believe that love is love, and no one should be denied safety and security because of who they love or who they are.

Members of the LGBTQ community are too-often affected by domestic violence and related crimes, and sometimes it can be difficult to know where to go for help. We see you, we support you, and we‘re here for you.

FCC Logo and Cell phones

FCC to Enact New Rules to Protect Survivors of DV

In December 2022, President Biden signed the Safe Connections Act into law. The Safe Connections Act required mobile service providers to separate a survivor’s phone line from a shared family plan in cases of abuse. Previously, even survivors of domestic violence required the account owner (often the abuser) permission to release the line and allow the survivor to keep their phone and number under their own plan. Of course, the abuser rarely gives this permission as another form of control.

Under this law, cell phone providers have two days to separate the line after the request is made. This allows the survivor to maintain contact with their support system without losing any of their contacts or history.

The Federal Communications Commission (FCC) is currently considering rules that will meet the requirements of the law. Among the plans include a way to ensure calls to domestic violence hotlines don’t appear on call and text message logs, which will help make sure the abuser can’t see when the survivor reaches out for assistance. The FCC is also planning to launch a “lifeline” program to provide emergency communications for up to six months for survivors who can’t yet afford to pay for services.

When the FCC considers new rules and processes, they often have a public comment period to allow people to share their experiences and how the rules might affect them. Even more important, they listen. They have invited survivors and advocates to share their concerns and experiences to help them understand ways they can help survivors stay connected.

You too can make your voice heard. Comments are open until March 10, 2023; you can add yours by visiting the FCC Website and using “22-238” as the proceeding number. Using this number will automatically populate the subject with “Supporting Survivors of Domestic and Sexual Violence.”

FCC Chairwoman Jessica Rosenworce said in a statement “What I learned is that domestic abuse often happens in silence,” and she vows that the FCC will help break through that silence.

“Stalkerware” developer fined $410,000 by NY Attorney General, required to notify victims

As recently reported by the Electronic Frontier Foundation, the New York Attorney General fined Patrick Hinchy and the 16 companies he runs a total of $410,000 for producing and selling spyware and stalkerware apps. Such apps can be used, as the name suggests, to spy on or stalk another person, often a spouse or intimate partner. Users were able to access victim’s personal messages, view their location, activate the microphone remotely, and more.

In addition to the fine, the companies have been required to notify victims that their devices were compromised and modify the spy app’s previously-obscured icon on the victim’s device to indicate it’s true purpose, as well as providing more information if the app is opened. They are also required to post removal instruction on their website and provide links to domestic violence resources.

In a press release announcing the move, New York State Attorney General Letita James noted, “[s]nooping on a partner and tracking their cell phone without their knowledge isn’t just a sign of an unhealthy relationship, it is against the law.” Specifically, its use likely violates federal wiretapping laws, state recording and privacy laws, the Electronic Communications Privacy Act (ECPA), Computer Fraud & Abuse Act (CFAA), and more. Purchase and use of these tools have already led to convictions, and this move may lead to even more.

The recent move against stalkerware developers is a significant victory for those who have had their privacy violated by these malicious apps. Not only does it provide a sense of relief for survivors of domestic violence and victims of stalkerware, but it also serves as a warning to those who may consider purchasing these apps. They should be aware that they are breaking the law and that sooner or later, the consequences will catch up with them.

As a proud founding member of the Coalition Against Stalkerware, Operation Safe Escape applauds the actions taken by New York and encourages other states to follow in their footsteps. While there is still much work to be done in the fight against stalkerware, this is a pivotal shift shift toward the right direction.

Password recovery questions: who already knows your mother’s maiden name?

We’ve all been there- you go to log into a website and realize that you just can’t remember your password. And it’s not like you can easily guess it, because your probably used a strong password rather than something insecure like your dog’s name (right?). So you click that little link that says “forgot password” and start the process of getting back into your account.

The website developers made a choice at that point, and it affects your security. They might send a password reset link to your email address and let you reset it there. Hopefully they don’t send you your current password in the email itself, that just means they’re not protecting it right. It’s a bit better if they send you a temporary password that expires after a set period of time. But in many cases, they’ll prompt you to reset your password by verifying your identity and answering password recovery questions.

In the early days of social media, there was a game making the rounds. It said that your “adult entertainer” name was your first pet’s name and the street you grew up on. If I had played it, I would have been Alex Sunset, which honestly has a nice ring to it (I’ll explain in a bit why I don’t mind telling you that). But do those pieces sound familiar? “Pet’s name” and “Street you grew up on” were at the time (and in too many cases, still are) some of the most popular password recovery questions. By giving hackers and identity thieves that information, you’ve already made their job a lot easier.

Fast forward to today, we’re living in the information age. Back in the 1800s when telegraph banking became a thing, most people didn’t know another person’s mother’s maiden name unless they were a part of the family or at least from the area. So when they came up with security standards, it seemed like a good question to ask someone who was asking for their money to be transferred to a different area. Yes, “mother’s maiden name” as a security question is really that old. But today, websites collect that information for you and make it very easy to find. The other answers might be found on your facebook page or other “people search” websites.

Fortunately, many websites have realized this and changed up their questions to ones that can’t be easily found. They’re more opinions and personality traits than searchable facts, things like “what’s your favorite vacation spot” or “who was your favorite teacher in high school?” Sure, someone following you on social media might also know the answers to those questions, but the idea is that only you would know all of them. Well, maybe you and someone who lives in your home or grew up with you. That’s the biggest flaw in even these “second generation” security questions- they assume that only you would know about your memories and opinions, and that’s clearly not always the case.

There’s no delicate way to put this, so I’ll just say it: it’s okay to lie. Or maybe I’ll put it another way- it’s perfectly fine to use answers that you’d remember but someone else might not think to use. If your favorite vacation spot is New York City, make a habit of naming your LEAST favorite vacation spot instead. Instead of naming your favorite food, name your favorite drink. Be consistent, be unpredictable, be secure. There’s another benefit to doing it this way- most sites will alert you if someone tries to reset your password. You get an alert but your password remains intact.

So feel free to use my first pet’s name and the street I grew up on to reset my passwords, because I don’t.

(Just want to mention, another option is to use a password manager to store your very secure passwords. That’s another topic on its own, but if you’re going to use one make sure you’re able to protect the primary password, since it controls access to the rest of them!)

Set your own PACE

In some professions, communication is important. In the military and public services, for example, they use what’s called a PACE plan to make sure they always have a way to send a critical message when time’s a factor. And you can, too.

PACE stands for Primary, Alternate, Contingency, and Emergency. In other words, it’s a way to make sure there’s multiple ways to reach someone or communicate even if something goes wrong and the primary method isn’t an option. Broken down, it looks kind of like this:

Primary is the way you routinely talk to someone. It’s the one that makes the most sense to use and is often the most convenient. For example, many of us will be using our phone to call, text, or DM someone we want to talk to. If it’s what you normally use to talk, that’s probably going to be your primary method.

Alternate is what you use if the primary method isn’t available. If you drop your phone in the bathtub and have to wait for the bag or rice to work it’s magic, what would you to do reach out to someone you want to talk to? Maybe then you’d use your computer or a tablet- that’s your alternate method.

Contingency is what you use if neither the primary or alternate method is an option. This is often something that’s a bit less convenient, but will still do the trick. This could be a neighbor’s phone, sending someone with a message, or another way to get information across.

Emergency is when you or someone else needs help right now, and there might not even be time to send a message privately or securely. Consider how the military communicates- in most cases, they’re using encrypted radios or some other way that hides what they’re saying. But if there’s an emergency, sending out a message “in the clear” can make sure everyone gets it and can respond quickly. You hope to never need to use an emergency method of contact, but deciding what it might be ahead of time is important.

Another benefit of setting up your PACE plan now is that you have time to think about safety and security for the methods you choose. If your phone is your primary method of communicating with your support system, of course you want to make sure your phone is protected and private. But if your computer is your alternate communication method, you should probably make sure it is too- just in case you need to use it.

So set your own PACE, what that means is up to you.

The Aldrich Ames mailbox

Sending a signal, just like in the movies

Have you ever watched one of those exciting, edge-of-your seat spy movies? Or maybe an equally exciting documentary about the life of a real-life spy? In both cases, there’s one scene in particular they tend to get exactly right.

At a certain point, the spy needs to signal to his or her handler that they need to speak. Or maybe that they have information. Or maybe that there’s trouble. Whatever it is, they use a pre-arranged to send that important message. Sometimes, it’s a piece of tape on a window. In the real-world case of Aldrich Ames, the CIA double-agent would leave small chalk marks on a specific mailbox. The important part is that the spy and their contact both knew what they messages met and what to look for, and their adversary didn’t.

While you’re (hopefully!) not a spy, you might someday have a need to send secret messages in a way that won’t alert an abusive partner. With the advent of social media, this is a lot easier to do than it was before but traditional options can still be useful. For example, leaving the window blinds open at a 45 degree angle could mean “please check on me.” Posting a specific picture on instagram might mean “my phone is being monitored.” Using a specific phrase on facebook could be saying “call 911.”

If you choose to set up a clandestine communication method like this, keep the following important principles in mind:

1. Set up the signal and what they mean ahead of time with someone you trust. Make sure they understand what each signal indicates and what they need to do

2. Make sure the signal doesn’t stand out or raise suspicion. In the previous examples, if you never change the way the window blinds are oriented doing it to send a signal would be seen as out of character

3. Make sure the signal is unique and stands out, but isn’t likely to be accidentally used (or thought to be used)

4. Establish how often your ally should be checking for a signal, if applicable. Is it enough for them to drive by your house once a week to see if the houseplant in the window has moved? Should they be looking at your twitter feed regularly?

Even if you feel you can safely reach out to your support system or call for help if you need it, it’s helpful to set up an alternate way to communicate with others just in case you need it. Setting up signals ahead of time and making sure they’re not too obvious to someone not “in the know” can help you do so safely.

Proposed England and Wales law would decriminalize non-consensual deepfake pornography and removes the barrier of “intent”

A proposed new law in England and Wales will close a loophole in non-consensual pornography laws and criminalize the sharing of pornographic deepfakes without consent.

The Online Safety Bill removes the requirement for prosecutors to prove an intent to cause distress, which has allowed offenders to avoid prosecution in the past by claiming they didn’t “intend to cause harm.”

Deepfakes allow creators to overlay an individual’s face on another person in a video, often making it look like the target is performing the actions in the source video. This has been for comedic effect, such as overlaying Steve Buscemi’s face over Jennifer Lawrence’s appearance at the golden globes, or less commonly for political purposes. Unfortunately, the technology can also be used to seemingly place an unwilling victim into pornographic videos.

Partially due to a growing awareness of deepfake technology, lawmakers felt compelled to tighten and update existing laws to aid in prosecution and protect victims of fake and nonconsensual pornographic images.

When announcing the measures, Justice Secretary Dominic Raab said they wanted to “give women and girls the confidence that the justice system is on their side and will really come down like a ton of bricks on those who abuse or intimidate them”.

In a BBC interview in 2021, one unnamed deepfake porn creator said that such measures would make him stop doing it. He said, “if I could be traced online I would stop there and probably find another hobby.”

Happy Thanksgiving

Thanksgiving means many things to me. It’s a day to gather with friends and family to enjoy one another’s company. It’s a day that my daughter and I put together grandma’s famous fruit salad for everyone to enjoy (and she eats the cherries as fast as I can cut them!). It’s also a day when I like to stop and think about the many things for which I’m grateful and how my life has been enriched by others.

If you’re reading this, know that I’m thankful for you.

When I founded Operation Safe Escape in 2016 (at the time using the awful name of “Project Safe Escape,” what a mistake that was!), I dreamed that we could help a few dozen people feel safe and start a life they had only dreamed of. If I let my mind wander, I could imagine helping 100 people. 100 people! The effects would be felt for generations if we could help break the cycle of abuse for so many.

Over 3,000 successful escapes later, Operation Safe Escape is still going strong. It’s more than I had ever hoped for and I’m thankful every single day for it. I’m thankful for the volunteers that give their time to help people they’ll probably never meet. I’m thankful for our partners, who have donated goods and services that we can make available to survivors. I’m thankful for for people like you, who support us in so many ways. Many of the people reading this message have literally save lives in one way or another. It’s truly remarkable.

Whether today is Thanksgiving for you, or if it’s Thursday, I hope you have much to be thankful for. I hope this upcoming year is even better than the last.

Best wishes,
Chris
Director, Operation Safe Escape

The Safe Connections Act Passes Congress, Pending Presidential Signature

Cell phones have changed the way we work, play, and communicate with one another. They can be used to talk to loved ones anywhere in the world, do schoolwork, play games, and so much more. In fact, for many of us, it’s hard to imagine life without it.

323.6 million Americans own cell phones, most having “smart phone” capability. Unfortunately, statistically speaking, up to 6.3 million of those people have been, are currently, or someday will be in an abusive relationship. In many of those cases, the abuser has control over the survivor’s phone plan- even after a breakup. That may allow the abuser to access their phone records, see who they’ve been speaking to, shut off the service at will, and prevent the survivor from moving the device to their own (more private) plan.

In January 2021, Senators Brian Schatz, Deb Fischer, Richard Blumenthal, Rick Scott, and Jacky Rosen sponsored Senate Bill 120, The Safe Connections Act. This bill requires mobile service providers to separate the survivor’s phone line, as well as their children or others in their care, from the abuser’s line whenever technically possible. Furthermore, the providers are not allowed by law to charge fees for this service.

The bill also requires providers to complete the separation within two days of making the request, allow remote methods to make the request, protect the survivor’s confidentiality, and provide information to the public about the service so people know it’s an option.

Happily, this bill has since passed both chambers of congress and is waiting for the President’s signature to become law. Operation Safe Escape agrees with the Electronic Frontier Foundation, who says:

“We would have preferred a bill that did not require survivors to provide paperwork to “prove” their abuse. For many survivors, providing paperwork about their abuse from a third party is burdensome and traumatic, especially when it is required at the very moment when they are trying to free themselves from their abusers. However, this bill is a critical step in the right direction, and it is encouraging that Congress so overwhelmingly agreed.”

But, it’s a start and a huge victory for survivors of domestic violence and their advocates.

View details on the bill here.

Protecting your passwords

You’ve probably heard it before: “never write down your passwords. Use unique passwords for each website and memorize them.”

It’s great advice, but it’s not always easy. In 2022, the average person has between 70 and 80 passwords they need to keep track of! This can sometimes lead to people using easily-guessed passwords (like their birthday or pet names, things like that) or reusing passwords for multiple sites (if one site is hacked and the passwords stolen, hackers can see if the passwords work for other websites, too).

Fortunately, you have options for protecting your passwords and accounts. Here’s a few:

1. Use a password manager. A password manager is an app for your phone or computer that can securely store encrypted passwords so you don’t have to remember all of them. All you have to do is remember your password for the password manager, which you should make as strong as possible. This means you can use very strong and unique passwords for each website without having to remember each one.

2. Write them down. I know, right? You always here it- don’t write down your passwords. But this is where you need to decide which is safer for you. Remember that your online accounts can be attacked by anyone with an internet connection, but gaining access to a notebook or password sheet requires access to wherever it is placed. If you feel you can protect a sheet of paper and know you need to use strong and unique passwords, this might be an option.

3. Write them down, but know the secret. If you feel like writing down your password (and securing it) is an option for you, you can add an extra layer of security by changing the password from the actual one. For example, anyone looking at the password sheet wouldn’t know that you actually added an extra letter to the end. Or that you added 2 to all of the numbers in your password. By changing it, you can not only protect your accounts but you can also get an alert if someone tries to use it.

Whichever you choose, you should always turn on two-factor authentication. Two factor authentication (2fA) requires an additional measure to prove your identity prior to logging in. Sometimes, this can be an app, or it can even be a hardware token that must be present in order to log in. Using 2FA means that even if someone knows your username and password, they still can’t log in without you knowing.

Whatever password solution you choose, we recommend changing all your passwords at the same time if possible. This prevents anyone from leveraging their access to undo the work you’re doing to protect your accounts. And don’t forget to choose the option “log me out of other locations” whenever possible! If someone is in your account without permission, this will kick them out and make sure they can’t log in again.