“Stalkerware” developer fined $410,000 by NY Attorney General, required to notify victims

As recently reported by the Electronic Frontier Foundation, the New York Attorney General fined Patrick Hinchy and the 16 companies he runs a total of $410,000 for producing and selling spyware and stalkerware apps. Such apps can be used, as the name suggests, to spy on or stalk another person, often a spouse or intimate partner. Users were able to access victim’s personal messages, view their location, activate the microphone remotely, and more.

In addition to the fine, the companies have been required to notify victims that their devices were compromised and modify the spy app’s previously-obscured icon on the victim’s device to indicate it’s true purpose, as well as providing more information if the app is opened. They are also required to post removal instruction on their website and provide links to domestic violence resources.

In a press release announcing the move, New York State Attorney General Letita James noted, “[s]nooping on a partner and tracking their cell phone without their knowledge isn’t just a sign of an unhealthy relationship, it is against the law.” Specifically, its use likely violates federal wiretapping laws, state recording and privacy laws, the Electronic Communications Privacy Act (ECPA), Computer Fraud & Abuse Act (CFAA), and more. Purchase and use of these tools have already led to convictions, and this move may lead to even more.

The recent move against stalkerware developers is a significant victory for those who have had their privacy violated by these malicious apps. Not only does it provide a sense of relief for survivors of domestic violence and victims of stalkerware, but it also serves as a warning to those who may consider purchasing these apps. They should be aware that they are breaking the law and that sooner or later, the consequences will catch up with them.

As a proud founding member of the Coalition Against Stalkerware, Operation Safe Escape applauds the actions taken by New York and encourages other states to follow in their footsteps. While there is still much work to be done in the fight against stalkerware, this is a pivotal shift shift toward the right direction.

Password recovery questions: who already knows your mother’s maiden name?

We’ve all been there- you go to log into a website and realize that you just can’t remember your password. And it’s not like you can easily guess it, because your probably used a strong password rather than something insecure like your dog’s name (right?). So you click that little link that says “forgot password” and start the process of getting back into your account.

The website developers made a choice at that point, and it affects your security. They might send a password reset link to your email address and let you reset it there. Hopefully they don’t send you your current password in the email itself, that just means they’re not protecting it right. It’s a bit better if they send you a temporary password that expires after a set period of time. But in many cases, they’ll prompt you to reset your password by verifying your identity and answering password recovery questions.

In the early days of social media, there was a game making the rounds. It said that your “adult entertainer” name was your first pet’s name and the street you grew up on. If I had played it, I would have been Alex Sunset, which honestly has a nice ring to it (I’ll explain in a bit why I don’t mind telling you that). But do those pieces sound familiar? “Pet’s name” and “Street you grew up on” were at the time (and in too many cases, still are) some of the most popular password recovery questions. By giving hackers and identity thieves that information, you’ve already made their job a lot easier.

Fast forward to today, we’re living in the information age. Back in the 1800s when telegraph banking became a thing, most people didn’t know another person’s mother’s maiden name unless they were a part of the family or at least from the area. So when they came up with security standards, it seemed like a good question to ask someone who was asking for their money to be transferred to a different area. Yes, “mother’s maiden name” as a security question is really that old. But today, websites collect that information for you and make it very easy to find. The other answers might be found on your facebook page or other “people search” websites.

Fortunately, many websites have realized this and changed up their questions to ones that can’t be easily found. They’re more opinions and personality traits than searchable facts, things like “what’s your favorite vacation spot” or “who was your favorite teacher in high school?” Sure, someone following you on social media might also know the answers to those questions, but the idea is that only you would know all of them. Well, maybe you and someone who lives in your home or grew up with you. That’s the biggest flaw in even these “second generation” security questions- they assume that only you would know about your memories and opinions, and that’s clearly not always the case.

There’s no delicate way to put this, so I’ll just say it: it’s okay to lie. Or maybe I’ll put it another way- it’s perfectly fine to use answers that you’d remember but someone else might not think to use. If your favorite vacation spot is New York City, make a habit of naming your LEAST favorite vacation spot instead. Instead of naming your favorite food, name your favorite drink. Be consistent, be unpredictable, be secure. There’s another benefit to doing it this way- most sites will alert you if someone tries to reset your password. You get an alert but your password remains intact.

So feel free to use my first pet’s name and the street I grew up on to reset my passwords, because I don’t.

(Just want to mention, another option is to use a password manager to store your very secure passwords. That’s another topic on its own, but if you’re going to use one make sure you’re able to protect the primary password, since it controls access to the rest of them!)

Set your own PACE

In some professions, communication is important. In the military and public services, for example, they use what’s called a PACE plan to make sure they always have a way to send a critical message when time’s a factor. And you can, too.

PACE stands for Primary, Alternate, Contingency, and Emergency. In other words, it’s a way to make sure there’s multiple ways to reach someone or communicate even if something goes wrong and the primary method isn’t an option. Broken down, it looks kind of like this:

Primary is the way you routinely talk to someone. It’s the one that makes the most sense to use and is often the most convenient. For example, many of us will be using our phone to call, text, or DM someone we want to talk to. If it’s what you normally use to talk, that’s probably going to be your primary method.

Alternate is what you use if the primary method isn’t available. If you drop your phone in the bathtub and have to wait for the bag or rice to work it’s magic, what would you to do reach out to someone you want to talk to? Maybe then you’d use your computer or a tablet- that’s your alternate method.

Contingency is what you use if neither the primary or alternate method is an option. This is often something that’s a bit less convenient, but will still do the trick. This could be a neighbor’s phone, sending someone with a message, or another way to get information across.

Emergency is when you or someone else needs help right now, and there might not even be time to send a message privately or securely. Consider how the military communicates- in most cases, they’re using encrypted radios or some other way that hides what they’re saying. But if there’s an emergency, sending out a message “in the clear” can make sure everyone gets it and can respond quickly. You hope to never need to use an emergency method of contact, but deciding what it might be ahead of time is important.

Another benefit of setting up your PACE plan now is that you have time to think about safety and security for the methods you choose. If your phone is your primary method of communicating with your support system, of course you want to make sure your phone is protected and private. But if your computer is your alternate communication method, you should probably make sure it is too- just in case you need to use it.

So set your own PACE, what that means is up to you.

The Aldrich Ames mailbox

Sending a signal, just like in the movies

Have you ever watched one of those exciting, edge-of-your seat spy movies? Or maybe an equally exciting documentary about the life of a real-life spy? In both cases, there’s one scene in particular they tend to get exactly right.

At a certain point, the spy needs to signal to his or her handler that they need to speak. Or maybe that they have information. Or maybe that there’s trouble. Whatever it is, they use a pre-arranged to send that important message. Sometimes, it’s a piece of tape on a window. In the real-world case of Aldrich Ames, the CIA double-agent would leave small chalk marks on a specific mailbox. The important part is that the spy and their contact both knew what they messages met and what to look for, and their adversary didn’t.

While you’re (hopefully!) not a spy, you might someday have a need to send secret messages in a way that won’t alert an abusive partner. With the advent of social media, this is a lot easier to do than it was before but traditional options can still be useful. For example, leaving the window blinds open at a 45 degree angle could mean “please check on me.” Posting a specific picture on instagram might mean “my phone is being monitored.” Using a specific phrase on facebook could be saying “call 911.”

If you choose to set up a clandestine communication method like this, keep the following important principles in mind:

1. Set up the signal and what they mean ahead of time with someone you trust. Make sure they understand what each signal indicates and what they need to do

2. Make sure the signal doesn’t stand out or raise suspicion. In the previous examples, if you never change the way the window blinds are oriented doing it to send a signal would be seen as out of character

3. Make sure the signal is unique and stands out, but isn’t likely to be accidentally used (or thought to be used)

4. Establish how often your ally should be checking for a signal, if applicable. Is it enough for them to drive by your house once a week to see if the houseplant in the window has moved? Should they be looking at your twitter feed regularly?

Even if you feel you can safely reach out to your support system or call for help if you need it, it’s helpful to set up an alternate way to communicate with others just in case you need it. Setting up signals ahead of time and making sure they’re not too obvious to someone not “in the know” can help you do so safely.

Proposed England and Wales law would decriminalize non-consensual deepfake pornography and removes the barrier of “intent”

A proposed new law in England and Wales will close a loophole in non-consensual pornography laws and criminalize the sharing of pornographic deepfakes without consent.

The Online Safety Bill removes the requirement for prosecutors to prove an intent to cause distress, which has allowed offenders to avoid prosecution in the past by claiming they didn’t “intend to cause harm.”

Deepfakes allow creators to overlay an individual’s face on another person in a video, often making it look like the target is performing the actions in the source video. This has been for comedic effect, such as overlaying Steve Buscemi’s face over Jennifer Lawrence’s appearance at the golden globes, or less commonly for political purposes. Unfortunately, the technology can also be used to seemingly place an unwilling victim into pornographic videos.

Partially due to a growing awareness of deepfake technology, lawmakers felt compelled to tighten and update existing laws to aid in prosecution and protect victims of fake and nonconsensual pornographic images.

When announcing the measures, Justice Secretary Dominic Raab said they wanted to “give women and girls the confidence that the justice system is on their side and will really come down like a ton of bricks on those who abuse or intimidate them”.

In a BBC interview in 2021, one unnamed deepfake porn creator said that such measures would make him stop doing it. He said, “if I could be traced online I would stop there and probably find another hobby.”

Happy Thanksgiving

Thanksgiving means many things to me. It’s a day to gather with friends and family to enjoy one another’s company. It’s a day that my daughter and I put together grandma’s famous fruit salad for everyone to enjoy (and she eats the cherries as fast as I can cut them!). It’s also a day when I like to stop and think about the many things for which I’m grateful and how my life has been enriched by others.

If you’re reading this, know that I’m thankful for you.

When I founded Operation Safe Escape in 2016 (at the time using the awful name of “Project Safe Escape,” what a mistake that was!), I dreamed that we could help a few dozen people feel safe and start a life they had only dreamed of. If I let my mind wander, I could imagine helping 100 people. 100 people! The effects would be felt for generations if we could help break the cycle of abuse for so many.

Over 3,000 successful escapes later, Operation Safe Escape is still going strong. It’s more than I had ever hoped for and I’m thankful every single day for it. I’m thankful for the volunteers that give their time to help people they’ll probably never meet. I’m thankful for our partners, who have donated goods and services that we can make available to survivors. I’m thankful for for people like you, who support us in so many ways. Many of the people reading this message have literally save lives in one way or another. It’s truly remarkable.

Whether today is Thanksgiving for you, or if it’s Thursday, I hope you have much to be thankful for. I hope this upcoming year is even better than the last.

Best wishes,
Chris
Director, Operation Safe Escape

The Safe Connections Act Passes Congress, Pending Presidential Signature

Cell phones have changed the way we work, play, and communicate with one another. They can be used to talk to loved ones anywhere in the world, do schoolwork, play games, and so much more. In fact, for many of us, it’s hard to imagine life without it.

323.6 million Americans own cell phones, most having “smart phone” capability. Unfortunately, statistically speaking, up to 6.3 million of those people have been, are currently, or someday will be in an abusive relationship. In many of those cases, the abuser has control over the survivor’s phone plan- even after a breakup. That may allow the abuser to access their phone records, see who they’ve been speaking to, shut off the service at will, and prevent the survivor from moving the device to their own (more private) plan.

In January 2021, Senators Brian Schatz, Deb Fischer, Richard Blumenthal, Rick Scott, and Jacky Rosen sponsored Senate Bill 120, The Safe Connections Act. This bill requires mobile service providers to separate the survivor’s phone line, as well as their children or others in their care, from the abuser’s line whenever technically possible. Furthermore, the providers are not allowed by law to charge fees for this service.

The bill also requires providers to complete the separation within two days of making the request, allow remote methods to make the request, protect the survivor’s confidentiality, and provide information to the public about the service so people know it’s an option.

Happily, this bill has since passed both chambers of congress and is waiting for the President’s signature to become law. Operation Safe Escape agrees with the Electronic Frontier Foundation, who says:

“We would have preferred a bill that did not require survivors to provide paperwork to “prove” their abuse. For many survivors, providing paperwork about their abuse from a third party is burdensome and traumatic, especially when it is required at the very moment when they are trying to free themselves from their abusers. However, this bill is a critical step in the right direction, and it is encouraging that Congress so overwhelmingly agreed.”

But, it’s a start and a huge victory for survivors of domestic violence and their advocates.

View details on the bill here.

Protecting your passwords

You’ve probably heard it before: “never write down your passwords. Use unique passwords for each website and memorize them.”

It’s great advice, but it’s not always easy. In 2022, the average person has between 70 and 80 passwords they need to keep track of! This can sometimes lead to people using easily-guessed passwords (like their birthday or pet names, things like that) or reusing passwords for multiple sites (if one site is hacked and the passwords stolen, hackers can see if the passwords work for other websites, too).

Fortunately, you have options for protecting your passwords and accounts. Here’s a few:

1. Use a password manager. A password manager is an app for your phone or computer that can securely store encrypted passwords so you don’t have to remember all of them. All you have to do is remember your password for the password manager, which you should make as strong as possible. This means you can use very strong and unique passwords for each website without having to remember each one.

2. Write them down. I know, right? You always here it- don’t write down your passwords. But this is where you need to decide which is safer for you. Remember that your online accounts can be attacked by anyone with an internet connection, but gaining access to a notebook or password sheet requires access to wherever it is placed. If you feel you can protect a sheet of paper and know you need to use strong and unique passwords, this might be an option.

3. Write them down, but know the secret. If you feel like writing down your password (and securing it) is an option for you, you can add an extra layer of security by changing the password from the actual one. For example, anyone looking at the password sheet wouldn’t know that you actually added an extra letter to the end. Or that you added 2 to all of the numbers in your password. By changing it, you can not only protect your accounts but you can also get an alert if someone tries to use it.

Whichever you choose, you should always turn on two-factor authentication. Two factor authentication (2fA) requires an additional measure to prove your identity prior to logging in. Sometimes, this can be an app, or it can even be a hardware token that must be present in order to log in. Using 2FA means that even if someone knows your username and password, they still can’t log in without you knowing.

Whatever password solution you choose, we recommend changing all your passwords at the same time if possible. This prevents anyone from leveraging their access to undo the work you’re doing to protect your accounts. And don’t forget to choose the option “log me out of other locations” whenever possible! If someone is in your account without permission, this will kick them out and make sure they can’t log in again.

Period Tracker Apps and Safety

After the recent supreme court ruling overturning Roe vs Wade, many of you are rightfully concerned about your rights, your health, and your safety. One of the ways this has manifested is mistrust of many period tracker apps when you can’t control your data or ensure it’s being properly safeguarded- the worry being that the data will be given or sold to states that are adding criminal penalties for abortions, other losses of pregnancy, and other forms of heath care. Many users have started uninstalling their period tracker apps out of concern, particularly those in such states.

Today, Operation Safe Escape began development of a period tracker app that we will make available for free for Android and iOS. There will be no ads or monetization of any kind. Additionally, the following privacy features are intended to keep users safe and able to make health decisions without compromising their safety or sense of safety:

  • The app will not access the internet for any reason
  • The only data collected by the app will be what the user enters and what is necessary for the app to function on the device. None of this data will ever be sold, shared, or given away. Since even we can’t access it, we couldn’t anyway
  • The information will exist only on the user’s device, not the cloud
  • All data will be encrypted
  • All data on the app will be in control of the user, and the app will allow a quick wipe of the data
  • There will be a space for safety resources and links

Critically, the app will be open source to allow the community (and the users themselves) to know exactly what the app is doing and how their data is being stored. There should be nothing to hide. We will be looking for other ways to protect users from other threats, such as cases where an abusive partner may get access to the device.

More information will be provided as development continues. If you have any input or ideas, please feel free to reach out at [email protected]

Reproduction and body autonomy is a common target by abusers. Reproductive coercion is a form of abuse where the abuser forces the victim to get pregnant or terminate a pregnancy against their will. According to the National Coalition Against Domestic Violence, 25% of domestic violence survivors have experienced this form of abuse. Reproductive health is directly related to domestic violence, and Operation Safe Escape stands against all forms of abuse.

June 28, 2022 update:

The question was asked, why create a new tool versus supporting existing open source projects? That’s a great question.

Historically, we’ve tried both creating our own tools and requesting changes / updates to existing open source ones. We admire and appreciate the open-source maintainers; they keep the world running. But we have to consider and include our primary mission in everything that we do. I this case, ensuring that the users impacted by domestic violence and stalking have their concerns and needs quickly addressed. This is something we want to do to help everyone, but survivors of abuse sometimes have different needs. Our perception of risk doesn’t stop with any government, although this is certainly a concern. We’re not only concerned about government overreach and weaponization of the courts, we’re also concerned about the abuser trying to control the individual’s fundamental reproductive rights. By developing our own tool, change control and approval is less of a concern. For example, including information and resources on reproductive coercion might seem important to us, but might not be a change that’s accepted on another team’s app (not assuming, just an example). Another issue is that abusers adapt quicker than the government does, so the ability to very quickly add new features, information, and tools can make a major difference for a specific set of users. 

Removing Unwanted Network Devices from your Wifi

In some cases, an abusive partner may add new devices to a wireless network in order to monitor and harass their victim. For example, cameras, microphones, smart home devices, and more are relatively easy to conceal and may be used to listen in on conversations.

When the bad actor (that is, whoever is trying to cause harm) has  previously had access to the wireless network, it may be possible that they added those devices to the wireless network to remotely access and receive information. This article will discuss how to identify and remove any unauthorized wireless devices from your wireless network.

If possible, you should look for connected devices any time you’re concerned that your conversations may be being monitored. At the very least, you should follow this process when the abusive partner leaves the home permanently- especially if they had access to the network.

Option 1: Using your router’s browser or web interface

(Please note: logging into the router as administrator will leave a record in the device logs. It will show that the administrator account has logged in, but won’t show who was using it.)

If you’re not familiar, your router is the device, most often provided by your service provider, that connects you to the internet. It’s normally a black or silver box with network jacks on the back, status lights on the front, and it might have an antenna or two on it. If you’re having trouble identifying it, you can always call up your service provider or do an internet search for “[internet provider] router models” (without the quotes).

The router has a web interface that you can access through the browser in order to make configuration changes. The instructions for doing this would have been provided in the documentation that came with the router, but you can also look online if you know the model number. In many cases, the information is on a sticker that can be found on the back or bottom of the router.

You’ll need the device’s IP address to connect to it. Type that number into the browser’s address bar, where you would normally type in a website address. This will take you to the web interface login screen. The username and password, if it hasn’t been changed, will be found in the documentation provided with the router. If it’s been changed or if you don’t know that information, contact your ISP and they’ll help you recover the information. You might also find the default login information online by searching “default login” and your router model number.

The specific location for this information may vary depending on the model and brand of router, but it will generally be under a link, tab, or button called “attached devices,” “connected devices,” or “DHCP clients.” You’ll probably find this on the wifi configuration page or on the status page. This may also be on the main screen for some devices.

  • On may D-Link brand routers, this can be found by clicking Status, then Wireless.
  • On many Linksys routers, you’ll find this option under Status > Local Network > DHCP Clients Table.

The list can be confusing at first, but it will show you what devices are connected to the network. Note that if you’re only looking at the “DHCP” devices, you might not see everything. Make sure to look at anything that shows connected devices. If you’re not sure, refer to the device documentation or contact your ISP.

Looking at this list will give you an idea of what devices are connected to your network. Look for anything unusual or that you don’t recognize. If you see a hostname that looks suspicious, search the web for the recognizable parts of the name to try to get an idea of what it might be.

An example interface showing connected devices. Courtesy how-to-geek.

Note that you are likely to see things you don’t recognize, and in many cases that’s normal. Your phones and computers aren’t the only things you’d expect to find here; you’ll also likely to find your home security system, video game consoles, authorized smart home devices, televisions, and more.

This is a good basic step to take, but it’s not foolproof. Device names can be changed or faked to look legitimate. If possible, additional steps should be taken to make sure you know exactly what’s on your network.

Option 2: Change the WiFi Key

Hopefully, you’re using the strongest encryption available on your device, which may be WPA3 if available. Otherwise, WPA2 should be an option. If neither option is available, contact your ISP for a new router because your current one is likely obsolete and needs to be upgraded or replaced. The type of encryption can be checked on the password settings page.

The good news is once you change your password, it will kick all devices off the network until they’re updated with the correct password. This will effectively remove any unauthorized devices off the network and a good way to ensure only devices you know about and approve are connected. This step should be done as soon as possible, especially since your wireless signal can often reach outside the home.

Refer to your system documentation for any wireless devices that will need to be reauthorized, such as smart TVs, cell phones, home surveillance systems, etc.

Consider reviewing the router configuration page after each device you add, so you’ll recognize it when you check up later.

Option 3: Ask Your Service Provider for Help

If you’re not comfortable or are having trouble logging into the router, contact your service provider and explain to them that you’re concerned about unauthorized devices and unauthorized access. They also have an interest in making sure that no one can use your network without your permission, so they will be able to assist you. They may send out a technician that will help confirm your settings and identify any rogue devices.

Option 4: Reset Your Router

This is the most secure option, because it will restore your router to a known-good configuration and remove any rogue devices.

If you’re not able to access your router’s web interface, you can reset it to the default settings. This will re-enable the default passwords as well, which will be noted in the device documentation, affixed to the router itself, of may be found online.

The process for each device may vary, and can be found in the device documentation or online. In most cases, there’s a small hole on the back of the router that says “reset.” Unplug the device. A small pin or paperclip can be used to press the button inside the hole; hold it down for 30 seconds, then remove the pin. Plug in the device again, and it should be reset to its default configuration.

Note that any custom configurations or passwords, including for WiFi access, will be removed and will have to be re-added.