Stalkerware sees all, and US laws haven't stopped its spread
Installing hidden spy software is illegal, so why is it so easy?
Carlos Enrique Perez-Melara wrote software in San Diego before he became a fugitive from the FBI. According to federal charges, he had sold hundreds of copies of software he wrote called Loverspy, promising users that 99.9% of people would be unable to detect the software as it surveilled everything they did on their computers.
The program, an early example of software that has flourished in a legal gray area, let users secretly intercept their partners' emails, turn on their webcams and read chat conversations. The software came in an email, which told its targets to open an attached e-card. Before Perez-Melara was charged with violating federal wiretap laws, the software had allegedly infected the computers of about 1,000 victims.
Perez-Melara, who was placed on the FBI's Cyber Most Wanted list in 2013, is still at large. Applications like Loverspy, which give others access to your email, log what you read online and record using your microphone or camera, have proliferated into the tens of thousands since he was charged.
These days, the apps, broadly known asor spyware, are designed to work on phones too, which now hold the keys to people's entire lives. Although it's illegal to sell apps that exist primarily to secretly spy on adults, the laws governing these sales are narrowly tailored and let many app makers operate legally. Additionally, law enforcement agencies struggle to effectively investigate when victims bring their devices in with concerns over stalkerware due to lack of training and resources.
Cases against spy software makers, and their customers, remain rare 15 years after the indictment against Perez-Melara. The software maker, whose last known location was his home country of El Salvador, according to the FBI, has no lawyer listed in court records and couldn't be reached for comment.
The apps have long been linked to domestic violence and tragedy. A woman in Minnesota was held captive and assaulted for hours by her boyfriend in 2014 after he tracked her movements and listened to her through a microphone with a spyware app. In the same year, the National Network to End Domestic Violence found that 52% of domestic violence service organizations said that GPS tracking apps were a concern for their clients.
While location tracking presents the most immediate danger to survivors of domestic violence, the privacy violation of stalkerware is also a major burden for targets, said Erica Olsen, who directs the safety net program at the National Network to End Domestic Violence. "There's essentially nothing you can do with or around your device that doesn't have the potential to be seen by somebody else," she said.
Some progress has been made in stopping stalkerware. Antivirus companies have begun a concerted effort to identify stalkerware apps on phones and give users more specific warnings. Now many of them have joined the Coalition Against Stalkerware, a group of domestic violence advocacy organizations and cybersecurity companies that aims to raise awareness of the problem and create best practices for identifying stalkerware and warning targets.
But despite calls for change by legal experts, advocates and even lawmakers, it's very challenging to stop the sale of the apps and catch the people who use them to secretly track targets.
Catching a spy
When someone takes a phone they worry has stalkerware to the police, there's no guarantee officers will be able to help. Many police departments lack the training and tech needed to find stalkerware, said Bryan Franke, an officer who conducts forensic investigations for the Longmont Police Department in Colorado and trains officers in other departments how to search for stalkerware.
It's difficult for investigators to find the apps on phones, he said, because that requires access to expensive software. Franke tells his trainees they can reach out to nearby departments with more resources, but he acknowledges many law enforcement agencies are overloaded with requests for forensic analysis on tech.
There are only so many forensic tech tools available for all investigations, including murder and organized crime. "We've unfortunately reached a point where now we're having to triage all the bad and focus on what's really bad," Franke said.
At least one federal investigation has led to charges against someone for installing stalkerware. The defendant, who pleaded guilty, was charged with putting the software on a police officer's device as part of an identity theft racket.
It's hard to know how many people have been charged with crimes at the state level for using stalkerware. Additionally, the number of cases wouldn't reflect how common the use of stalkerware is, because few investigations go after someone just for installing the software, said Richard Kaplan, a criminal defense attorney in California.
"These cases are really only going to get prosecuted if there's some other more serious underlying crime," he said.
Prosecuting app makers
It's illegal to sell spy software that's primarily meant to secretly tap phones, record private conversations or steal emails under federal wiretapping law, and many state laws, too. Nonetheless, stalkerware app developers are hard to prosecute and often assert they are legitimate businesses.
The problem, legal experts say, is the word "primarily." Many apps advertise themselves as child-monitoring services, and parents don't need consent from their minor children to install secret software on their phones. (Employers, too, can monitor workers' devices with the software, though they must get consent.) So while bad actors can abuse the apps to stalk people, the reasoning goes, that isn't necessarily a stalkerware apps' primary purpose.
Laura-Kate Bernstein, a prosecutor with the US Department of Justice, said that leaves app manufacturers free to say, "Don't use it for any other purpose, wink and nod."
A 2014 indictment of app maker StealthGenie led to a guilty plea in 2015. But that didn't lead to other app makers running away from the business. "What we really saw as fallout of that prosecution was that a lot of stalkerware app makers muddied up their websites, and made it less clear that the apps are primarily useful for surreptitious interception," Bernstein said.
The same challenge applies to regulators at the US Federal Trade Commission, which enforces federal consumer privacy laws. The agency considers it an unfair and deceptive practice to market and sell products that undermine consumer privacy, and has gone after app makers before. However, the agency can only penalize companies for failing to ensure their apps aren't primarily used for secret, illicit spying, and can't stop them from selling the apps altogether.
In an October 2019 settlement with app maker Retina-X, the agency required the company to make it more clear to purchasers that they must get consent from adults before installing the software on their devices, in addition to displaying an icon on the phone that's being monitored with the name of the app.
Law professor Danielle Citron of Boston University, who has studied stalkerware, applauded the settlement, which she said sets a mold that similar apps must fit to comply with the law. But she found one part of the agreement weak: Retina-X agreed to get a written statement from purchasers that they wouldn't use the app for illegal purposes.
Instead, Retina-X should have been required to say, "We won't sell a product that's hidden," Citron said. (Retina-X shut down in 2018 after being repeatedly targeted by hackers.)
What monitoring software should look like
Kevin Roundy, a cybersecurity researcher at antivirus maker NortonLifeLock, agrees that no commercial monitoring app should be able to hide from the device's user. That's why he's developing new methods to detect stalkerware, and why the company's antivirus software alerts users when it detects the invasive software on their phones.
Legitimate apps are possible, he says, but only if the software is plainly visible on phones. Just as importantly, they should persistently remind users that their devices are being monitored. Software makers can't make stealthy apps and look the other way when customers abuse them.
"If they don't take action to make it unusable in those cases," Roundy said, "then they really are complicit."
Off the hook
Many app makers are no longer as obvious as Loverspy maker Perez-Melara was back in 2005 that their software can be used to track the activity of romantic partners, but some of them retain traces of the industry's origin.
For example, an app on the Google Play store called Family Locator (Safe Zone) offers a service to track the location of children. The app, made by a developer called SoftSquare InfoSoft, doesn't appear to offer any stealth spying tools. But an archived version of the app's page on the Play store shows that the app used to be called GirlFriend Cell Tracker.
The 2017 product description offered services that appear to be in violation of Android developer rules. "In premium feature, admin user can access phone call logs and SMS of their girlfriend or boyfriend," the older app description said. SoftSquare InfoSoft didn't reply to a request for comment. Google declined to comment directly on this app, and referred CNET to its policies banning spy apps.
As for Perez-Melara, he's no longer on the FBI's Cyber Most Wanted list. He was arrested in El Salvador and removed from the roster of wanted criminals, an FBI spokesperson said, but the Salvadoran Supreme Court issued an order denying his extradition in 2017. He remains a fugitive from US law enforcement.