Installing Fear: A Canadian Legal and Policy Analysis of Using, Developing, and Selling Smartphone Spyware and Stalkerware Applications by Cynthia Khoo, Kate Robertson and Ron Deibert
This report provides an in-depth legal and policy analysis of technology-facilitated intimate partner surveillance (IPS) under Canadian law. In particular, the analysis focuses on a growing marketplace of spyware products that exists online and in major software application (app) stores. These apps are designed to facilitate remote surveillance of an individual’s mobile device use with the surveillance often being covert or advertised as such. Despite increasing recognition of the prevalence of technology-enabled intimate partner abuse and harassment, the legality of the creation, sale, and use of consumer-level spyware apps has not yet been closely considered by Canadian courts, legislators, or regulators.
Spyware and other forms of technology that facilitate IPS are sometimes referred to as stalkerware. In some circumstances, stalkerware technology is used in an intimate relationship to conduct powerfully intrusive covert or coerced surveillance of an intimate or former partner’s mobile device without their knowledge. Once installed, stalkerware apps allow an operator to access an array of intimately personal information about the surveillance target. The apps can enable real-time and remote access to text messages, emails, photos, videos, incoming and outgoing phone calls, GPS location, banking or other account passwords, social media accounts, and more. Stalkerware apps are sometimes used covertly while, in other circumstances, the technology is used openly to intimidate, harass, or extort the surveillance target.
Hundreds of spyware apps relevant to IPS are available at the consumer level. Research conducted in Canada and internationally suggests that a significant proportion of women who experience intimate partner violence, abuse, and harassment also report experiences with a range of technology-facilitated abuse, including surveillance and abuse that is enabled by the powerful mobile device spyware apps that are the focus of this report. Despite this troubling context, few reported cases involving spyware-enabled IPS have appeared in Canadian courts, and spyware companies, which profit from the sale of these apps, appear to operate in the Canadian marketplace without being hindered by criminal or regulatory law enforcement.
This report conducts an in-depth analysis of the criminal, regulatory, and civil law consequences of using, creating, selling, or facilitating the sale of stalkerware technology in Canada. The analysis concludes that the creation, use, and sale of spyware apps that enable covert surveillance of mobile devices can potentially violate numerous criminal, civil, privacy, and regulatory laws in Canada. With respect to the criminal law, notably, purchasing and selling spyware that is primarily useful for surreptitiously intercepting private communications (as many of the major consumer-level spyware products do) likely constitute a criminal offence in Canada. These offences expose vendors and operators of spyware products to the risk of criminal law consequences, such as jail.
Operators of stalkerware are also subject to civil liability if they are found to have perpetrated a tort (wrongful act). Targeted individuals may bring a cause of action (lawsuit) against an operator on legal grounds of: invasion of privacy, public disclosure of private facts, breach of confidence, and intentional infliction of mental suffering (IIMS). We also briefly discuss non-intentional torts and assess the emerging novel tort of harassment as a potential additional response to stalkerware.
Our legal analysis found that the act of making and selling—as opposed to using—spyware products likely also runs afoul of both criminal and product liability law with respect to dangerous or defective product design. We also review the applicability of non-binding instruments such as the United Nations Guiding Principles on Business and Human Rights and industry efforts at self-regulation, including ethical codes and internal worker resistance in the technology sector. We consider, briefly, the limited applicability of intellectual property laws to impeding the creation and dissemination of stalkerware.
Canadian consumer privacy and data protection law, governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and substantially similar provincial legislation, includes several provisions regarding informed consent, notice, and appropriate purposes that would apply to stalkerware businesses and likely render their activities unlawful. We find that PIPEDA includes three potential exceptions, or loopholes, that may allow stalkerware vendors to circumvent accountability. We recommend that the Office of the Privacy Commissioner of Canada or federal and provincial legislators take action to close these potential gaps.
App stores and web platforms that sell apps to consumers also play a role as intermediaries that can facilitate sales of stalkerware through their platforms. Despite active efforts by companies such as Apple and Google to enforce app developer policies and agreements against such apps, research shows evidence of a continued, albeit decreased, presence and availability of stalkerware on popular app stores. We recommend that all app stores clarify their relevant policies and revise developer terms of agreement regarding user privacy, consent, security, and malicious behaviour to expressly state that such protective policies apply to the individual whose data is being collected, processed, or disclosed by the app in every case, instead of referring simply to a generic ‘user’. The generic term ‘user’ can inappropriately or incorrectly be interpreted as referring to the stalkerware operator rather than the targeted individual.
Despite the available data about the prevalence of IPS and technology-facilitated abuse and harassment in Canada and its impact on victims and gender equality rights more broadly, there appears to be a significant measurable gap between what the law dictates about such conduct and whether legal remedies are readily available to victims in practice. One complicating factor is that many spyware apps market themselves as, or are genuinely intended as, apps for ostensibly legitimate purposes, such as child and employee monitoring. Such apps are then repurposed into stalkerware for abusive purposes. Similar repurposing occurs with non-spyware apps or built-in phone features such as a GPS tracker, which abusive operators may manipulate or repurpose into stalkerware. We discuss this dual-use nature of spyware technologies, and critique the legitimacy of dual-use spyware even where such technology is used to surveil children or employees.
The report concludes by recommending a range of measures that relate to public legal education, law reform, heightened investigative and regulatory scrutiny of consumer spyware markets, and enhanced training and resources for law enforcement, regulators, and other justice system participants who are tasked with enforcing Canada’s laws. Given stalkerware’s inherent dangers and invasive capabilities and the documented association between stalkerware apps and intimate partner violence and gender-based abuse, justice system participants and the private technology sector bear a responsibility to establish and reinforce a web of meaningful restraints that address and remedy the harms of stalkerware, both in law and in practice.
Our purpose in this report is to contribute to greater substantive efforts to address technology-facilitated gender-based abuse in Canada, beginning with the harms and violence that stalkerware enables through its covert or exploitative surveillance of targeted individuals. The critical analysis provided in this report is designed to enhance public understanding of legal remedies, policy considerations, and human rights concerns associated with stalkerware. The report is also designed to provide assistance to policymakers, legal professionals, academics, community workers, and advocates who are trying to support victims or navigate the complex implications of this technology.