Spyware

'Selling Surveillance' (Indiana Legal Studies Research Paper No. 495) by Asaf Lubin comments 

There is a vast and growing network of private companies selling spyware—tools and services that provide their clients with unprecedented access to smartphones, laptops, and other internet-connected devices. Investigative reporting and work by civil society have now repeatedly confirmed the systematic abuses of these technologies by government actors to target human rights activists, journalists, and dissidents around the world. 

A large group of UN human rights special rapporteurs, civil society organizations, and members of the European Parliament have recently called for an immediate and global moratorium on the sale, transfer, and use of spyware technologies. The paper argues that such calls are not only impractical, but they are also hypocritical and pose a danger to public safety and the future integrity of our information and telecommunication technologies. Ad hoc litigation and ex post blacklisting and sanctions are similarly inapt in generating sufficient deterrence. 

As an alternative to these flawed approaches, this paper makes the case for an international system to standardize the commercial spyware industry, which I call the “Commercial Spyware Accreditation System” (CSAS). The paper first explains the limits of existing domestic and international regulation—including international export control law, international human rights law, and corporate social responsibility—in constraining the negative externalities of the commercial spyware trade. The CSAS model responds to these limitations by proposing a multistakeholder forum with a set of binding controls, enforced through governmental licensing and contracting, that could mitigate the harms produced by these technologies. The control spans the five stages of the spyware lifecycle: (1) development and investment; (2) marketing and sale; (3) client management; (4) spyware diplomacy; and (5) client and product/service termination. 

Policy makers both in the United States and across the Atlantic are engaging in an ongoing dialogue to develop new international instruments that effectively respond to threat of spyware. This paper aims to provide these regulators with a set of innovative tools that have not been considered before in the literature.

Authentication and Integrity Checking

'The Intrinsic Value of Valuable Paper: On the Infrastructural Work of Authentication Devices' by Aleksandra Kaminska in (2020) Theory, Culture and Society comments

Authentication devices transform cheap paper into legitimate documents. They are the sensory, informational, and computational features that make up valuable papers like banknotes and passports, and they provide the confidence required in moments of exchange and passage. These devices – which include techniques like watermarks and specialized threads, proprietary substrates and inks, or RFID chips – are the product of security printing, an industry that continuously reinvents the possibilities of paper. Importantly, these components protect paper things from counterfeiting, allowing it to function as an original and authentic copy and to do the logistical work of connecting quotidian materials to global networks. The value of valuable papers is therefore not purely extrinsic, socially or discursively established, but is also performed through its intrinsic material qualities. These are the authentication devices that are read, assessed, and trusted as paper things are circulated, and they are what securely connects paper to infrastructures of mobility.

As I tweeted earlier this month, ProctorU, the controversial and widely used online proctoring service (aka integrity platform), has released a Student Bill of Rights.

It is up there with a local retailer's assertion (which I used in a seminar last year) that we all have a 'right to be beautiful' ... sounds good but somewhat unenforceable.

The Bill is presumably a response to growing criticism by university students in several jurisdictions regarding the invasiveness of ProctorU, Proctorio and other invigilation services. The platforms are not new … they have for example been in use outside universities for at least ten years regarding certification of financial advisors and that there is convergence between psychometric testing services and exam invigilation services.

In a forthcoming book chapter on learning analytics I'm drawing on the substantial scholarly literature about such services. They have gained increasing attraction in the mainstream media, particularly as institutions have rushed to embrace online invigilation of exams as part of the COVID-19 transition to online-only teaching. An item in the Washinton Post for example comments 

At the start of a ProctorU test, students are told to show the proctor their student ID cards, their rooms and the tops of their desks to prove they don't have any cheating material at hand. During the test, the proctor listens through the student's microphone to ensure he or she does not ask for help from someone out of view.

 

The proctor gains access to the test-takers' computer screens and receives alerts if they do something unacceptable, like copying and pasting text or opening a new browser tab. A video system analyzes the students' eyes: If they look off-screen for four straight seconds more than two times in a single minute, the motion will be flagged as a suspect event - a hint that they could be referencing notes posted off-screen.

 

To ensure the right student is taking the exam, the software uses facial-recognition software to match them to the image on their ID. Random scans are performed throughout the exam to prevent another test-taker from jumping in.

 

The company also verifies identities with a typing test: A student may be asked to type 140 words at the beginning of the semester, then again just before testing to verify the speed and rhythms of the student's keystrokes. Any discrepancies can be flagged for closer inspection.

 

A human proctor watches every second of an exam, though the student cannot see the proctor's face. In previous versions of the software, the student could see the person watching them, but "the creepiness factor always sort of came up," McFarland said. If a proctor suspects cheating, they alert a more aggressive specialist, or an "interventionist," who can demand that students aim their webcam at a suspicious area or face academic penalty.

 

Proctors typically work out of one of 11 centers across Alabama, California, India, Jamaica, Panama and the Philippines. But with many of those offices closed, the company said, it is opening backup centers in Canada, hiring more than 100 new workers and instructing many proctors to work from home.

Managers in the centres appear to have a disquieting ethic, with the Post reporting

When University of Florida sophomore Cheyenne Keating felt a rush of nausea a few weeks ago during her at-home statistics exam, she looked into her webcam and asked the stranger on the other side: Is it okay to throw up at my desk? He said yes. So halfway through the two-hour test, during which her every movement was scrutinized for cheating and no bathroom breaks were permitted, she vomited into a wicker basket, dabbed the mess with a blanket and got right back to work. The stranger saw everything. When the test was finished, he said she was free to log off. Only then could she clean herself up.

The article states

 

ProctorU, which oversaw 2 million tests last year from more than 750,000 students, has compiled years of data on students' 15 "behavioral cheating types," McFarland said. Students' tests are live-streamed and recorded for later review: The worst offenders, McFarland said, have had their videos edited together into what he called a cheating "Hall of Fame."

 

ProctorU's competitors offer similar anti-cheating surveillance with different strategies. Honorlock, a Florida-based company that CEO Michael Hemlepp said has seen "a massive spike in inquiries," uses software that looks for "attempted dishonesty" and then sends in a human proctor for further review.

 

Proctorio goes further, using a completely software-driven approach. After students consent to letting Proctorio monitor their webcams, microphones, desktops or "any other means necessary to uphold integrity," the system tracks their speech and eye movements, how long they took to complete the test and how many times they clicked the mouse. It then gives professors an automated report ranking test-takers by "suspicion level" and the number of testing "abnormalities." Students deemed untrustworthy by the computer are color-coded in red and given an icon of two shadowy figures, reminiscent of the "Spy vs. Spy" cartoon of Mad magazine fame.

 

Chris Dayley, the director of academic testing services at Utah State University, which uses Proctorio, described the software with a laugh as "sort of like spyware that we just legitimize." And though many students despise the feeling of being watched, Olsen, the company's chief executive, said the discomfort is worth it if it helps protect the tests. "We're the police," he said.

Civil liberties group Public Citizen notes the egregious litigiousness of ProctorU, which appears to have attempted to silence academic criticism in the US by threatening litigation over a range of its critics supposed harms, including copyright, defamation and trade mark infringement. Not, in my opinion, the service provider that you want to partner with. 

As for the Bill of Rights? Privity means it's in essence an expression of puffery ... pretty words that are unenforceable under contract law by Australian students. 

The various services are a data breach waiting to happen.

Partner Surveillance

Installing Fear: A Canadian Legal and Policy Analysis of Using, Developing, and Selling Smartphone Spyware and Stalkerware Applications by Cynthia Khoo, Kate Robertson and Ron Deibert comments

 This report provides an in-depth legal and policy analysis of technology-facilitated intimate partner surveillance (IPS) under Canadian law. In particular, the analysis focuses on a growing marketplace of spyware products that exists online and in major software application (app) stores. These apps are designed to facilitate remote surveillance of an individual’s mobile device use with the surveillance often being covert or advertised as such. Despite increasing recognition of the prevalence of technology-enabled intimate partner abuse and harassment, the legality of the creation, sale, and use of consumer-level spyware apps has not yet been closely considered by Canadian courts, legislators, or regulators. 

Spyware and other forms of technology that facilitate IPS are sometimes referred to as stalkerware. In some circumstances, stalkerware technology is used in an intimate relationship to conduct powerfully intrusive covert or coerced surveillance of an intimate or former partner’s mobile device without their knowledge. Once installed, stalkerware apps allow an operator to access an array of intimately personal information about the surveillance target. The apps can enable real-time and remote access to text messages, emails, photos, videos, incoming and outgoing phone calls, GPS location, banking or other account passwords, social media accounts, and more. Stalkerware apps are sometimes used covertly while, in other circumstances, the technology is used openly to intimidate, harass, or extort the surveillance target. 

Hundreds of spyware apps relevant to IPS are available at the consumer level. Research conducted in Canada and internationally suggests that a significant proportion of women who experience intimate partner violence, abuse, and harassment also report experiences with a range of technology-facilitated abuse, including surveillance and abuse that is enabled by the powerful mobile device spyware apps that are the focus of this report. Despite this troubling context, few reported cases involving spyware-enabled IPS have appeared in Canadian courts, and spyware companies, which profit from the sale of these apps, appear to operate in the Canadian marketplace without being hindered by criminal or regulatory law enforcement. 

This report conducts an in-depth analysis of the criminal, regulatory, and civil law consequences of using, creating, selling, or facilitating the sale of stalkerware technology in Canada. The analysis concludes that the creation, use, and sale of spyware apps that enable covert surveillance of mobile devices can potentially violate numerous criminal, civil, privacy, and regulatory laws in Canada. With respect to the criminal law, notably, purchasing and selling spyware that is primarily useful for surreptitiously intercepting private communications (as many of the major consumer-level spyware products do), likely constitute a criminal offence in Canada. These offences expose vendors and operators of spyware products to the risk of criminal law consequences, such as jail. 

Operators of stalkerware are also subject to civil liability if they are found to have perpetrated a tort (wrongful act). Targeted individuals may bring a cause of action (lawsuit) against an operator on legal grounds of: invasion of privacy, public disclosure of private facts, breach of confidence, and intentional infliction of mental suffering (IIMS). We also briefly discuss non-intentional torts and assess the emerging novel tort of harassment as a potential additional response to stalkerware. Our legal analysis found that the act of making and selling—as opposed to using—spyware products likely also runs afoul of both criminal and product liability law with respect to dangerous or defective product design. We also review the applicability of non-binding instruments such as the United Nations Guiding Principles on Business and Human Rights and industry efforts at self-regulation, including ethical codes and internal worker resistance in the technology sector. We consider, briefly, the limited applicability of intellectual property laws to impeding the creation and dissemination of stalkerware. Canadian consumer privacy and data protection law, governed by the federal Personal Information Protection and Electronic Documents Act (PIPEDA), and substantially similar provincial legislation, includes several provisions regarding informed consent, notice, and appropriate purposes that would apply to stalkerware businesses and likely render their activities unlawful. We find that PIPEDA includes three potential exceptions, or loopholes, that may allow stalkerware vendors to circumvent accountability. We recommend that the Office of the Privacy Commissioner of Canada or federal and provincial legislators take action to close these potential gaps. 

App stores and web platforms that sell apps to consumers also play a role as intermediaries that can facilitate sales of stalkerware through their platforms. Despite active efforts by companies such as Apple and Google to enforce app developer policies and agreements against such apps, research shows evidence of a continued, albeit decreased, presence and availability of stalkerware on popular app stores. We recommend that all app stores clarify their relevant policies and revise developer terms of agreement regarding user privacy, consent, security, and malicious behaviour to expressly state that such protective policies apply to the individual whose data is being collected, processed, or disclosed by the app in every case, instead of referring simply to a generic ‘user’. The generic term ‘user’ can inappropriately or incorrectly be interpreted as referring to the stalkerware operator rather than the targeted individual. 

Despite the available data about the prevalence of IPS and technology-facilitated abuse and harassment in Canada and its impact on victims and gender equality rights more broadly, there appears to be a significant measurable gap between what the law dictates about such conduct and whether legal remedies are readily available to victims in practice. One complicating factor is that many spyware apps market themselves as, or are genuinely intended as, apps for ostensibly legitimate purposes, such as child and employee monitoring. Such apps are then repurposed into stalkerware for abusive purposes. Similar repurposing occurs with non-spyware apps or built-in phone features such as a GPS tracker, which abusive operators may manipulate or repurpose into stalkerware. We discuss this dual-use nature of spyware technologies, and critique the legitimacy of dual-use spyware even where such technology is used to surveil children or employees. 

The report concludes by recommending a range of measures that relate to public legal education, law reform, heightened investigative and regulatory scrutiny of consumer spyware markets, and enhanced training and resources for law enforcement, regulators, and other justice system participants who are tasked with enforcing Canada’s laws. Given stalkerware’s inherent dangers and invasive capabilities and the documented association between stalkerware apps and intimate partner violence and gender-based abuse, justice system participants and the private technology sector bear a responsibility to establish and reinforce a web of meaningful restraints that address and remedy the harms of stalkerware, both in law and in practice. 

Our purpose in this report is to contribute to greater substantive efforts to address technology-facilitated gender-based abuse in Canada, beginning with the harms and violence that stalkerware enables through its covert or exploitative surveillance of targeted individuals. The critical analysis provided in this report is designed to enhance public understanding of legal remedies, policy considerations, and human rights concerns associated with stalkerware. The report is also designed to provide assistance to policymakers, legal professionals, academics, community workers, and advocates who are trying to support victims or navigate the complex implications of this technology.