The role of empathy in the fight against stalkerware

8th Mar, 2022 | #16

In today’s social media-dominated world, the word stalking has been flipped to mean being harmlessly followed online, getting a ‘like’, getting a retweet, having your profile viewed constantly, among others. In fact, some even see it as a good thing because it shows how interesting one’s life is. But, that’s just one side of the coin.

The other side is dark. Stalkers use technology to abuse their victims emotionally by tracking and controlling their every move – everyone they call, text, or share intimate details with. It's a tactic abusers use to scare, deter, control, or hurt people by stripping away their privacy.

While it may start off as harmless in many cases, it can end very violently, as we’ve seen. And by this, I mean kidnappings, domestic abuse, extortion, and exposing private information, among others.

However, there are solutions that can prevent unauthorized access to personal devices or alert you if you are already being spied on.

Our guest today is Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation and co-founder of the Coalition Against Stalkerware. Inspired by victims who reached out for help, Eva has been helping people identify and secure their devices against stalkerware applications.

In this episode, you’ll hear about who uses stalkerware and why – and what is being done to keep our devices secure from this kind of tracking and intrusion. You’ll also learn more about the people working behind the scenes to help victims and prevent future attacks. Additionally, you’ll get straightforward examples of how empathy gives cybersecurity a higher and even more important role than you realize it has.

In this episode, you will learn:

  • How empathy for victims led Eva to advocate for stalkerware detection, removal, and blocking (01:11)

  • The people that Eva works with and their contribution to helping those most vulnerable (06:27)

  • A personal experience that led Eva to analyze and fight against stalkerware (10:12)

  • How she approaches the stalkerware conversation when talking to non-technical people (18:45)

Guest


Eva Galperin

Eva Galperin is the Electronic Frontier Foundation’s Director of Cybersecurity.

Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley and earned degrees in Political Science and International Relations from SFSU.

Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF’s Tor Relay Challenge, to writing privacy and security training materials (including Surveillance Self Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, and Kazakhstan.

She also founded the Coalition Against Stalkerware in response to the growing threat of stalkerware, which is often used to facilitate partner surveillance, gender-based and domestic violence, harassment and sexual abuse. The Coalition seeks to combine its partners’ expertise in domestic violence survivor support and perpetrator work and in digital rights advocacy to address the criminal behavior perpetrated by stalkerware.

Transcription

[00:42] Dave Smyth: In today's episode, Andra talks to Eva Galperin, Director of Cybersecurity at the Electronic Frontier Foundation, and cofounder of the Coalition Against Stalkerware. The conversation covers how and why empathy is crucial to Eva's work, the catalyst for her to start working in the stalkerware space, and the importance of setting boundaries when working in an area like this. Let's jump right in.

[01:11] Andra Zaharia: I wanted to dive right in and ask you about the very difficult and very complex work that you're doing around stalkerware, around raising, not just awareness of it, but trying to inspire companies to get them to actually act, detect, remove, block spyware from their marketplaces, from people's devices, and so on and so forth. So, I wanted to ask if there's a place for empathy in this work, and what that looks like. It is obviously rooted in empathy, but what does that specifically look like when we're talking about stalkerware?

[01:48] Eva Galperin: I think that empathy is really at the center of the work that I'm doing. A lot of the time when we talk about cybersecurity, we talk about securing systems, and we talk about securing accounts, and we don't really talk about securing people. My approach to cybersecurity is very people-first. And the people who come to me are often people who have been through a lot. They don't necessarily know what is wrong, they can't give me straightforward answers. It may take several attempts in order to help to fix their problems. And it's really important not to gaslight them, and to approach their problems, again, with empathy, but really with what is called a trauma-centered approach; with an understanding of how trauma affects the body and the mind, and how to not worsen that trauma while trying to make things better. And I think that that's something that we really don't teach a lot in cybersecurity because we'd like to pretend that cybersecurity is just about machines and accounts, not the people behind them.

[02:58] Andra Zaharia: That is absolutely true. And this is why I think that your work stands out so well in this industry, and well beyond that; simply because you tackle a specific problem, first of all, that people have no idea exists, most people don't even realize this is a thing. They don't realize how deeply rooted and how damaging it truly is on multiple aspects. And I think that bringing stalkerware into the mainstream conversation around topics in cybersecurity and technology, in general, actually helps people connect and empathize with those emotional consequences that it creates. So, I'm sure that, obviously, it’s – and I know you've written about this in the past, and you've talked about it – taking on this burden from people and listening to their stories. And you received hundreds, and what I know is there are thousands of these stories; how do you practice self-empathy? How do you manage to stay healthy and to avoid being depleted emotionally and mentally while trying to help these people? Because this is extremely, extremely difficult work to do.

[04:09] Eva Galperin: Oh, bold of you to assume I have maintained any level of health or boundaries. It's been sort of an up and down process, not gonna lie. I think it's really important for the people who do this work to acknowledge that we are not perfect creatures who are able to maintain our boundaries or are unaffected by the people who come to us and the stories that they have. And particularly, the cases in which we cannot help, those are really the ones that get to me, and from which I need some time off. But what has helped me when I have managed to successfully help myself is to set boundaries around the times that I am doing this to essentially not let it creep into all of my free time. And also to step away from the hero model, from the notion that “I am the only person who can help these people, and therefore, I must drop everything right now in order to do it.” I am not the only person who does this work. I'm not even the only person in my community who does this work. And I will happily message the other people in this field sometimes if I don't have the time or I don't have the emotional bandwidth and simply tell them, like, “Listen, I have a case, I have somebody who needs help and I don't have the bandwidth to take care of it right now. Would you be willing to pick it up?” And probably the best thing about this space is the extent to which the people working in it really take care of each other. I think that that is what helps us get through this very difficult work. And having said that, it's not just difficult, it's also really gratifying. When you actually manage to give someone who has been terrorized peace of mind and an understanding of the shape of the surveillance around them, when their abuser has been working in order to make it seem as if they are omniscient and omnipotent, it's really empowering for the survivor. And that's really satisfying, that is my favorite part about this work. When someone comes to you feeling helpless, and they leave feeling empowered and safe and ready to take action; that's really why I keep doing this.

[06:27] Andra Zaharia: I think of just perfectly summarizing what an ideal experience and interaction with cybersecurity could look like. This is exactly the kind of, let's say, emotional memory that we want to leave people with, ideally, around security technology in general. This feeling of ownership over your own identity, over your own actions and behavior, and the data and the details that it produces. And then to which extent you are aware of these things and realize that you have control over some and not so much over others, but you're okay with that because you know that they're going on. So, I think that is a very powerful statement. And I particularly resonated with how you emphasize the kind of connection and almost emotional intimacy between people that resonate with the same principles, people who work in the cybersecurity industry in various roles. So, I was wondering if you could share with us, what these people look like. Because what I find challenging is sometimes to share with others who have no relation to technology or security, how they first, and how people in all sorts of unexpected roles that aren’t visible anywhere, do a lot of important work, a lot of emotionally intense work to help others. So, who are these people? What do they look like? And what roles might we find them in? 

[08:01] Eva Galperin: They really run the gamut. I definitely talk with people who run entire support organizations devoted to domestic abuse, people who are devoted to fighting domestic abuse. I always have this weird thing where it trips me up when we talk about, say, investigating malware. And say you're in malware – actually, you're against malware. In this case, we're not in domestic abuse, we are against domestic abuse. It gets a little bit tricky. So, people who work directly in the field of supporting survivors of domestic abuse, people who work in training those people and also training people in law enforcement, people who do outreach to universities, but also people who simply work in cybersecurity during the day and actually care about these issues. There are entire networks of people who simply go to the same conferences, who are the people that someone will go to if they're having a problem in the community, and we all talk to one another. There is definitely a vast whisper network. But there are also problems with whisper networks; we cannot rely entirely on whisper networks and these informal connections in order to help people. Because the people who usually get left out of whisper networks are the people with the least power than people who belong to marginalized communities. It's more likely to be women of color, people who are new to the community, people who don't have a lot of power in the community; they're the ones who aren't immediately going to know who to talk to. And so we have to acknowledge the limits of whisper networks even while we use them. So, there's also a lot of that. I work with a lot of people who are essentially security researchers during the day, or who do privacy or security activism during the day. In some ways, their day job doesn't necessarily prepare them for this, but it doesn't make them care about it a lot. And so they do the work that they need to do in order to be prepared to help people.

[10:12] Andra Zaharia: To me, it's very interesting to see how some of these people's, let's say, paths or journeys, if you've been in the space for a while and you have some favorite people that you connect with in some sort of way, you see the spectrum of the things that they care about slowly expand to incorporate more and more people, and their spirit grow and become even more generous. And I know that, obviously, it's not a generalization, there are plenty of issues in cybersecurity that we all talk about. But I do believe that we need to emphasize good examples just to show what good behavior looks like, and how it helps, and how it has these ripple effects through the entire ecosystem. So, I was wondering specifically about your story because, obviously, what most people leave on there is that when you go into cybersecurity, you care about a technical career, technical path. So, is there any inflection point that you remembered that made you care particularly about the issue of stalkerware, or even before that, a particular inflection point that led you to this path to end up working with the Electronic Frontier Foundation and do all of this incredibly important work around supporting people's digital rights and so many things on top of that?

[11:42] Eva Galperin: Well, I would like to tell you that this was the result of very carefully thinking out my life plan and my career, but that would be a lie. I started at EFF, working on internet censorship on the international team. This wasn't my first job at the EFF, but this was my introduction to doing international work. And my work in internet censorship led me into tracking APTs and looking at the ways in which journalists and activists are being threatened by authoritarian governments online. And this was at a time when people were really starting to move from their computers to mobile devices, and so we were seeing some of the first state-sponsored mobile malware. And we were really starting to see governments that we did not expect moving into this space. We took it for granted that Five Eyes, Russia, Israel, even North Korea were all players, China was a player. But people were not looking for malware from Vietnam, or from Kazakhstan, or from Lebanon. And as it became easier and easier to deploy these kinds of capabilities, we started to see it being used by more and more authoritarian regimes that we didn't usually think of as being players in this field. This was a long time ago. So, there I was, working on APTs, when it turned out that the researcher with whom I had been doing the majority of my work was a serial rapist. And I read an article in Vice magazine, that was an interview with one of his survivors, and also with some of the other people who had been around her at the time, and they were all terrified. They were all absolutely scared of this guy. And the thing that they were scared of was that he was going to compromise their computers, or he was going to compromise their phones, because apparently, this was something that he had been threatening to do. I got so mad. I was absolutely livid. And so I tweeted that if you were a woman who had been sexually assaulted by a hacker and wanted somebody to take a look at your devices, that you could contact me and I would make sure you'd get a forensic analysis.

[14:04] Eva Galperin: And that's sort of what started this whole journey. Basically, I wanted to help this one woman who had been through so much, and I didn't want anyone to ever feel that scared again. And instead of having this turn into a tweet and have a couple of people come up and talk to me afterwards, I got thousands of responses. This thing was retweeted for more than a year. I ended up helping a lot of people. And I really want to emphasize that it's not just women. Even though my tweet said, “If you're a woman who has been sexually assaulted by a hacker,” that about two-thirds of the people who came to me are women, and about a third of them are men. And I don't think we talked enough about how domestic abuse, and tech-enabled abuse, and this kind of surveillance is not just a women's issue. There is such a stigma for men surrounding abuse, where they're usually characterized as the abusers, and it is considered to be a tremendous shame to come out as someone who has been on the other end of that dynamic. I really want to create a safe space for men, women, and non-binary people to talk about these issues. So, yeah, I really push back against this whole notion that it's just men who are abusers and it's just women who are survivors because it's really simplistic and it's simply not true. 

[15:39] Eva Galperin: So, there I was, suddenly inundated with a bunch of requests for help. And I was getting really tired, so I spent some time thinking about what I could do in order to change the industry; ways in which we could move the needle in order to make it less necessary for people like me to sit there staring at pcaps, wondering what the hell is happening on a device. And there is an entire industry around finding things you don't want on your device that are on your device, and that is allegedly the antivirus industry. So, I went to the antivirus industry, and I did a quick check to see how good the top antivirus products were at detecting the most common stalkerware that I could find. The stalkerware that would come up when I would just search for spying on my girlfriend's phone: How do I spy on my girlfriend's phone? How do I spy on my boyfriend's phone? How do I catch a cheating spouse? All that kind of thing. And on average, they were not very good at picking this stuff up. I had, on average, about a 60% hit rate, and that's just disappointing. So, I went to the AV companies and I said, essentially, “Hey, you guys, there's an entire class of malicious app out there, and you do a lousy job of detecting it.” We could go into why, but I think that why is not nearly as important as the fact that once I got one company on board, which was Kaspersky, a bunch of other companies got on board, and it suddenly became very normal to go and seek out stalkerware, and write signatures for it, and to stay on top of the stalkerware industry, and to create the expectation that stalkerware is one of the things that your AV product is going to protect your device from. So, I was very happy to see that.

[17:33] Eva Galperin: The research into how well all the AV companies are doing at this is still ongoing because you always have to keep the pressure on. But that really changed the game a lot. And we've seen, additionally, actions by governments. For example, the FTC has taken action against two different stalkerware companies in the last couple of years: SpyFone and Retina-X. And most recently, as in yesterday, there was some research published in TechCrunch by Zack Whittaker, about an entire network of stalkerware apps run by a company in Vietnam called 1Byte, which were all insecure. So, they all shared the same security vulnerability that made it really easy to exfiltrate all of the data that was being covertly collected. So, that is a really big problem. And Zack spent a bunch of time trying to alert the companies to this vulnerability, and they were non-responsive, and their web host was also non-responsive. And so he finally published this report. But it's my hope that the next step is that the FTC will take action, because this is exactly the sort of thing that the FTC has taken action about before.

[18:44] Andra Zaharia: You've inspired tremendous change. And to me, it is fantastic, what you have been able to do, and all of the people who care about this, and all of the people who care about it enough to actually do something about it. I feel like in the past two years since you brought this up, and since I've been following it and tried to pass this information on, there's been a tremendous, let's say, level of awareness that has really spiked. And I think that this is incredibly important, and equally or even more important, is like you said, to maintain this in the public conversation, to maintain this in the public eye. And consistently take action because, obviously, there will always be people who try to make a profit out of anything. And it's as much of a cliche as it is, it's never been easier to just manipulate technology to do whatever malicious or unethical thing it can do. So, I think that these examples are so powerful. And the fact that people are talking about this, I think, that really broadens their understanding of these issues; who it affects and how it connects technology to our real lives in a way that's very palpable, in a way that's very personal, which doesn't often happen in spite of people being glued to their phones 24/7. So, I really appreciate you bringing nuance into the conversation and expanding the space to include as many people as possible that really, truly, need our help to navigate whatever life and technology throws at them, with them being unprepared, and honestly, not being experts because…

[20:32] Eva Galperin: I guess, you don’t have to be. 

[20:34] Andra Zaharia: Exactly. So, there's this strong emotional connection that people have when they click with a topic that they really care about, but it's equally difficult. As much passion as you put into it, sometimes it's really difficult to get other people to care about it. And what I believe that the EFF has been constantly doing really well and increasingly well, over the last few years, is getting people to care about things like censorship, and abuse through technology, and infringement on just a broad range of our rights and across the world. And I was wondering what we might be able to learn from; how you and the rest of the EFF team do things there, and how you use empathy to create a more familiar territory from an emotional standpoint as a counterbalance to using fear, uncertainty, and doubt, which are still a big trigger for people?

[21:33] Eva Galperin: A lot of the time when I'm brought in to talk about stalkerware to a non-technical audience, the response that I get the most often is: “Well, now I'm terrified.” I try really hard to push against that because I think that terrified people don't act, terrified people often become frozen. They engage in privacy and security nihilism, which is, “Everyone can see everything all the time anyway, why should I bother taking any kind of action?” I don't want people to be afraid, I want people to be angry. Anger gets things done, empowered people get things done, and scared people freeze. So, it's really important when speaking out about an issue, not only to show up with the facts, but also to show up with things that people can do, with concrete actions that people can take today, if they care about this issue. Because otherwise, all you're really doing is lecturing a bunch of folks, and they will forget everything that you have said as soon as you walk out of the room. So, I think really the most important thing when you're connecting with people is to give them things to do, and to make them part of the community who are taking action about an issue, instead of just people who have sat through a talk.

[22:59] Andra Zaharia: That is truly powerful. And every time that I see people just reacting to – “Show, don't tell” always works, obviously. And it still works because our biology hasn't evolved enough to keep up with our technologies evolving. I truly believe this. It's not something that's derogatory to people in general, I just think it's a reality we need to accept and work with. So, this power of example is, obviously, very persuasive, and I see that all the time in the way that people react to your tweets, for example, in the way that people react when they used to be in a room when you presented on a topic. And I had the pleasure to be there and see people's emotional, very visceral reaction to these stories and to these realities and truly connecting with them because nothing else was interrupting them, and they had a direct line to all of these stories. I truly believe in wanting to emphasize the power of what you said; of taking action because that's when things stick, that's when we remember things, that's when they become etched into our brain, into our emotional universe. And we actually start our own journey. And I truly believe that studying or trying to understand cybersecurity concepts can be very helpful for your personal growth. There are plenty of aspects that are worth exploring, and studying, and understanding that can help you across your entire life, not just staying safe online on the internet. So, besides this palpable impact, I was wondering if you have other examples of where empathy makes a real difference – a difference you can almost touch – in technology and how it influences our entire lives.

[24:55] Eva Galperin: Well, I actually have a somewhat old and more obscure example, which was that once upon a time, the internet was not encrypted. If you went to the top of your browser and you looked at the URL, it started with the letters “http://”. And this meant that anybody else who was sitting on the network could see all of your network traffic. That seems bad now, that just all makes us wince. And it turned out that this was particularly useful for people who, say, controlled telcos, and governments, especially authoritarian governments, but even the US government. It turned out that the NSA was secretly keeping copies of all of the traffic that was going through the United States. They had a secret room inside of various telco facilities, including one at AT&T on Folsom Street, down the street from the EFF office as if to taunt us. And this was a tremendous amount of information that they were gaining about people from looking at their web browsing. The American government was doing it, and a bunch of authoritarian governments also really enjoyed this sort of thing. And, obviously, the way to fix it was HTTPS – all websites should use HTTPS, and they should use HTTPS by default.

[26:17] Eva Galperin: This turned out to be a surprisingly uphill battle. I spent a bunch of time going to platforms like Twitter and Facebook, and saying, “Hey, you should move to HTTPS by default.” And what they would tell me is, “Why?” I would say, “Well, because governments are spying on journalists and activists.” And what they would tell me is, “Journalists and activists are an edge case.” And then the Arab Spring happened, and the company said, “Well, fine, we will have HTTPS by default in Tunisia, or in Syria, or in Egypt. But surely, we don't need it in the rest of the world; places that are not actively in the middle of uprisings.” And slowly, at least, partially through empathy, we managed to convince the companies that HTTPS by default was the way to go, that journalists and activists are not edge cases, that everybody deserves to have their browsing be secure at the transport layer by default. And this is now the expected behavior of all of your browsing traffic, which is a really big change that has happened over the last decade. If you tell people now that only journalists or activists or people who are in conflict zones need to have transport layer browser security, they would tell you that you are crazy because their ideas about how just a default level of security and privacy in your browsing have changed.

[27:57] Andra Zaharia: I feel like we take them so easily for granted, big changes like these in technology. It’s obviously because most people don't even notice they happen, and they don't know how impactful and important they really are. And they only pop up again when someone tries to dismantle them and tries to revert that change, just like we're seeing now with so many governments out there. So, if we were to try to, let's say, give people a reference or one of these connection points, from an emotional standpoint, to encryption; what might we be able to share with them to get them to understand how truly, essentially important encryption is for the security, stability, and general, very precarious balance in which the world sits in with technology as one of its fundamental layers?

[28:53] Eva Galperin: Well, often I start with the example of adversarial journalism. There is a reason why the journalists, who report on corruption and who maintain independent and authoritarian regimes, are often that regime’s first targets, that they go after their political enemies. And there's story after story of that happening. EFF is currently representing a Saudi woman whose phone was spied on by several governments but using a number of different methods, but one of them was a project carried out in the UAE called Project Raven. They spied on her phone, the Saudi government arrested her, detained her, and tortured her. So, this is a very close connection between how the security of her phone was breached, she was spied on, and then that surveillance led directly to physical action against her and physical harm. So, those kinds of stories often really connect in a visceral way. But then people think, “Hey, I'm never going to be a Saudi activist.” Sure, I want to protect Loujain, but also what happens in my everyday life. And frequently, I will talk to people about their money. I will talk to people about what happens when somebody hijacks your accounts, when somebody steals money from you, when somebody steals your passwords, when someone gets into your photos and then uses them to blackmail you. So, I bring up scenarios that are more likely to happen to the person that I am talking to. So, it really depends on how broadly their empathy is distributed.

[30:42] Andra Zaharia: Exactly. And it is, at the end of the day, an ability that we can cultivate, that we can improve, that we can expand to cover also other people but also ourselves. Just the one last thing to wrap up. If we were to highlight one thing that people should remember about those who are on the other side of the screen, tucked away somewhere in their office or in their home office, working to help them; what's one thing that you think is worth remembering about these people, and the fact that they care so much about helping others that they're willing to spend a lot of time and personal resources and energy to do so? What's one thing that would help close that gap, that non-existent but also very real gap between them?

[31:33] Eva Galperin: I think that we do all reach out to one another. That's actually one of the most satisfying things about this kind of work is that we find each other, we really do. The word gets around about who is helpful, and who speaks up, and who has good technical advice, and who will just sit there and listen while somebody yells at them, or cries at them, or both, because that is what they need to do. We all learn from one another, which I think is really important. And we all learn from the people who work directly with survivors in a non-technical way. Some of the most useful books that I read, that have helped me with my work have had absolutely nothing to do with technical issues. The Body Keeps the Score, which is essentially a book about how trauma works in the body is incredibly useful to me. There's also a book called “Helping Her Get Free”, which is about how to help people to escape abusive relationships. And a lot of the advice in that book is counterintuitive, but it prevents you from doing more harm than good, which I think is really important. And also there's a book called “Why Does He Do That?: Inside the Minds of Angry”. A lot of these books, they frame abuse as men abusing women, and they frame it in a really heteronormative way. I would love to be able to recommend some books that really break out of that pattern, but I haven't been able to find them. So, if your listeners have any recommendations, I'm really open to them because I think that's a big problem I've had with the existing literature.

[33:19] Andra Zaharia: Hopefully, we'll start to see more of those soon, simply because things can progress and they do progress in waves. There’s no linear progress almost anywhere in life. So, hopefully, we'll see those upward curve work in this way as well. Thank you so much for allowing us to learn from you, and for speaking about all of these difficult things with such grace and such kindness and generosity. And thank you for all the work that you do and the examples that you set. I know that I have learned tremendously from them, and they have changed the way I think and the way that I try to act. And I know that I'm just one of the many, many people who you have done this for. So, thank you again, Eva. It's been so wonderful to be able to talk to you and I'm very thankful for this opportunity. 

[34:08] Eva Galperin: It's such a pleasure to be here.