How is Spyware Legal?

Today's Cyber Stalkers have free access to almost government-grade spyware software with which they can terrorize their victims. Who's enabling the commercial spyware market?

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 12 million downloads as of Oct. 2018.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Lodrina Cherne

Digital Forensics Instructor for the SANS Institute and a Product Manager at Cybereason

Lodrina Cherne has over a decade of experience in digital forensics and a lifelong passion for cybersecurity. Her work focuses on preservation and analysis of electronic evidence including host based analysis of Windows, macOS, Android, and iOS systems in matters concerning Intellectual Property (IP) theft, employment disputes, and evidence tampering. She earned a bachelor's degree in Computer Science from Boston University and has continued her education by earning the GCFE, GCFA, and GASF certifications from GIAC.

How is Spyware Legal

One year ago, Ryan S. Lin, a 25 year-old computer science graduate of Rensselaer Polytechnic Institute, was sentenced to 17 years in prison. He’d been found guilty of perpetrating a severe, year-long campaign of coordinated cyber harassment against his former roommate. He recruited others online to send messages threatening to rape and kill her and her friends. They broke into all of her devices, and sent her personal photos, videos, medical and sexual history to all her friends and family. They sent child pornography to her mother and friends. They put up her personal information on pornography websites, encouraging men to visit her home address. Three did.

The details go on, but you get the idea. Ryan Lin is a very extreme example of a very common phenomenon today: cyber harassment. He was not only more aggressive than even most stalkers are, but he knew what he was doing better than most stalkers do. He used Tor to disguise his IP address, a VPN to disguise his internet connection, and various apps to disguise himself in texts and emails. In contrast, most people who commit cyber stalking and harassment do not have computer science degrees from respected technical universities. In fact, all you need to commit government-grade cyber spying today is a monthly subscription payment. Lodrina Cherne is a Digital Forensics Instructor for the SANS Institute and a Product Manager at Cybereason. In her investigative work, she’s dealt with commercial spy tools firsthand.

“[Lodrina] So stalkerware is software that can track somebody using a device. Typically we’re talking about some kind of tracking that is not consensual by the person being tracked.

So this could come in two different forms. We could be talking about legitimate software, something like Google Maps where you might be sharing your location with somebody and while Google Maps is a legitimate program, the way that it’s used – for example if I’m sharing my location on my phone but I don’t know who I’m sharing my location with, that could be an example of legitimate software being used in an unintentional way to show somebody’s location.

Another example could be something that’s a little more insidious. It could be something like software that’s sold to monitor somebody’s location or monitor somebody’s activities, text messages, emails, that sort of thing.”

An Industry On The Rise

So those are two big buckets that stalkerware could fall into.

Today’s episode is about that second big bucket of stalkerware, also known as spyware. It’s an industry on the rise. In total, it takes around five billion dollars a year. Much of that is made up of government spending. A whole chunk of it, however, is supported by individual people: overbearing parents, authoritarian bosses, and most of all, jealous and abusive romantic partners. The most popular commercial products have millions of customers.

And it’s not just all this spying that’s the problem, but what spying allows for. Oftentimes, these programs are being used by abusive men, against their female partners. A poll conducted by the National Network to End Domestic Violence found that 54 percent of U.S. domestic violence victims were being tracked by their abusers, using spyware. 54 percent! That means, on average, one out of every two domestic abuse cases in America today is supported by some form of cyber spying. Lodrina Cherne understands the problem intimately.

“[Lodrina] So this summer, I was speaking at the Diana Initiative in Las Vegas and the title of the talk I gave to my co-presenter was an “APT to Your Personal Safety”. So as cyber-security professionals, we were talking about how we’re very conscious of things like malware and APTs and how we need to identify these threats early before they get too embedded in your network.

So we talked about infosec concepts like using a cyber kill chain to identify threats and stop them as early as possible and then we related that to a personal attack and by personal attack, we’re talking exactly about spyware and stalkerware and if you have somebody who is embedding themselves in your technological life, who might have access to you, to your devices, and what does that mean for your personal safety, particularly in the context of relationships and if you should leave a relationship and if that person is intent on trying to track you and see what you’re up to. This is exactly what we talked about.

Just informally as we followed conversations about this online, every time this topic came up, the pervasiveness of replies and number of people who responded, men and women from all different walks of life, people who are technologically-savvy, people who weren’t, was really astounding and what was so moving is that after the talk, we spent probably two hours in the hallway after a 30-minute talk, having conversations with people who had experienced something like this, people for whom the topic rang true and who had never heard it discussed in public before.

Then to learn more, I have these conversations and particularly after giving that talk on stage, I think whatever numbers are out there, it’s something that is seriously underreported and I hope that the more we talk about it, the more we can define just how much of a problem it is.”

“[Nate] So the impetus for this episode was Ryan Lin’s story…”

That’s Nate, Senior Producer and Researcher for our show.

“We were going to talk about stalkerware, bullying, domestic abuse victims–it was all very important and very depressing.

But then, as my research developed, this one question kept gnawing at me. I’d learned just about everything one would need to know about stalkerware; run through some forty or fifty different sources in the process. Except nobody was answering this one, pestering question I had.

How in the world is spyware legal?

If commercial spyware were just now hitting in the market, you might reasonably say: well, the legal system moves slowly, maybe we just haven’t gotten around to making it illegal yet.

But this isn’t new. Commercial spyware–not the stuff hackers or governments use, which existed long before, but the stuff actual regular people use–has been trafficked in the U.S. for well over a decade now. And it doesn’t exactly happen in secret, either. In my research, I came across a New York Times article from 2008 promoting Mobile Spy, one of the leading stalkerware programs.

So we have to ask: if this stuff has been publicly available for so long, who’s enabling it?”

ISS World Convention

The story of how we got the spyware market we have today begins nearly two decades ago.

After the events of 9/11, the U.S. government took drastic measures to ramp up their surveillance capabilities. For example, in Season Two of Malicious Life, we talked about the President’s Surveillance Program–when George W. Bush’s administration loosened the reins on the NSA, allowing them to spy on just about any suspected enemy of the state without warrant.

So it may not seem like such a coincidence that the world’s biggest convention for buying and selling government-grade surveillance equipment began back in 2002, in Washington D.C.

The Intelligence Support Systems World Conference–”ISS World” for short–is what would happen if hackers, the Illuminati, James Bond and George Orwell had a baby together. The concept: a marketplace where private companies sell their high-end surveillance tech. But this isn’t just any trade show.

The first ISS World was attended by fewer than 50 people. Today, it’s attended by hundreds or even thousands of police, spies, and government officials from every corner of the world. It is the Super Bowl of state-level surveillance–where shady companies host negotiations with government agencies in dark backrooms, where influential oligarchs, repressive police forces, and the world’s most powerful governments come to window shop for spyware.

At least, that’s what we believe happens. There’s very little reporting on ISS World because journalists are barred from entry. No journalist makes it past the outer edges of the premises. For two ISS events hosted in Prague and Malaysia in 2011, a Bloomberg News reporter described the scenes as he was “walking hotel corridors, sitting in bars and haunting lounges.”

“For the Malaysia event, which has 871 invited attendees from 56 countries, the Hilton lobby hosts a parade of ISS’s various tribes and their telltale markings. Buyers from Saudi Arabia’s interior ministry, India’s cabinet secretariat and the 5-month-old state of South Sudan brandish yellow nametags that peg them as government officials. Vendors are identified by red tags.

In Prague, at a hotel connected to a shopping mall food court, potential buyers included Thailand’s Department of Special Investigation and the U.S. Drug Enforcement Administration. In the lobby, contingents from Greece and Turkey sat on opposite sides of the room.

In the Prague hotel’s elevators, an employee of Andover, U.K.-based Gamma International rode up and down, escorting government delegations to back-to-back, appointment-only demonstrations of Gamma’s FinFisher intrusion system, conducted in darkened rooms.”

The technology on display at ISS World runs the gamut, from lower-level knockoff products to the staggeringly high-tech.

“[Nate] But if ISS were really just about technology, then all kinds of people would be able to attend. They can’t, because more so than the tech itself, ISS World is a worldwide hub for state intelligence, defense, espionage and civil repression. In fact, the more you look at it, the spyware industry seems to have less to do with the technology industry than it does international politics.”

No Such Thing As Bad Press

In March of 2011–the same year as those Malaysian and Czech ISS conferences–two human rights activists broke into the headquarters of the Cairo-based State Security Investigations Service, or SSI. SSI was like the FBI of Egypt, for the past century. The organization had a less-than-sterling reputation, especially among the government protesters who fell under its ire during the latter days of President Hosni Mubarak’s administration.

When the two protesters got inside SSI HQ, they found hundreds of police batons, loads of torture equipment and classified documents. One of those documents stood out, because it was written not in Arabic, but in English. It was obtained by The Guardian, and provided early evidence of something we know much more about today.

Social media gave voice to millions of Middle Eastern activists, journalists and citizens during the Arab Spring. Spyware, it turns out, was a useful means of shutting them up.

Hacking Team, based out of Italy, and Gamma International, from the U.K., are the McDonalds and Burger King of spyware. They sell to governments and police forces around the world, and don’t discriminate in the process. Hacking Team, for example, has sold their software to the regimes in Saudi Arabia, Sudan and Kazakhstan. FinFisher, Gamma’s full-suite product, was used by dictators in Venezuela, Uganda and Bahrain. The English document found at SSI was just one example of this. It was an invoice from Gamma, for a total of 287,000 Euros. It included the costs of software, hardware, installation and training. So, just as a popular uprising was forming against the country’s dictatorship, an English company was training Egyptian officials to quash it.

Because of the nature of their product, Hacking Team and Gamma each target the world’s most repressive regimes. When news of FinFisher’s partnership with the Bahrain government surfaced, for example, it led to lots of negative news stories about Gamma. But there’s no evidence that bad press hurt their bottom line–if anything, the increased notoriety made them more well-known to other repressive regimes interested in such a service. When an account manager for Hacking Team, their competitors, saw the story, they sent an email to colleagues at the company. “Rumor of an opportunity in Bahrain,” they wrote. Notoriety is, almost, a currency to these companies which otherwise operate behind closed doors. In an email from May 2015, David Vincenzetti, Hacking Team’s CEO, wrote to colleagues that “Definitely, we are notorious, probably the most notorious name in the offensive security market. This is great.”

Not Just Oppressive Regimes

But I don’t want to give you the wrong impression: it’s not just repressive third-world governments that do business with these high-level surveillance contractors–in fact, the majority of the industry is supported by stable, democratic countries. When internal Hacking Team documents were leaked in 2015, they revealed huge amounts of business with intelligence and police forces in Italy, Brazil, Morocco, Spain, Russia; even Cyprus and Luxembourg.

Hacking Team is particularly popular in the United States. Between 2011 and 2015, they earned 200,000 dollars from the Department of Defense, 600,000 from the DEA, and 700,000 dollars from the FBI. The U.S. Army purchased Hacking Team technology, but never ended up using it, because of bureaucratic red tape.

“[Nate] All in all, it’s much easier to find countries that have done business with either Gamma or Hacking Team, than those that haven’t.”

Why is spyware used by democratic countries? Probably because it has its positive uses as well. For example, the name NSO might be familiar to those of you who followed the tragic affair of Jamal Khashoggi, the Saudi journalist who was brutally murdered by his own government: NSO was accused of supplying the software that enabled the Saudi government to spy on Khashoggi. But that same spyware, named Pegasus, was also used in recent years by the Mexican and Panama government to track and prosecute dangerous drug lords and bring down violent drug cartels. One notable example is El-Chapo, described as the “world’s most wanted man and [Mexico’s] most powerful drug baron.” He was captured in 2016 after the mexicans spied on El-Chapo using Pegasus.

So, in spite of being used by many dark and oppressive regimes, spyware does have its benevolent uses when used by lawful governments. However, this does not answer the question we posed: even if spyware has its legitimate uses when in the hands of democratic governments – it doesn’t mean it should be used by private consumers. We have plenty of examples of stuff which is legitimate in one context but illegal in others. For example, it’s illegal to keep radioactive materials in your basement, but the same materials can be used lawfully in hospitals and research institutes.

So the question remains: why is spyware legal? Well, it could be that governments have a vested interest in keeping it legal.

An Industry Intertwined

The biggest players at ISS World events are sophisticated, secretive agencies like Gamma International and Hacking Team. But plenty others are more minor players who don’t particularly mind who they’re selling to as long as they’re selling.

For example, a company called Leo Impact, based in India. Leo Impact made itself out to be a cyber defense company–pitching to entities such as Hacking Team. Its website, SpyPhoneWorld.com, told a different story. There, the software could be purchased by anyone. It promised to “catch a cheating partner or control and monitor child, employee phone remotely.”

One of Leo’s competitors, Aglaya, also based out of India, is another case of military and consumer spyware overlap. When Forbes reporters encountered Aglaya at a 2015 arms fair in London, the company CEO, Ankur Srivastava, was selling software which, he claimed, could bypass firewalls and hack power plant control systems. The company also sold zero-day vulnerabilities to governments–for systems such as Windows, Android, even WiFi–for prices upwards of a million dollars. Srivastava claimed that he only sold to Indian intelligence agencies, but upon further examination, their spyware was found to connect to a server which also hosted a website from one of the consumer market’s most popular spouseware companies: mSpy.

“[Nate] What does this mean? It means there isn’t such thing as two, entirely separate, government and consumer spyware industries. This is one industry, continuous, messy, intertwined. Some companies sell to both governments and private citizens, and the companies which sell to only governments are in business with the companies that only sell to citizens.”

Hacking Team, for instance, is a customer of Mobile Spy – a consumer facing stalkerware – and openly admits to being in business with multiple other consumer spyware companies.

“[Nate] If spyware companies cross the boundary between selling to governments, and selling to consumers, then we have a problem.”

The problem is that if a government made commercial spyware illegal to its private citizens, it might also hurt companies who sell it sophisticated state-level spyware, since as we saw these two types of companies are often intertwined. And not only in the strict business sense: driving the commercial companies out of business means less developers and engineers who work in the field and thus a more limited talent pool. It also means less innovation in the market. For example, a Hacking Team employee wrote in a leaked email: “We check a bunch of spy apps (i.e. mSpy, Flexispy), just to verify that they don’t introduce any feature we are interested in.”

“[Nate] In other words: the spyware which a government uses on targets of national interest, and the spyware which a husband uses on his wife, largely comes from the same trough. In some cases, they may even be the same exact programs.”

All this means that governments might have a vested interest in keeping the commercial market for stalkerware legal and buzzing with activity – since making it illegal may hurt their interests, by hurting the companies who develop high-grade, state-level spyware.

But that’s still not the complete answer.

Two Legal Cases

There are two legal cases of the 21st century, which have defined the U.S. justice system’s stance towards consumer spyware.

In the first, the Federal Trade Commission filed suit against Tracer Spence, and his company, CyberSpy Software LLC. Spence’s company sold RemoteSpy, a spyware program marketed as a “100 percent undetectable” way to “spy on anyone, from anywhere,”. In practice, it was little more than a keystroke-logging malware, delivered to host PCs via infected email attachments. The case resulted in a settlement, two years later. On the FTC’s website, victory was claimed.  “The Federal Trade Commission has put the brakes on the business practices of an operation that was selling spyware,”.

The second case involved Hammad Akbar, the Pakistani-Danish owner of InvoCode Private Limited and Cubitium Limited, the companies responsible for distributing StealthGenie. StealthGenie was not unlike every other spyware we’ve discussed on today’s show: it could install secretly on a user’s smartphone, and record just about everything they were doing with it. On December 14th, 2012, about a year into his operation, Akbar unwittingly sold his spyware to an undercover FBI agent. Indeed, the admiral was right all along – It was a trap. Akbar wouldn’t learn of what happened until two years later, when on a trip to Los Angeles, he was arrested by FBI order. He pleaded guilty to the charges.

Though two cases in four years doesn’t sound like so much, it certainly must have seemed like a step in the right direction. Surely the case against CyberSpy would curtail spyware from being sold to the general public, and Akbar’s fate would be a warning sign to any other spyware CEOs.

Except, no other major cases like these have arisen in the time since, even as the market for consumer spyware has grown exponentially.

And it gets worse. As part of CyberSpy’s settlement, the company was forced to stop marketing their product as a way to spy on unwitting victims. But the company never admitted to any wrongdoing, they never faced any criminal charges, and they were allowed to continue selling RemoteSpy.

Mr. Akbar fared only slightly worse. He was sentenced to time served, and ordered to pay a half-million-dollar fine. As part of the agreement, he was forced to give up StealthGenie.

“[Nate] But get this: Akbar wasn’t asked to destroy his program. Instead, he was ordered to hand over the source code to the U.S. government. Why?

I think you probably know what I want to say–what I really want to say, right now–but I won’t, because I can’t prove anything.

The bigger point is this:

StealthGenie was, characteristically, no different from Flexispy, mSpy or any of the rest of the apps that exist openly online today. At any point in the past decade, any of those other major stalkerware providers could have been pursued by the justice department just as CyberSpy and Invocode were. They haven’t been.

In fact, the effect of these two legal cases has been, if anything, empowering to the stalkerware market. When these companies were called upon by the U.S. justice system, they could have been made an example of. But they weren’t. CEOs of other companies have nothing to worry about, because the judicial precedent has been set: that selling undercover surveillance software to the public warrants only a slap on the wrist.”

Skirting Past The Law

Today, the case against CyberSpy acts as a playbook for spyware companies looking to skirt past the law. As a Forbes reporter wrote in 2017: “those selling spy software to the general public have been able to avoid legal action by simply removing advertising material that encouraged spying on spouses. They may have learned that trick from an FTC case against CyberSpy software.”

This may be the reason these companies were let off so easy. Not everything bad is illegal, and not everything used for illegal purposes is itself illegal. Think of the Tor browser, as an example. Tor is used to facilitate every crime you can think of, but it’s also used for good things, like allowing protection for whistleblowers and informants who wish to connect with the press.

The most common fronts that spyware companies put up, to avoid the potential for legal recourse, is to advertise spyware’s uses in monitoring employees and children. These practices may be unseemly, even immoral, but not necessarily prosecutable. Lodrina Chern:

“[Lodrina] you could certainly make an argument that I want to monitor what my young child is doing on their devices and I want to know what applications are installed and who they’re talking to.

So you could say that monitoring applications and hopefully with some conversations with that young child about what they’re doing on their phone and how you’re trying to validate that they’re using that phone safely is a legitimate use of these tracking applications.

What’s great and terrible is all you need to do is a Google search on “install spyware” or you could even run a much more innocuous term like “How do I track my kids?” “How do I track what my family member is doing?”

Now this gets into search terms that are a little bit more shady perhaps. But when you run those searches in Google, you will come up with a long list of programs that maybe purport to be legitimate monitoring software. Find out what your kids are doing online. Find out who your kids are talking to. Be able to read their emails. So if we take this off the computer example and we go on to cell phones, we get very similar capabilities. We get the ability to log keystrokes, to take screenshots, to monitor your location in this case and there’s a lot of the software that might have the capability to turn on your GPS and share that location data.”

The rest of the industry has certainly received the hint: targeting jealous and abusive spouses behind closed doors, but marketing legitimate uses of spyware on the face of it. “Catch Cheaters” the Flexispy website once read. “Is your wife cheating on you? For the sake of your mental and sexual health, you have a right to know if your partner is being responsible. Spy on their mobile phones to reveal their secrets.” On Twitter, it was more of the same. “Noticed any changes in your partner’s behavior?” one tweet reads, “Share Your Story.” Nowadays, their website reads: “The World’s Most Powerful Monitoring Software for Computers, Mobile Phones and Tablets / Know Everything That Happens on A Computer or Smartphone, No Matter Where You Are. ”

This is yet another possible reason for why stalkerware is legal – it lives in the gray area of the law. Ironically, it’s a bit similar to cheating on your spouse: it’s clearly wrong and immoral – but it’s also not illegal in the same way that stealing is illegal, for instance.

There are plenty of ways law enforcement could, theoretically, go after consumer spyware. It threatens the rights of children, and the rights of employees, to their privacy. Most spyware is made to be unnoticed, and requires no consent from its target. And yet, there is no indication that the spyware market is under any threat today. So long as it continues to serve the powers that be, toe the edge of the law, and avoid public scrutiny, there’s no reason to suggest anything will change any time soon.

“[Nate] We originally intended to talk about Ryan Lin, and the cross-section between domestic abuse and cyber stalking. We made sure it would coincide with October, the month officially dedicated to Domestic Violence Awareness.

But if I’m being honest, I don’t think we’re the right podcast to do justice to such a sensitive topic. Domestic abuse–a subject which requires a certain deftness of touch–is frankly just not our strong-suit.

What I hope we were able to do, instead, is tell a story about how technology can be used to enable the powerful and target the weak. It’s not that some Illuminati organization has conspired to unleash spyware on unsuspecting citizens. No single person, on their own, is responsible for the system as-is. Rather, it’s that governments–the benefactors of a healthy spyware market–are infinitely more powerful than individual victims of domestic abuse–those taking the brunt of the system.

And look: it took us thirty minutes to get to this point in the episode. Because it’s such a complicated industry, it’s not abundantly clear to most people that this is, in fact, one, interconnected system, between governments, suppliers, and abuse victims. Unfortunately, I believe we’ve demonstrated that these two sides are unbreakably tied to one another–to have one is to necessitate the other.

Stalkerware will only grow, in orders of magnitude, as the years go on, and the problem will only get worse.”

X

Want to hear our bonus episode?