Domestic Abusers Can Control Your Devices. Here’s How to Fight Back.

New York Times. 6.April.2020.By Kaitlyn Wells and Thorin Klosowski.

Every day, Sarah Prager saw the magnet on her fridge warning her of the dangers of domestic abuse, but she didn’t think much of it. Her girlfriend’s tactics were much more subtle, involving checking her phone and electronic devices, she said. In response, Ms. Prager, a writer from Massachusetts, deleted text messages as soon as she sent them, and never complained when her partner went through her devices.

“She had such control and jealousy in general that it would’ve been really suspicious of me to ask her to not do that,” Ms. Prager said. Her partner would flip the script on her if she refused to show what was on her devices. “What are you hiding that I can’t look at your phone?” was the go-to response.

Tracking messages is just one way technology can be used by an ill-intentioned romantic partner to monitor, intimidate, and control you — and they don’t have to be a tech wizard to manipulate it. If an abuser gets access to your phone, they can unassumingly squirm into every aspect of your digital life, from private messages to location history. Technology-based abuse, also called “technology-enabled coercive control” by anti-domestic-abuse professionals, can be as nuanced as an abuser spoofing their number to bypass a list of blocked contacts and using social media posts to keep tabs on your interactions, or as sophisticated as tracking a car’s location throughout the day via GPS and installing apps to make smart-home devices run amok. The tactics executed by abusers vary widely, and they rely on tech because it’s cheap and easy to implement.

“You don’t have to reach out and touch someone in order to control and terrorize them,” said Ruth Darlene, founder and executive director of WomenSV, a resource center serving the Bay Area of California. WomenSV specializes in helping people who face domestic abuse in middle-to-upper income areas, but Ms. Darlene and other experts note that tech-based abuse isn’t limited to just one income bracket.

Data on the prevalence of technology-based abuse is limited, thanks to varying definitions, but the experts we spoke with said that such incidences go hand-in-hand with domestic abuse. It’s estimated that one in three people have experienced sexual violence, physical violence, or stalking by an intimate partner, according to The National Intimate Partner and Sexual Violence Survey: 2010-2012 State Report (PDF) from the Centers for Disease Control and Prevention. The report’s authors define stalking as “a pattern of harassing or threatening tactics used by a perpetrator that is both unwanted and causes fear or safety concerns in the victim,” with methods including unwanted calls, emails, social media messages, and texts, as well as spying via listening devices and GPS.

Other studies have shown that this type of abuse is much more pervasive. An article published in the Journal of Family Violence in January 2020 found that between 62 and 72 percent of women (the only gender surveyed) have been stalked, and 60 to 63 percent have experienced technology-based abuse by an intimate partner.

“Technology is not the only tactic; it is one of many,” said Erica Olsen, director of the Safety Net Project at the National Network to End Domestic Violence (N.N.E.D.V.). “Today’s technology offers new ways to perpetrate abuse, but the behaviors and the reasons for it are not new. Abusers want power and control over the other person, and this is just one more way to get that.”

Here’s how to record abuse without being discovered, safeguard your devices, and, ultimately, protect yourself.

How to recognize technology abuse and control
Every social services expert we spoke with said domestic violence survivors often convince themselves to ignore signs of abuse, technological and otherwise. So trust your gut if you suspect the worst in your partner. Signs of technology-based abuse may seem insignificant — like if an abuser brings up conversations you had in private with another person, or if you just feel like you’re being watched — but they can quickly snowball. “When those coincidences start to happen over and over again, that’s a sign that something’s not right,” Ms. Darlene added.

Ms. Prager knew her girlfriend was invading her privacy when she found sent and deleted emails she didn’t recognize in her email history, but she brushed it aside. “A phone is such a basic thing that we need for our lives. She used it to monitor and check on my texts and emails, and it’s what she used to contact me even when we weren’t together,” she said. “I didn’t think it was abuse at all because she wasn’t physically abusive until the day that I left.” Ms. Prager said her ex-girlfriend continued to stalk her, both digitally and in person, for about a year.

If you suspect that a verbally or physically abusive partner is using tech to spy on you, you need to safely elude tracing. First, seek help. Visit a public library, or a doctor’s office for a routine appointment, and ask to use their phone to call a local domestic violence shelter, the National Domestic Violence Hotline (800-799-SAFE), or the National Sexual Assault Hotline (800-656-HOPE). You could also live chat with the N.D.V.H. or text LOVEIS to 22522.

If you can’t leave the house, in most states you can dial 211 (or 311 in New York City) and ask to be transferred to a nearby shelter; you can also save hotline numbers in your phone’s contact list under a different name to fool your abusive partner. Support centers can help you make a plan to leave your partner, as well as connect you with local resources. (Amid the Covid-19 pandemic, some municipalities consider shelters essential services, which means they are still open. You can also connect with a teletherapy provider from our guide to online therapy services.)

Identifying how an abusive partner is using technology to monitor you can be difficult. Our experts recommend keeping a handwritten log (PDF) of every time you think you’re being cyberstalked, and then sharing your findings with your counselor. Avoid taking notes or recording passwords on your phone’s notepad app. “If login credentials are syncing to the cloud, your partner could be reading them without your knowledge or consent, and then using them to surreptitiously access your other accounts,” warned Diana Freed, a Ph.D. candidate in the Department of Information Science at Cornell Tech, who co-authored a paper on computer security and intimate partner violence (PDF).

When you’re ready to meet with an attorney, a counselor, or a private investigator, our experts advise parking blocks away from your meeting point, and leaving your electronics in the car or back at home. Ditching devices is important: Some device-security tips found on the web, especially on comment forums, are phony or ill-informed and could compromise your safety. For example, a site may recommend enabling airplane mode to prevent spying. But a phone with stalkerware — any software that enables spying, also called spouseware or spyware — installed can still collect data via the microphone or camera, even when in airplane mode, said Sam Havron, a Ph.D. candidate in the Department of Computer Science at Cornell Tech, who co-authored the aforementioned paper with Ms. Freed. If you have the means, buy a prepaid burner phone (a phone with minimal voice or data services, which are designed to be used sparingly and should not be attached to any shared credit cards) with cash, so you can contact your support network without being tracked.

Visiting an advocacy center that specializes in auditing a survivor’s devices can help pinpoint how an abusive partner is monitoring you so you can collect evidence for an order of protection. (Resources like the N.N.E.D.V.’s Safety Net Project and WomensLaw.org have tool kits on collecting tech-specific evidence for court.) Counselors at these centers can also walk you through how to create secure passwords, turn off location sharing, and disable each device’s camera and microphone. They’ll discuss your options with you, and won’t pressure you to leave your partner, lock them out of your devices, or file a police report. If you’re panicky about taking steps to leave your abusive partner, it’s not the right time.

“The survivor is the expert in their own situation,” said Danielle Desrosiers, community advocacy program director at New Beginnings, a Seattle-based resource for domestic violence survivors with a dedicated technology-enabled coercive control clinic. “What can make one survivor safer, could create increased danger for another survivor.”

If you’ve weighed your options with a counselor and safely left your abusive partner, our experts agree that the first line of defense against future tech misuse and abuse is to increase the security of the technology you already use. No security setup is perfect, but these steps can make abuse much more difficult.

Make a list of shared accounts
If you share accounts with an abusive partner, they can use them to track much of your day. “Most commonly, abusers attempt to obtain or retain access to formerly shared accounts like iCloud and Google (and their associated email accounts) or social media like Facebook and Instagram,” said Ben Walker, a technologist volunteer at New Beginnings. This may include location apps — like Google Maps and Apple’s Find My — that are otherwise legitimate, or third-party location-monitoring apps, usually billed as child or family-monitoring apps.

In the case of iCloud or Google accounts, shared access can grant much more information, including browser history, notes, files, photos, and more. If you’ve ever shared accounts like this, or if an abuser potentially has a password because they purchased or set up the app or phone, make a note of it. Below, we’ll walk you through setting up a new email account and resetting your passwords.

Make a list of every account and device you have
Several experts we spoke with suggested making a list of the electronic devices you own. This includes phones, laptops, or tablets, as well as other connected devices like cameras, thermostats, smart speakers, and even newer models of cars. Don’t forget about the wireless router (what you connect to for Wi-Fi) in your home. If any of these items were gifts from an abusive partner, or if they set them up, the partner could potentially use the data they collect to gather information about you. If you have children, also make a note of any devices they use.

Tally up the rest of your (non-shared) online accounts, such as email, social media, cloud storage, journaling software, notes, and even to-do list apps. In many cases, an abuser can access data from those services with your username and password. Plus, some of these services, like Google, Apple, and Facebook, allow you to see which devices are currently logged in to the account. If you don’t recognize a device on your list, it may be an abuser’s.

Secure accounts with two-factor authentication and a password manager
Once you’re in a safe place to do so, you should secure your accounts to prevent further access. You can do this by setting up two security measures: a password manager, which creates complex passwords for you so you don’t have to remember them, and two-factor authentication, which requires access to a specific physical device to log in to accounts. But first, it’s a good idea to sign up for a new email address. With access to your email, an abuser can capture password-reset notices, create custom filters to hide messages, or gain access to any details you change. Sign up for a brand-new email account from a service like Gmail or Outlook, both of which have good security standards, including two-factor authentication (we’ll get to that below).

If you reuse the same passwords or create ones based on personal details (like your dog’s name or a birthday), an abuser can gain access to your accounts with an educated guess. To counter this, your best option is to not know your own passwords. You can do this with a password manager, which generates strong passwords that are impossible to guess and then locks them behind a single “master password” that only you know. When you create a master password, it should be something your abuser can’t guess.

There are many different password managers out there, but Wirecutter thinks 1Password is the best option for those who are new to password managers (if you can’t afford to pay for a password manager, Wirecutter also recommends Bitwarden). Once you get it set up, go through your list of accounts, change their passwords, and update them with your new email address. If accounts have security questions (for instance, “What’s your mother’s maiden name?”), you should change those answers to a random word. (You can save these responses in a password manager, if needed.) For a walk-through on getting started with a password manager, head over to this guide on the tech website How-To Geek.

Two-factor authentication is a security feature typically available for important online accounts, including those for banks, email, and social media. When you enable two-factor authentication, you’ll need two pieces of information to sign in to your accounts: your password and a multi-digit code. The code can come from either a text message or an app. For security purposes, an app is better than a text message, and Wirecutter likes the easy-to-use Authy app. However, this type of authentication assumes that only you have access to your phone — if an abuser can still get into your phone, they may be able to access the authentication codes, so it’s important to secure your devices before you set it up. You should consider using two-factor authentication for any accounts that contain private information, including bank accounts, Google accounts, Facebook profiles, and Apple accounts. Check out Wirecutter’s guide to setting up Authy to get started. If you’re comfortable with technology, Wirecutter recommends a physical security key as an even better option, but getting the hang of using it does take some technical skill.

Check privacy settings on social media
Accounts on social media platforms like Instagram, Facebook, or Twitter can leak location data or other streams of information to an abuser without you realizing it. Take time to run through Facebook’s Privacy Checkup, and lock down who can see your posts, remove any apps that may automatically share your location, and delete any other apps, games, or tools you don’t recognize, use, or remember adding. Be sure to set up alerts for when someone logs in to your account. You may also consider making your other social media accounts, like those on Instagram and Twitter, private. If you need help navigating the settings, The New York Times (Wirecutter’s parent company) maintains a social media security and privacy checklist for journalists that includes many of the settings you should change.

Google’s not exactly a social network, but its privacy controls are worth spending some time with. By default, Google saves every search you make on Google and YouTube, and Google Maps creates a record of everywhere you’ve gone throughout the week. If an abusive partner has access to these accounts, they may find something in your history. You can pause these settings from your account dashboard at any time.

Improve your smartphone’s security and privacy
Our smartphones provide near-instant access to everything about our daily lives. To prevent that type of access in the future, you should set up your phone as securely as possible:

Enable a passcode. Some abusers may try to unlock a phone using a fingerprint or face login when you’re sleeping, so it’s best to stick with a six-digit passcode instead. If you don’t have a passcode, enable one — while it adds a mildly annoying step to unlocking your phone, it makes your phone much more secure. Most Android users can open Settings and then tap Security to create a passcode. (Depending on which Android phone you have, you may need to poke around to find this setting.) On iPhone, open Settings, tap Touch ID & Passcode, and make sure the passcode option is enabled. (If you have a newer iPhone, you might see Face ID & Password instead.) Disable any Touch or Face ID options while you’re there.

Change notification options. Notifications on your phone may reveal personal information, like the first few lines of a text message or email, to anyone who happens to catch a glance at your device. To protect yourself on an Android phone, open Settings, tap Notifications, and choose Hide Content for any apps that might include personal information. On iPhone, open Settings, tap Notifications, and change the Show Previews option to Never.

Check location settings. Location stalking is a way to see where someone is throughout the day, so it’s a good idea to identify which apps have access to your location and make sure you want them to have that info. On Android, open Settings, tap Location, tap App permission, and then review the apps that have access. On iPhone, open Settings, tap Privacy, and then tap Location Services.

See which apps are installed. An abuser may install something on your phone to spy on you, or use dual-purpose apps, like child-monitoring software, to track your location. To see everything that’s installed on an Android phone, open the Google Play Store, tap the three-line icon, tap My apps & games, and then tap Installed. On iPhone, open Settings, tap General, and then tap iPhone Storage. If you see anything you don’t recognize, you may want to delete it, but beware the abuser may get an alert when you do.

Update the operating system. Updating your phone’s operating system improves security and wipes out certain types of stalkerware, so set your phone to update automatically. On Android, open Settings, select About Phone, and make sure Check Automatically is set under Software Update. On iPhone, open Settings, tap General, tap Software Update, and scroll down to Automatic Updates to make sure it’s enabled.

Smartphone security is also about recalibrating how you use your phone. Train yourself to avoid clicking links sent through email or text, change your passwords when you notice strange activity on your accounts, and be mindful of what information you store (and share) on your phone.

If you need to communicate privately with a friend, investigator, or counselor, it’s worth considering switching to a secure messaging app like Signal. Signal works exactly like Apple Messages or WhatsApp but offers privacy- and security-focused features like encryption, a second lock screen to open the app, disappearing chat history, and the ability to rename message threads to obscure a contact’s name.

What about stalkerware?
As the name suggests, stalkerware is any software used to spy on or stalk someone else. It often includes several tools, like GPS tracking and keyloggers (which record keystrokes). In extreme cases, it can also record audio from mics or capture photos from a camera. Stalkerware is expensive, often retailing for $20 to $80 per month, and with smartphones, installing the software requires an abuser to have extended access to the phone.

Joe Seanor, a security consultant who works with domestic abuse survivors, said stalkerware typically comes into play when a phone or laptop was a gift from an abuser, is an older model, or has gone missing for an extended period of time. Once installed, Mr. Seanor said you’ll notice your data usage skyrocket (you can check this on your monthly bill). “It’ll double,” he said, adding that you should ask yourself, “Does my battery wear out faster than before?”

Recognizing and removing stalkerware takes technical know-how and isn’t recommended for most people. If you want to search your devices for this type of software, the Coalition Against Stalkerware has a guide to help you, but Walker from New Beginnings said a factory reset is “a much simpler and safer process than attempting to audit a potentially compromised device to determine how compromised it is.” Also, uninstalling stalkerware alerts the abuser.

Ultimately, it’s important to contact an organization like the N.N.E.D.V. before you take steps to regain control of your devices on your own. And if you don’t have confidence that your partner is respecting your privacy, or if you’re unsure what constitutes abuse, lean into that feeling that something isn’t quite right.

“Trust your instincts and talk to someone if you believe this may be happening,” N.N.E.D.V.’s Ms. Olsen said. “You deserve privacy and safety — offline and online.”

Full Article