Well-meaning parents and suspicious partners could easily be ensnared in a litany of privacy, security and legal pitfalls created by using mobile-phone monitoring software, a university investigation has concluded.

The investigation – conducted with ACCAN, supported by Deakin University academics and HackLabs security specialists – evaluated the terms of use, technological design and potential legal implications of spyware tools that surreptitiously monitor the activities of a targeted mobile phone user.

Such tools are being marketed to parents wanting to manage their children’s Internet use and social interactions, but evidence suggests they are also popular with suspicious partners and domestic-violence perpetrators.

The tools resemble those that cybercriminals have famously used to exploit platforms like WhatsApp and Instagram – but consumer-friendly packaging and installation has made them so common in family violence cases that “workers in shelters have had to change their practices,” University of Technology Sydney academic Jenna Price recently noted in labelling the ‘stalkerware’ tools “the next frontier for family violence”.

The tools’ shady nature means that user numbers are anybody’s guess, but several leading platforms claim over 1 million users each and Kaspersky Lab recently noted that scans of its users’ devices had identified over 58,000 instances of the apps being used.

Powerful tools, inconsistent marketing

Apart from the obvious dangers resulting from the ways they are used, Deakin researchers Dr Adam Molnar and Dr Diarmaid Harkin found that the tools’ highly granular data-extraction capabilities were legally and technologically problematic.

Nine retail spyware tools were evaluated and, researchers concluded, all offer a range of features that “exceeds what could be understood as proportionate or ethical ‘monitoring’.”

The apps, which can be hidden from view on the target phone, quietly record everything from details of phone calls and SMS messages to transcripts of social media apps, Tinder sessions, email and Web browsing, contacts, photos, videos, and location tracking.

Some can even spoof SMS identities to send fake messages; record live audio from the target’s phone; and offer live views through their camera – turning them into real-time surveillance devices whose capabilities, the researchers noted, “are sufficiently wide as to not only compromise the private data of the user of the device, but anyone who also interacts with the user via their device”.

Deakin also analysed the marketing of the apps, with 8 of the 9 tools promoting themselves for monitoring children; seven appealing to employers for monitoring staff; five selling themselves as a way to catch and stop device thieves; and three brazenly promoting themselves for snooping on partners, despite privacy and domestic-violence concerns.

Existing laws never tested

Researchers excoriated the apps’ designs, with HackLabs concluding that many apps have a “low quality security design [that] only increases the vulnerability of the personal data of those targeted by spyware”.

Some tools communicated their stolen photos, recordings and activity logs to central servers over unencrypted connections that were themselves vulnerable to interception – meaning that stolen private information could easily end up freely available online.

Reports suggest that “incompetence” had seen 12 different spyware companies breached over the past two years, the researchers noted.

“This raises additional risks of privacy violation beyond already existing pernicious social uses,” they said, noting in a “cursory legal analysis” that such violations would be legally problematic on a number of fronts.

Spyware’s activities would likely be captured by existing laws around family violence, telecommunications interception, surveillance devices, data privacy, and more – yet Holding Redlich partner Angela Flannery told Information Age that the lack of spyware case law could make some laws inadequate in handling this particular use case.

For example, she said, section 474.4 of the Criminal Code Act 1995 (Cth) bans the sale of an “apparatus or device” for intercepting telecommunications but “there is the question of whether this offence is sufficiently broad enough to pick up the sale or licensing of software, as opposed to physical interception devices or apparatus… My view is that it is not.”

Stronger government commitment to stop online sales of consumer spyware could help stop its purchase and installation, Flannery said, while tighter legislation could make it clearer that the use of spyware – without the consent of the person being monitored – is a criminal offence.

For now, the discussion remains largely academic, the Deakin analysis notes.

“The practical and jurisdictional difficulties of targeting spyware vendors or identifying individuals in possession of spyware, and the unlikelihood of this issue being pursued by any enforcement body, makes it unlikely that test cases or prosecutions will be forthcoming.”