Stage 1
English
Live Translation
Talk
Everyone
When Spies Come Home: Inside the Consumer Spyware Industry

Short thesis

"I see you." That's the message Jessica received after her ex-husband planted spyware on her smartphone, giving up her location, messages, and much more. Our 'When Spies Come Home' investigative series into consumer malware, based on gigabytes of hacked data obtained from four spyware companies, reveals the scale of this industry: hundreds of thousands of ordinary people across the world have bought malware that can intercept emails, switch on microphones, steal WhatsApp messages, and more.

Description

This talk covers two areas: the inner workings of the consumer spyware industry, and how that industry has been repeatedly linked to cases of domestic and sexual violence, rape, and murder.

The first is based on a slew of internal spreadsheets, financial documents, customer records, and even live intercepts captured by malware, all of which activist hackers stole and provided to us as journalists. This data shows the popularity of consumer spyware, how some companies explicitly market their products to jealous or paranoid lovers to spy on their spouses, and even some connections to the same companies that provide malware for authoritarian regimes. But our talk also offers a behind-the-scenes look at an investigation that relied heavily on information provided by criminal hackers: how do journalists verify that data, and how do they handle intensely private information? We also explain why we purchased the malware ourselves to give readers a deeper understanding of exactly how it worked.

The second part brings together interviews with sexual violence victims, domestic violence researchers, and concrete evidence of malware being used to facilitate abuse. This malware may require physical access to install, but to ignore this issue would be to miss the point: in an abusive relationship, the attacker often stays in the same building, room, or even bed as the target. This scenario presents a complicated melding of physical and digital security that the infosec community may want to pay more attention to.