A number of tracking and monitoring products available on most Apple and Android smartphones have the potential to break a range of Australian laws through their use, manufacture and advertising, according to a report released on Friday.
Research conducted at Deakin University, supported by the Australian Communications Consumer Action Network (ACCAN), found the consumer-grade spyware potentially violated a number of laws relating to harassment, stalking, identity theft and fraud.
Even family-oriented apps, designed to give parents peace of mind by tracking their child’s location and logging their communications, risked violating privacy regulations without clear consent from all spyware users and their targets.
Alfred Deakin Institute post-doctoral research fellow, Dr Diarmaid Harkin, one of the authors of the report with Dr Adam Molnar (now at Canada’s University of Waterloo), said that while some spyware users may have legitimate reasons for needing access to their child or partner’s location, the range of other functions offered by spyware tools exceeds what would be regarded as proportionate or ethical monitoring in these circumstances.
These functions included capturing SMS data, voice recordings of phone calls, internet browsing data, access to photos and videos, and in some cases live access to a phone’s camera or microphone.
Some products sampled for the report also contained the ability to send spoofed SMS messages that assume the identity of a captured device.
All of these functions could be carried out without the knowledge of the targeted device’s owner, despite the requirement for informed consent under the law, and pose an even larger threat to vulnerable people such as those in abusive relationships.
“Spyware is a particularly acute threat in the context of domestic and family violence and, more troubling, is that multiple companies explicitly encourage and promote the use of spyware against intimate partners,” Harkin said.
“Across our sample, a clear theme emerged from the promotional materials that the main targets of spyware were children and intimate partners as well as employees and thieves.”
While the report notes that Android and the Play Store were “significantly more permissive” with regard to how many system permissions could be granted to spyware apps, iPhone users were by no means immune to the dangers of the apps analysed as part of the study.
Another issue is that the consumer spyware vendors themselves typically had lax back-end security, endangering any data collected through their apps.
“Technical analysis of spyware reveals that software developed within the consumer spyware industry often exhibits extremely poor data security practices,” the report said.
“For instance, inadequate precautions are taken to protect or encrypt data whilst it is in transit. This creates additional risks for the exposure of highly sensitive personal information and data.”
Even though consumer-grade spyware apps have the potential to violate Australian laws and policies in a number of ways, the authors of the report note that “offensive strategies for disrupting spyware companies operating online (and across multiple legal jurisdictions) are difficult”.
However, authorities and organisations that spyware vendors rely on to operate - including Rackspace and Cloudflare - can help promote “defensive strategies,” the authors said, for example by “leveraging influence over intermediaries or commercial actors who may inadvertently host or facilitate spyware (such as Google permitting the sale of Cerberus on its Play Store)”.
“The Office of the Australian Information Commissioner also has recourse against poor practices of spyware companies, which could spur changes in how spyware companies’ products presently operate to the detriment of the security and safety of consumers, particularly women and children.”
The authors also argue that proposed amendments to the Commonwealth Privacy Act 1988 which are slated for the second half of this year should “explicitly consider amendments that would further protect the personal information of individuals from the use of consumer spyware”.
The report’s analysis focused on these nine spyware vendors:
5. Highster Mobile