On Digital Privacy and Stopping Stalkerware with EFF's Eva Galperin
Joining the podcast this week is Eva Galperin, Director of Cybersecurity for the Electronic Frontier Foundation (EFF). She is also the co-founder of the Coalition Against Stalkerware and has long been a champion for providing digital privacy and security for vulnerable populations around the world. “What is stalkerware?” many may ask. Stalkerware is considered a more personal way of invading someone's privacy such as using malware to track a person’s activity on a device.
Eva shares insights from her many years on the frontlines of digital privacy both educating the broader population on how to protect oneself while also navigating the labyrinth of new regulations and laws being created that impact digital privacy of the future. Be sure to visit StopStalkerware.org to learn more!
On Digital Privacy and Stopping Stalkerware with EFF's Eva Galperin
[01:21] Overreaching Societal Concerns on Digital Privacy
Eric: We have a critically important topic. I don't understand it well enough and I think it has very large and overreaching societal concerns that we need to talk about. And we have an amazing guest today.
Rachael: Please welcome to the podcast, Eva Galperin. She is the Director of Cybersecurity for the Electronic Frontier Foundation. During our research, I have seen all the incredible work that you've been doing for so many years, your TED Talk, and you co-founded Coalition Against Stalkerware. How did you get on this path originally? What you're doing is groundbreaking, but also has huge implications for the future of how we live. That's a heady thing to get into and lead.
Eric: What is stalkerware? I think a bunch of listeners have no idea. They've never heard the term, stalkerware.
Eva: Let's go ahead and start by talking about what stalkerware is, then we can get into how I got like this. I feel like why are you like this is a less important question than what is stalkerware?
Stalkerware is the entire class of applications that are commercially available that are designed to be covertly installed on somebody else's device. That exfiltrates data from that device to the person who bought the application.
The way that it usually works is that somebody will grab the device because often they have physical access to the device. Sometimes they even have the password to the device. Often, they're trying to spy on somebody that they are related to, that they are close to, or that they live with and they download the app onto a person's device.
How Stalkerware Exfiltrates Data
Eva: The app then hides on that device and the person who bought the stalkerware then pays for a subscription and logs into a portal. It gives them access to the information that has been exfiltrated from that device. That information can include location data if it's like a phone or a tablet, keystrokes, collect passwords, and record phone calls. It can get photos and all of the information from somebody's social media accounts.
Essentially, if they are using the device for something, there’s a chance that stalkerware can be used to exfiltrate that data. That makes it incredibly abusive and also very scary and powerful. A lot of our advice to people around privacy and security online focuses on securing their accounts, on making sure that your social media accounts, email account, and your login to your devices are secure.
But if you have stalkerware installed on your device, then all of that security is for nothing. In the end, you need to decrypt or look at the contents of whatever it is that you're doing on your device. If somebody has compromised your device itself, it can be incredibly powerful as a way of circumventing all kinds of security and encryption measures that are taken by various platforms and applications.
Rachael: How is this legal?
Eva: It's not. The question of how is this legal is actually a little bit more complicated than it's totally illegal. It depends on what kind of information the app is exfiltrating. For example, the law around recording people's conversations is very different than the law around tracking people's keystrokes or their location.
Eva: Your location data is actually not very strongly protected by the law, whereas the contents of your communications are often very strongly protected by the law. Also, there is a big difference between something which is illegal to write versus something which is illegal to sell. Something which is illegal to buy versus something which is illegal to use for illegal purposes. The question of how is this legal is actually very complicated.
To make things even more complicated, there are jurisdictional questions. For example, what state are you located in? What state is the person that is being spied on located in? Where are the makers of the app, based? All of these places often have different and sometimes even contradictory laws around whether or not you can do this sort of thing.
But interestingly enough, in Australia, a young man was just arrested and is being prosecuted for having written a stalkerware app and for having spent years selling it. He racked up something like three or $400,000 in payments from having created an app that you can use to spy on people's computers. So he specifically marketed it as a way to spy on people that with whom you are in a relationship.
He was very specifically saying, go spy on your ex, go spy on your girlfriend, go spy on your boyfriend, your husband, your wife. Find out if they're cheating or whatever. He’s currently being prosecuted. There are definitely consequences for this kind of behavior, but they don't happen very quickly and they don't happen often enough.
Eric: Many times when I hear stalkerware, my mind immediately goes to Pegasus with an NSO group and the like. But that to me is like an extreme nation-state-level component.
Common Software or Service That Can Be Bought to Breach Digital Privacy
Eric: What you're talking about is really common software or service almost that can be bought and used right over the internet for pretty much anybody, governments, jealous boyfriends, whatever it may be.
Eva: The notion that this kind of capability is available only to law enforcement and nation-state actors is simply incorrect. The reason why Pegasus gets so much play in the security industry is that they make use of zero-click vulnerabilities. It allows them to install their software on a target's phone without the target doing anything.
Commercially available stalkerware very rarely takes advantage of these kinds of existing vulnerabilities because they're extremely expensive. Usually, the people who are making this kind of stalkerware simply can't afford them. The usual way that these apps are installed on someone's device, is that the attacker has physical access to the device. They unlock the device and download the files directly onto the device. It is a level of access that Pegasus absolutely does not require.
Eric: Let me give you an example, and see if I understand this. Rachael and I are in a relationship. She has access to my phone. So she downloads something to my phone so that she can track my communications and banking. Anything that happens through my phone, my laptop, or any electronic device I have without me knowing about it. Then obviously she can do what she does with that information. It's almost the inverse of what I want for my son's phone, which honestly I'm really struggling with. He changes his account every 15 minutes when I turn on Apple, find my iPhone, and tracking software on for him.
Eric: There are some really significant consequences to this. Do you have any examples of where people have been harmed or it's impacted people's lives?
Eva: Yes, actually there are many cases of stalking via these apps, which is why we call them stalkerware. It’s a prelude to other forms of abuse, including physical abuse up to and including murder. That's how that happens.
Rachael: Wow, that's so scary. I don't feel like people are really talking about this at all. We already know that there are challenges with domestic abuse and trying to get away from that. But this just adds a whole other layer of complexity and trying to get away from people who are trying to do you harm or others. Why aren't more people talking about this? It's crazy.
Eva: Well, people do talk about this. They look at it rather differently. The first is that often this software is sold as a way of monitoring your kids. Monitor your unruly teenager, and keep them from sneaking out of the house at night. Now, having said that, there are entire classes of software that exist that will
It will send you the messages that your kid is sending, or will report the location of your child's phone at all times. The difference between this sort of kidware and stalkerware is that stalkerware is designed to hide on your phone. It's designed to leave people with the impression that they are not being spied on, it's designed to lie to them. Kidware on the other hand is much more straightforward. The sort of family tracking.
[12:45] Why Spying Is Defacto Abusive
Eva: You know that you have Life360 installed on your phone, you know what it does. It sends you regular reminders that Life360 is there. That is different. In some ways, it can also enable abuse and it can also not be great, but it is not defacto abusive. If you are spying on your partner specifically in this way designed to make them think that they are not being spied on, that is in and of itself abusive.
The other way in which people frequently talk about this is, essentially, it’s somehow okay to track your partner or your ex, or your spouse if you think that they are cheating on you. This is something that I see really often. People come to me and say, my partner is cheating on me, is abusive, or is doing something bad. What I really need to do is I need to get proof that they are doing a bad thing. So I need to install this software on their phone or on their computer or on their tablet in order to get proof.
Now, this is actually not useful proof in a court of law. In order to get this proof, you have to break the law yourself. Furthermore, it is morally and ethically not great. Essentially, you are trying to prove abuse by becoming an abuser yourself, which is something that I very strongly discouraged.
But a lot of people simply think that the suspicion that their partner is cheating on them justifies this. That spying on a partner that you think is cheating on you is not in fact abuse and they're just wrong. If you think your partner is cheating on you, leave them. Just leave them. You don't need proof.
How Spyware Is Like an Ex-Boyfriend Spying on You
Eric: Such a practical answer. Rachael, did you ever have an ex-boyfriend or somebody who is spying on you, going through your stuff, following you, tracking you? Maybe not with spyware.
Rachael: A long time ago, when we broke up, he kept unbreaking up with me. He followed me everywhere.
Eric: He didn't want to break up. How'd you feel?
Rachael: It was horrible. It was scary. Broke down my door. It was a whole thing. Stole my dog. It’s like a country song. It was terrible.
Eric: That was before spyware and the ability to read your every, maybe not thought but action. Think about that from that perspective.
Rachael: I shudder to think. That would've been horrifying.
Eva: I'm so sorry this happened to you. I very frequently talk to people who have stories like this. Almost everyone I know has a story of a bad breakup in which something like this happened. I just want to emphasize that this is not just something that happens to women, I also hear from men who get spied on and who get followed. They get threatened. I don't want to turn this into a women-only problem. This can happen to anyone and it's abusive no matter who it's happening to.
Eric: It's an outright invasion of your privacy regardless of gender or anything else.
Rachael: It doesn't discriminate at all.
Eva: When we turn this into a gendered problem, we silence men who don't feel comfortable coming forward. I think that is also a terrible shame.
Eric: My mind is going now to the recent Supreme Court, Dobbs, what do we call it? Proclamation, a change in direction.
Who Will Feel at Risk Against Digital Privacy Spywares?
Eric: Yes. It concerns me, and this will be gender specific, but that's okay. It's our show. There are a lot of women who will at least feel at risk if not actually be at risk if the state, local, tribal, or government organizations are able to use this type of technology to track their money.
Eva: This is definitely a risk to all people who may become pregnant. I think that that is very serious. The kind of risk that we are seeing right now is different. If you look at the prosecutions of people who are being prosecuted for their pregnancy outcomes, usually the people who are being targeted are poor women of color. The evidence that is being used against them is usually SMS messages, phone calls, and emails.
I think also Facebook Messenger messages, as you can see from the recent case in Nebraska. That's one of the reasons why EFF is pushing really hard for people who run platforms to make sure that all of their communications are end-to-end encrypted by default. So that when the government shows up with a warrant for the contents of communications, then Meta simply does not have them.
Meta, in addition to owning Facebook, also owns WhatsApp. WhatsApp has two billion users and every single message on WhatsApp is end-to-end encrypted by default. It's not like they don't understand how end-to-end encryption by default works. They just haven't made it a priority to end-to-end encrypt all of their messaging options. Facebook Messenger has really come last and this woman in Nebraska has really paid the price for it.
Encryption Is Critical
Eric: I really think the way you said that the platforms need to ensure that encryption is so critical because we're dealing with uninformed users. I have no idea what percentage of Meta's users or anybody else's understand end-to-end encryption. Even know what it means or how to look for it and choose one communication mechanism over another. But if the platform provides it, even an uneducated user base will have the protections that they need. To me, that is the way to do this at scale.
Eva: We need end-to-end communications all the time by default for everyone.
Eric: But doesn't that go against the platform's desires for enhanced marketing data so that they can use it to better advertise? Sell their product and increase revenues if they can't see what's happening.
Eva: There are ways in which this does cut off one potential revenue stream. But surveillance capitalism is not the only possible way of making money while running a tech company. If you put your users at risk in order to continue selling them things, I think that that is really profoundly unethical.
Furthermore, we can actually see companies having moved towards more encryptions, specifically in the years following the Snowden revelations.
You could see that we essentially encrypted the web. One of the reasons why we encrypted the web was, it turned out that the NSA was spying on nearly all web traffic. That includes the web traffic of people inside of the United States, and the web traffic of Americans, which is something that the NSA is specifically prohibited from doing. The companies responded to this by essentially saying, no, this is our data.
Apple’s Structure Process for Digital Privacy
Eva: These are our users and we're not going to sell them out to the NSA. There's a precedent. Companies and platforms have done this before, and all I'm asking them to do is to do it again.
Eric: What is the response you're getting? Companies are making that decision consciously. I would say you see it with Apple where they've got a structured process that's not perfect. But I think it's pretty good to try to protect user data to look at only metadata which has no identifying characteristics down to the individual. But big data is big data. Even if you have the best-laid plans, that doesn't mean somebody can't take that data and correlate it down to an individual or a class of individuals in my experience. I don't know your thoughts there.
Eva: Certainly. But there's a difference between using that kind of aggregated data and giving governments and law enforcement access to the contents of people's communications. That's really where I'm asking for end-to-end encryption. I am also asking platforms and companies to look at the other forms of data collection that they are doing. To think about how they are going to protect people who are pregnant or who may become pregnant, who may be prosecuted for their pregnancy outcomes.
But that is a different question. That is not a problem that can be solved with end-to-end encryption. Having said that, location data is not very strongly protected by US law, and that's one of the reasons why. In addition to all of that, location data could give away a lot of very important information about what a person is doing vis-à-vis their pregnancy outcome.
[23:30] How the Government Is Stepping Up for Digital Privacy
Eva: For example, it is possible to essentially request the location information of everyone who has gone to a specific Planned Parenthood clinic and that information is for sale. Interestingly the FTC has just sued a data broker for making this kind of information available for sale. I think we're starting to see some really interesting government pushback and I'm excited about this.
Eric: When you say the FTC has sued a data broker, they're trying to stop the discovery and usage of location information to harm people?
Eva: Yes. Specifically they are suing a data broker that was selling location data having to do with health outcomes and trips to Planned Parenthood.
Eric: So we are seeing the government step up on the side of the individuals here, trying to protect them.
Eva: Well, it depends on what you mean by the government. There are many different government actors that have different priorities right now. And so we're starting to see some parts of government hit it against other parts of the government.
Eric: In this case, the FTC. But we may have a state or local government who's soliciting that data from the local provider, whether that's AT&T, Verizon, or whomever, to understand where somebody went.
Rachael: How could you protect yourself? If I wanted to lock it down, is there an app for that where I can block any app that can track me or shut it down? Is there a way to do that easily or is it something where you would have to really dig into settings and do it app by the app? How do we get ahead here?
What Information Are You Tring to Protect?
Eva: You need to start with what you mean by locking it down. What information are you trying to protect and who are you trying to protect it from? Because trying to protect everything from everybody all of the time is a good way to drive yourself crazy. I get people asking me, do you use social media, Facebook, TikTok, whatever?
Often if they have come to me as a privacy or security expert, they're surprised that I don't live on a mountaintop having thrown all of my devices into the sea. Or that I don't live in a state of constant paranoia. And I don't. I have sat down and thought about what information it is that I want to protect, who I want to protect it from, and how they are likely to try to get that information. How much trouble am I willing to go through in order to stop them?
There are a couple of things that all of us can do that are just good privacy and security hygiene. The equivalent of eating your vegetables and washing your hands that I recommend to everybody. Everybody should have a password manager. They should make sure that all of their accounts have strong, unique passwords and turn on the highest level of two-factor authentication that they're comfortable using.
Eric: We have a recommendation there. Rachael, how are we doing? I know we spoke last week about you trying one banking account with multifactor authentication. Sounds like that's a strong recommendation yet again.
Rachael: Well I did put multifactor on all my email accounts, and then I tried it on a shared bank account with my mom.
How Multifactor Authentication Protects Digital Privacy
Rachael: But since I guess it defaults to her number to verify, I had to call her to give me the number, which isn't very secure.
Eva: Does that account allow you to use an app for multifactor authentication? Because in that case, I recommend rather than using a phone number, you should use an app like Google Authenticator or Authy.
Eric: But regardless, multifactor authentication is critically important here. Along with unique passwords, which are managed by a password manager, which we're working on.
Eva: Yes. And 2FA linked to your phone number where the second factor is sent over SMS is the least secure and easiest to foil version of 2FA. It's better than nothing, but it's also not great. What I really recommend that people do is use an authenticator app like Google Authenticator or Authy.
Eric: It's been dozens and dozens of shows where we're trying to get some multifactor authentication into Rachael's life. She likes the ease of not using it.
Rachael: Well, that's the thing. It's inconvenient a lot of times and sometimes you just need to get something done very quickly. I have two phones and if you have to authenticate on a phone you don't have with you. Then you can't do what you need to do. I think a lot of people feel that way.
Eva: Well, the good news is there is an app for that.
Eric: So people are using multifactor authentication, they're using password managers. What else do you strongly recommend?
Eva: Take your security updates. It’s much like washing your hands and eating your vegetables. Most of the exploitation of systems that we see is not the result of the dreaded zero days, which are exploited by Pegasus.
Why Exploitation Happens
Eva: Usually, exploitation happens because of a vulnerability that is already known to the company. That has already been made public and that the company has already fixed. But if you don't download the fix and apply it to your device, then you don't get to benefit from that fix and your device or your application remains vulnerable. That’s a really serious problem. In addition to all of the things that you need to do in order to protect your account, you should also be protecting your apps and your devices by taking your security updates.
Eric: If a jealous boyfriend or girlfriend, doesn't matter the gender, installed an application and had admin access to your device. They installed the application and turned on keylogging or data capturing of some sort. Patching and updating will help you in cases where a known vulnerability that that application is exploiting is patched. But you still have the problem where if somebody gave that device, that application the ability to record location data and share it. Or the ability to capture data through the application, even if fully patched you may have a problem.
Eva: Yes. Dealing with stalkerware is different. That is a different sort of attack. The way that you deal with stalkerware is if you are concerned about your desktop machine or you're concerned about your Android device, you should download an antivirus program and run it. Because of my work with the security industry and with antivirus companies, it should detect most stalkerware, tell you that it's there and give you the option of removing it.
Eva: You may not necessarily want to remove the stalkerware because letting your stalker know that you are onto them might lead to some forms of escalation. But at least, that is a choice that you have, which I think is very important. If you are worried about your iOS device, then things are a little bit different. The iOS ecosystem is much more locked down than the Android.
Now, as a hacker and a security professional, I like a more open environment because it allows me to do lots of neat stuff. But with great power comes great responsibility and Apple has chosen to take the reverse approach. So we lock everything down and keep apps from being able to do things. And that includes being able to run effective antivirus. It also limits what you can install on a phone. You need to be able to get your app into the App Store.
Certainly, stalkerware is against the terms of service of the App Store. That doesn't mean that this stuff doesn't occasionally sneak in. Sometimes when it does, I find it and I have to go call Apple and we have a chat. But for the most part, if you are worried about the security of your iOS device against stalkerware, stalkerware is probably not the problem that you're having. It is almost certainly a person who has compromised your Apple ID.
If they compromise your Apple ID, then they can pull all kinds of information down off of your device without ever getting anywhere near your device. They just log in as you. They can essentially just pull down a saved copy of your phone on a regular basis.
[32:54] Personal Safety User Guide
Eva: Apple has a guide for how to shut down most of the common ways in which this works, and it is called the Personal Safety User guide. You can find it over at Apple Support.
Eric: But really the first thing that comes to mind as you're saying that is changing your Apple ID password. If you think somebody is spying on you, start there on your iOS device.
Eva: Yes. You should change your password. You should also have 2FA enabled on your Apple device. Also, you should go look through the Personal Safety guide. You should walk through their checklist for the ways in which these kinds of devices are most commonly compromised.
Eric: If somebody feels that they're being spied on in their relationship or really whatever, where would you recommend they go? Stopstalkerware.org is a good first stop, but how do they educate themselves? How do they figure out how to get help?
Eva: Well, stopstalkerware is a good place to start. We have an entire page of resources, including organizations such as the National Network to End Domestic Violence and Operation Safe Escape, which provide really excellent support. Additionally, you can go to ssd.eff.org, which is surveillance self-defense over at the Electronic Frontier Foundation's website. It’s where we have all of our privacy and security advice, which is not specifically about stalking.
It’s more broadly about the privacy and security of your digital devices. It has a bunch of different walkthroughs as well as a bunch of articles about how to think about security. For people who are concerned about their safety, who have a current or former partner or a stalker, or somebody with physical access to their device, I recommend a couple of different things to them.
A Bunch of Things We Can Do for Digital Privacy Protection
Eva: The first is that they should take all of the advice that I have already given about passwords and account security. They should change their passwords, download AV for Windows and Android devices, and walk through the Personal Safety User guide for Apple devices. Those are a bunch of things.
The other thing that I would caution people to look for is if you are still parenting children with your abuser. If you have children who are going back and forth and those children have digital devices, those are very commonly used as a vector of spying. And physical trackers, so things like Tiles and AirTags.
Eric: Tile, AirTags, they're basically the same thing. You may argue one company's security is better than the other. I'm assuming you're not a fan.
Eva: Not really into them.
Eric: So the benefit doesn't outweigh the risk.
Eva: It's not up to me. No one has called me up and said, should we just stop manufacturing physical trackers? Physical trackers are very commonly used for stalking and as tools of abuse. I have been working with the industry to create some best practices that will allow people to see whether or not those trackers are following them. Ideally by default on all phones, so people don't have to download the specific app for every type of tracker.
Run a physical scan for every kind of tracker using every kind of app, every time they think that they might be being followed. It is the situation that we are in now, just kind of a hellscape.
How a Stalker Tracks Your Movements
Eric: If you're in a relationship where you think you're being tracked, be aware that AirTags, Tiles devices, and whatever else may be out there, is a good way that a stalker could use to track your movements. If you find a random Tile in your handbag or in your luggage, recognize that there's some risk there.
Somebody's probably tracking you and you need to think about that problem and look at your device and understand. Probably go get informed here on what else they could be doing because somebody is obviously interested in your movements and activities.
Eva: The most common sort of tracking that we see is tracking someone's car. We often find these devices hidden under the bumper or sometimes even the inside of the car between the cushions and the back seat.
Rachael: I do want to talk about one aspect of your work with the Coalition Against Stalkerware. By the way, congratulations, I think you guys got the J.D. Falk award last year. You're making such great movement forward in what seems a very short amount of time. One of the things that struck me was talking about a Maryland bill.
It requires training for law enforcement agencies to recognize cyberstalking and electronic surveillance. From all the documentaries I've seen, that seems to be where a lot of the prosecution parts fall down because they just don't have the means. They don't have the know-how. This seems like a very important bill for more states to bring online.
Eva: I am very optimistic about the power of this training to change the way people who are concerned about electronic stalking are treated when they come to law enforcement.
A Computer Crime Versus a Digital Privacy Case
Eva: Because one of the big problems that I see and I have worked with people who have been stalked, and people in abusive relationships for many years now is that they go to the police. They bring them evidence, they bring them their concerns, and the police say, this sounds like a computer crime. A computer crime is very complicated and it needs to go to our computer crimes department, which is like these six guys. They're very busy and they have all been told to prioritize cases having to do with a financial component. And so they just never get around to your stalking case.
Now, in situations where someone is being followed by an AirTag, it's really easy to just send a subpoena to Apple and find out who's AirTag that is. In situations where somebody has found a stalkerware that has been detected with antivirus, it's possible to send a subpoena to the company. Find out who is using this stalkerware, who's logging into that portal, and whose credit card was used to pay for this.
You can find out a lot of information and you don't need to do forensic analysis in order to do that. That's the kind of training that I would really like all law enforcement to have. I think it would really improve the experience of people who are coming to law enforcement about these stalking situations. It would allow them to better respond instead of just gaslighting the victims.
Rachael: I've been reading more lately, I guess people who are so frustrated with law enforcement not really being able to help them. They just take matters into their own hands and sometimes in a very dangerous fashion.
A Dangerous Behavior
Rachael: They're like, I'm going to figure this out and I'm going to get what I need to get justice here. It's fascinating stories, like watching a movie, but that's very dangerous behavior too. But if you don't have recourse, what do you do?
Eva: Well, it depends on who you are and who are you being spied on, and what kind of resources you have. This is the thing that really varies from person to person. I try to really not to encourage people to do things that are going to be physically dangerous to them. As well as acknowledge that people have very different situations and also very different appetites for risk. I am never going to blame a person who is being stalked or abused for not taking action against their abuser because that is up to them. It's not my job to shame people, it's my job to help them do the thing that they want to do.
Rachael: It becomes a sense of power too to try to take the power back and people got to do what they got to do.
Eric: The last question for me is, do you see this problem getting better or worse in the future? Awareness is increasing, but so is the technical capability, and technical knowledge of stalkers. You started the show with, there are services out there for employing this capability. Do we get ahead of it or does technology take off and this problem becomes worse and worse in your expert opinion?
Eva: Neither. I can tell you exactly the same thing that I say about nearly everything in information security, which is that it will get better and it will get worse. That it will continue to be a cat-and-mouse game.
[42:56] An Appetite for Stalking and Invading Digital Privacy
Eva: There will always be an appetite for these kinds of stalking tools, but we can do a lot to make them less effective. We can do a lot to make them harder to install, easier to detect and increase the consequences of being caught using these tools. There's a lot of pressure on both sides. We need to keep pushing on the side of detection, on the side of consequences, and on the side of privacy and security, otherwise, it will absolutely spin out of control.
Eric: I'm just thinking education and awareness to me seem like the number one priority here. People don't even know what the art of the possible is.
Eva: They don't always know. And when they do, they don't understand what the limits of these tools are. More importantly, the people who use these tools still think that they're okay and they think that they are justified. This is a very common misconception. One of the things that we really need to do is to call out this kind of abuse as abuse when we see it every time. Whether it is parents secretly spying on their kids or someone secretly spying on their ex or someone spying on their current partner. Just tell them that no matter how justified you feel, this is unethical and also probably illegal and you should stop.
Eric: I have the visual in my mind, I'm going to go to the physical world for a second. It's almost like a burglar or a stalker sitting on your living room couch. Watching you do everything you do when you go home at night and just sitting there, except they're on your device.
Eric: They can read not just your thoughts, but really more what you're putting down. It's almost the physical world equivalent of having your stalker in, sitting on your couch, and watching every movement. It is scary.
Eva: It's incredibly invasive.
Eric: Stopstalkerware.org. There is a ton of good information up there, no matter what you think you know, I learned a ton on that site. Just how to reframe, and rethink the problem, I think it's outstanding. This is a problem that we'll continue to deal with as time goes on so get informed.
Rachael: Eva, thank you so much for joining the podcast today. I've learned so much, but also my mind's blown because I just wasn't thinking about it in these contexts. It's great to know that there are so many resources out there to educate and inform. I can be proactive about how I want to help better protect myself. And I know our listeners absolutely appreciate that.
We've got some big news to share with all of our listeners. For those that have been longtime listeners, Eric was one of the original hosts of To The Point Podcast when it started back in 2018.
Eric: Show one. What show are we at right now? 203? 204?
Rachael: We're in the 200s now. We just broke the 200s. That's a lot of episodes over the last four-ish years. I'm really sad to say that Eric is leaving the podcast after today's episode. This was his last episode. I'm just very sad to see him move on.
A Farewell to Eric
Eric: It's the best part of my week. Eva, I wouldn't have met you without the show. We wouldn't have had a platform to talk about this stalkerware challenge. There's a tremendous amount of learning that comes into my life because of these shows, and I'm really going to miss the show. But Rachael, I'm going to miss you more than anything. It’s been an absolute pleasure every week talking to you, to our amazing guests, and speaking so that people can learn more about the topics we cover.
Rachael: We're going to miss you, Eric. But I do hope that you will come back as a guest in the not-so-distant future. We'd love to keep up with what you're doing and what you're working on. I hope you're never a stranger to the podcast when we reach out.
Eric: How could I ever turn you down? Anyway, thank you to all of our listeners. It's been a great four years and you're amazing. Even though we don't really get to interact directly with you, it's very unidirectional, but it's so enjoyable each week.
Rachael: It really is. To all of our listeners, thanks again for joining us this week, and until next time, be safe.
About Our Guest
Eva Galperin is EFF's Director of Cybersecurity. Prior to 2007, when she came to work for EFF, Eva worked in security and IT in Silicon Valley. She earned degrees in Political Science and International Relations from SFSU. Her work is primarily focused on providing privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything. From organizing EFF's Tor Relay Challenge to writing privacy and security training materials (including Surveillance Self-Defense and the Digital First Aid Kit), and publishing research on malware in Syria, Vietnam, Lebanon, and Kazakhstan. Since 2018, she has worked on addressing the digital privacy and security needs of survivors of domestic abuse. She is also a co-founder of the Coalition Against Stalkerware.
Listen and subscribe on your favorite platform