Spyware increasingly a part of domestic violence

I remember when webcams first started showing up on laptops, it was not uncommon to see laptops with a physical lens cover. Even as late as 2007, you could find laptops with a lens cover (like the one pictured in this review).

Wondering if these are even available on laptops today, I did a little searching and found a Lenovo blog post from July 2010 talking about designing a “standard physical on/off shutter” because “of government departments, utility plant operators and home office customers who have demanded a physical webcam cover” due to various privacy concerns. No mention of your typical home user, however.

I don’t want to descend into the realm of tin foil hattery, but I find it interesting that the more common webcams became, the less common any sort of physical cover or shutter became. Why were these phased out? Cost or convenience? Aesthetics?

In light of all the webcam spying by everyone from our principals to our presidents, I hope we can see a movement to pressure manufacturers to restore these covers.

1 Like

Nope. He or she was only arskin’ if it’s OK to be neutral etc.

Is it OK for your employer to watch you in the toilet?

Maybe. As long as the employee can watch the employer?

Perhaps if everyone can ‘spy up’ as well as ‘spy down’? Such issues aren’t solely about the technology but about their use in power relationships. Maybe it was only when los poderosos appreciated that anybody can murder anybody that a law against murder was introduced. Or is that too cynical?

2 Likes

Being legal and being right is not the same. Owning slaves was legal too.

I’m glad for living and working in socialist Europe where people don’t lose their basic rights just because they’re employed. Even when working I have a right to privacy. If an employer gets funny ideas we have unions which will sue the shit out of them (I know in the US unions are seen as some sort of crossover between mafia and a communist fifth column …).

3 Likes

The arms race has already been on, for some years, and it isn’t pretty. Name any major antivirus vendor, and you have your pick of low-priced, relatively easy to use, ‘crimeware’ kits that run circles around them.

I don’t speak as an Elite Security Expert; but among workaday IT/sysadmin types, it’s gotten to the point where we don’t even bother trying to ‘clean’ an infected system anymore, and count ourselves lucky if antivirus software even warns us. We do sometimes inspect a system in greater detail before paving it flat, for forensic purposes and to provide samples to our vendors and try to mitigate future attacks and attacks on others; but we don’t even pretend that we are half as smart as the bad guys are.

Your average domestic-violence perp is probably dumb as a rock when it comes to computers; but the weapons you can buy are so far ahead of the defenses you can buy that that hardly matters. Once you add the possibility of physical access, social engineering or control of account information to gain control over ‘cloud’ services, customer service password recovery, etc. and possibly some violent coercion if subtler tactics fail, it’s game over man, game over.

In situations where ‘just nuke from orbit and start from clean media’ isn’t an option (don’t want to give up an email address/contacts, limited knowledge, partner retribution if a tap unexpectedly goes dark, etc.) you are talking a nation state/reasonably high end security contractor level problem.

There are some useful takeaways: “Webcam LED exhibiting any odd behavior? Odds that it’s a bug? Close to zero. Odds that it’s a problem? Alarmingly high. Nuke it to hell, yesterday.”, “Do you now, or have you ever, shared passwords, password recovery data, accounts, credit card numbers, etc. with somebody you are now experiencing togetherness problems with? Change it. All of it. Now. New passwords, new answers (preferably false and not trivially obtained from public biographical information) to security questions, revocation of any and all OAuth or equivalent access delegation, warnings (if the company will accept them, and if not, why not?) that you have a persona non grata likely to try social engineering attacks against you specifically, wipe whatever you can, scorch the earth.”

The situation is hugely lopsided, though.

1 Like

Thickness, I expect. Back when LCD assemblies, and enough lid/bezel to keep them safe, were pretty bulky items, the choice was throwing in a dirt-cheap webcam cover or a comparatively expensive superior optics package in the available extra space.

Now we want our laptops/tablets/cellphones thin, light, and so smooth and seamless that you’d swear they were built atom-by-atom from unobtanium by nanobots.

Corporate, where aesthetics still take (somewhat) of a back seat to the humorless demands of IT’s Security Hardasses, is probably the last holdout; but even they are increasingly offering a camera-less model, where that unit simply isn’t installed at the factory, or a consumer-standard camera arrangement, depending on which box you tick.

Perhaps less alarming from a ‘naked pictures of you showing up in the dark corners of the internet’ angle; but still an issue, have you seen what a contemporary array mic (almost certain not to have any sign of activation, ever) can do? Damn spooky, those things; and a good MEMS mic is maybe 1.5mm on a side, ~1mm thick, some don’t even need a hole in the case (just a direct coupling to a suitably resonant part of the outer shell) and they work like black magic.

Have you ever heard the term ‘mission creep’?

1 Like

Quoted for truth.

It’s also how abusers get access to things like your computer or phone. You don’t have to hit someone to make them do what you want.

I have some experience with the concept of having sensitive business or governmental data access 24/7 and being expected to work on it outside normal office hours (and the normal office). In the cases I know of, the data is well protected: there’s an entire system to log on remotely and nothing is remembered on whatever device you are using if it is not a company-secured one.

Still, your point is valid: if a company trusts your judgment enough to have you working on such sensitive info, then they shouldn’t simultaneously treat you like a suspect. Except, the higher the clearance, the more temptation and the more ability to cause damage if ethics do become twisted.

Personally, I trust front-line workers a lot more than I do the executive suite gang, anyway: ambition and power draw ethically-challenged people like moths to a flame.

1 Like

What if you have several user profiles on one machine and some of them are password protected (including the admin) but not all of them?

Yeah - I started off by saying whether it was OK - not somehow positing that spying was illegal. And while your reply sounds very concerned, I also mentioned that I don’t use the internet at my job and so I was talking about what was acceptable on a human dignity level and workers’ rights level. Many people can’t just ‘quit today’, and in a whole lot of the world, workers might not have computers at all if their companies didn’t provide them, so the spying goes way beyond knowing that there are trackers on this one of various first world machines you use.
For instance - in the country where I work, the government did a big push to get netbooks out to (supposedly) all schoolkids and public school teachers in the country to bridge the tech gap that disfavors working class and poor people. If the employer (in this case the national or city government) had put spyware on the machines to track what websites teachers and students go to, for instance, there would be a damning political advantage to knowing that in terms of propaganda for campaigns and considering that most teachers have to travel around to a few schools every day, they will probably get on social media on breaks using the tiny netbook, instead of schlepping around a huge laptop in addition to be more private (or they probably only have a desktop at home). There would be no cute little trick of chumming up to IT so that they didn’t get busted for using a machine on company time, because that doesn’t happen when you have 30-60 needy little mammals jumping all over the place in class, and because they would never know who IT even was, since it exists as an entity somewhere in the edu ministry. It’s just not OK to invade privacy in that way, and, as the original post stated, all these little invasions leak out into the market for use by violent spouses and other types.

Will there be an upcoming BB piece on the phenomenon? With pictures?

I have huge problems with it, but there are even bigger problems at workplaces that unions have to deal with so I don’t expect any action to happen soon. I do remember a while back reading that a UK company was blocking a union site (probably the IWW) as an extremist website, which is illegal. I don’t have any links to it and my memory of it is fuzzy though.

I was also horrified by the implications of ‘bring your own device’ as well.

I really think Mr. Riggen deserves the credit for that orthographic innovation.

I have this experience with ads in my iOS apps. I understand that ads are the cost of “free” applications, and to a point, I’ll put up with them (or purchase the ad-free version of the software). My “oh HELL no” point, however, came when some devs started allowing video/audio ads that auto-played. This breaks the rule of “my phone-computer should never, ever do anything that I don’t ask it to” in a very intrusive fashion, and any app that pushed such ads at me got immediately un-installed, with extreme prejudice, and a negative review left.

I know the tipping point would lie elsewhere for others (including some for whom iOS in general is a no-go) but for me, causing my device to make noise in public when I intended it to be silent was a declaration of war.

4 Likes

As a relationship counselor (aka Marriage and Family Therapist), my take is that it depends.

Trust violations like affairs, or addiction problems that cause serious consequences for one’s partner, sometimes require extraordinary efforts to repair. Janice Abrams-Spring, in “After the Affair,” talks about “high-cost” and “low-cost” behaviors that might be involved for a couple who decide to stay together after infidelity. The unfaithful partner is primarily accountable for doing “high-cost” behaviors if requested by the hurt partner, which might include “I want you to ask for a transfer to another office so you no longer work with the person you had the affair with,” or “I want passwords to your online accounts for a period of time so I can feel sure that you’re not communicating with the person you cheated with.” Worked out in an ongoing way with the help of therapy, in most cases.

So I could see a spouse who was seriously impacted by a partner’s gambling asking to have some way of “keeping tabs” for a period of time, until they felt like the gambling partner was solid in their recovery and was being honest with them. The overall point would be for the gambling partner to demonstrate trustworthiness, so that the hurt partner has something other than “trust me, it’s over!” to go on. And obviously, this would be a scenario in which the spyware was installed with both parties’ knowledge and consent.

Installing it without the gambling partner’s knowledge? I would caution against it in a situation where the couple was trying to stay together - the whole point is to increase trust, and acting in an untrustworthy way (spying without the other person’s knowledge) won’t help that. If I were seeing the hurt partner alone, I’d try to raise their awareness about the possibility for undermining the very thing they’re trying to build: a more secure, trusting relationship. (And I’d strongly suggest trying to get the couple in therapy together.)

I could see a client who’d decided s/he wanted to move toward a divorce making this decision in the belief it might help keep tabs on the joint finances while the separation and divorce were occurring. I would still caution them about how this would look if the information became known (say, through a set of demands in the divorce filing), and point out that this would be likely to escalate conflict between them and their ex, while also opening the option of the ex doing similar spying. Ultimately, if I were seeing the hurt partner alone, I’d have to let them make their own decision but I’d want to make them aware of the potential negative consequences.

3 Likes

I use workplace-issued computers and Internet (find me a business bigger than a taco stand that doesn’t, these days) and while my employer has made us all sign a MOA regarding appropriate use of work computers, there are several gray areas. What if I take my break and use my work computer to surf the web? I’m okay with some limits (porn would be inappropriate, for example) but within reason I should be permitted. I also do work-related searches that can be considered borderline, like looking on ebay for supplies when I have an ebay account of my own and will check it while I’m there. I have used the traditional Post-It pasted over the lens of the computer’s camera. There is a fine line between reasonable use and abuse, both for employees and employers.

1 Like

Don’t be so sure. There’s a popular stereotype that (male) DV perps are poor, un-educated, drooling meat-head types whose homes are piled high with empty beer cans and overflowing ashtrays. Those are just the guys who get caught and prosecuted (and featured on COPS), though. The Genius Bar employee and the database engineer and the start-up CEO and the IT guy who wears a tie to work are just as likely to be possessive, controlling, and jealous with their partners (male or female).

2 Likes

That’s my breaking point too. One mindless game I play while waiting in lines does the auto-play thing, with military recruitment ads. I can’t exactly get mad at the Army or Marine Corps, so that just makes me madder.

What, MRAs? Already? Fucking hell. Welp, I’m tired and achy, I might go pick on them to make me feel better. How rude can I be without getting Dragoned?