Cybercrime investigator Eva Galperin, 45, forged her career investigating privacy violations against journalists and activists in dictatorships and conflict situations — she discovered cybercrimes in Vietnam, Tunisia and other countries.
Galperin’s trajectory changed in early 2018 when she heard from a friend that she was being abused and blackmailed by a male hacker.
The researcher herself, who today heads the cybersecurity area of the American network rights organization EFF (Electronic Frontier Foundation), called herself, at the time, a hacker, in the original sense: someone who dedicates herself to understanding and modifying computer systems.
The difference is that this male programmer used his technical knowledge to threaten to compromise the victim’s computers and smartphones. “I’m a punk, not everything I’ve done in the past is nice to look at. It could destroy my life,” the woman reportedly told Galperin.
The cybersecurity specialist then offered to help that acquaintance. First, she noted that the programs for carrying out this form of espionage were generally not complex. At the time, she also realized that commercial antiviruses were not good at recognizing these programs called stalkerware.
Afterward, Galperin took to Twitter to offer help to other women who had been sexually assaulted by a hacker who threatened to compromise their devices. The post went viral and received tens of thousands of retweets in just a few hours, when X was still called Twitter.
According to her, women, LGBT+ people and non-white people are more vulnerable to this type of crime.
In conversation with the report, the expert states that developing protections against these spousal espionage viruses does not provide money, such as solutions for companies, nor prestige such as discovering state surveillance against opponents and journalists.
“It doesn’t make headlines in the New York Times or the Washington Post.”
Galperin came to Brazil on Tuesday (12), to open the main cybersecurity conference in Latin America, Mind The Sec, held in São Paulo.
Galperin cites cybersecurity magic words to appear on the cover of a newspaper or magazine. “Zero click [vírus que infectam dispositivos sem cliques]day zero [primeiro evento do vírus] and billions of dollars are sexy terms that guarantee prominence. Companies in the area want to show that they are the smartest.”
Partner spying programs do not use complex strategies. The most common ones require the person to access their spouse’s device and install spy software, which then becomes invisible.
The virus then sends geolocation information, messages and social networks from the victim to the attacker.
Brazil, for example, has its own stalkerware, such as “Web Detective.” The spy program allows a free trial for 48 hours and then charges from R$66 per month (on the semi-annual plan) to operate.
“All plans include WhatsApp spy, Instagram spy, Facebook spy and location spy,” the virus website says.
There are also other Brazilian stalkerwares in this market, which should not even exist, as these applications are not allowed by the App Store (Apple) and (Play Store) regulations.
“People download the installer directly from the website”, explains the EFF director. To emulate legality, some of these applications present themselves as parental control programs, although the advertising on some of these sites cites concerns about cheating to encourage purchases.
“There is no justification for spying on someone without information and consent. It is always wrong,” says Galperin.
Internet stalking is included in the Brazilian Penal Code and has been considered a criminal offense since April 2021.
The article that typifies stalking describes the crime as the act of “persecuting someone, repeatedly and by any means, threatening their physical or psychological integrity, restricting their ability to move around or, in any way, invading or disturbing their sphere of freedom or privacy.”
Galperin states that, since offering help on Twitter, he has received requests for help from people involved in different relationship configurations. Still, abusive men are the most common.
The expert says that the male, white and heterosexual predominance in technology teams makes women, LGBT+ and non-white people vulnerable. “The industry as a whole has a bias towards protecting devices, not people.”
This does not, however, diminish the importance of monitoring explosive cybersecurity episodes, such as the invasion of a Russian journalist’s iPhone by the Pegasus spy app, which infects smartphones without clicking. The occurrence caused Apple to launch an emergency repair for its devices.
The report by the independent organization Citizen Lab triggered a rapid response from Apple that restored protection for millions of users around the world with an emergency repair.
An attack of this complexity, however, is unusual, as finding the necessary loopholes for a spy program to work without clicks is expensive.
In November 2019, Galperin founded the Coalition against Stalkerware to reinforce the fight against digital espionage.
The EFF director says that, since then, there have been advances based on court decisions, training of police forces and measures by regulatory bodies.
The United States Federal Trade Commission (FTC), for example, has already sanctioned some stalkerware companies for exposing victims’ data.
In Brazil, WebDetective experienced an information leak in August, which exposed 1.5 GB of sensitive data from around 76 thousand victims of the app.
Today, the efficiency of antiviruses in detecting stalkerware has also increased and is on average above 80%. Before 2019, this rate was below 50%, Galperin showed in a presentation at Mind The Sec.
Galperin also adds that stalkers can use, in addition to malicious programs, physical devices. One example is the Apple AirTag locator, which sends real-time location data to a synced iPhone, iPad, MacBook or iMac.
For anyone who has an Apple smartphone, the proximity of a new AirTag sends an alert. Android owners do not receive this warning automatically. All that remains is an audible alarm if the device spends three days away from the synchronized device.
“What if the person being spied on lives with the spy? If they see each other every three days”, asks Galperin.
After repercussions in the press and pressure from civil society, Apple developed the Android app Tracker Detect, which locates Air Trackers. The feature is not automatic, like on Apple devices.