Guide:Resisting technological domestic abuse


The purpose of this guide is to help victims of technological domestic abuse resist surveillance and recover from privacy or security compromise by perpetrators of abuse, whether romantic, familial or otherwise.
Technologically savvy perpetrators have more options than ever before to keep tabs on their victims, take away control and agency, and continue the abuse from afar. We will try to give you the tools and knowledge to resist the technological aspects of the abuse and, once you are able to leave the abusive situation, to recover from the privacy compromise.


Core assumptions[edit | edit source]

In this guide we assume the following:

  • The perpetrator is somebody who has physical access to you and to the devices (and potentially accounts) you use.
    • The perpetrator also controls your internet access, either by controlling the router or controlling the ISP's account.
  • The perpetrator is generally more technologically savvy than you.
  • The perpetrator is willing to deploy technological measures that are generally unacceptable, such as tracking your location, monitoring your search history, compromising your social media accounts, and so on.

But first[edit | edit source]

If you share the device you're reading this on with the perpetrator, DO NOT allow them to use your browser history to find out about your attempts to resist.
First, do the following:

  • Open this page in Private Mode/Incognito Mode.
  • Go into your browser's options and delete the browsing history for approximately the last hour.

This will prevent them from finding this guide in your history and being aware of the advice you're following. Be aware that this only hides your history: if the device carries stalkerware (see below), the perpetrator may still be able to see what you read. If you can, read this on a device they have never had access to, such as a library computer or a trusted friend's phone.

Methods and countermeasures[edit | edit source]

In this section we survey the most common methods of technology-enabled domestic and familial abuse and what you can do about each of them.

Stalkerware[edit | edit source]

Coalition Against Stalkerware's brief overview of stalkerware.
Remember to open in Private/Incognito mode to avoid leaving a trace!

Potentially the most concerning method the perpetrator could use is installing stalkerware, also known as creepware, on your devices. Stalkerware is the collective name for apps and programs designed to keep track of another person's activity and report it back to the perpetrator. Many of these apps are marketed as 'parental control' or 'employee monitoring' solutions, but most make little to no effort to limit the potential for abuse.
These are very difficult to counter because they are designed to be stealthy and avoid detection, much like any other malware. There are many stalkerware products, and new shady operations sprout all the time, so we cannot give you advice that covers every specific product.

The best advice we can offer you is to trust your instincts. Does the perpetrator seem to know details and pieces of information that you've never shared with them? Do they inexplicably know where you've been or who you've texted? Do they know the websites you've visited?
If you answered yes to any of those, you may be a victim of stalkerware.

Countermeasures[edit | edit source]

  • If you can, do not allow physical access to your device. Do not leave your device unattended. Most stalkerware has to be installed using physical access, so if you're not yet infected, this is the best way to keep it that way.
    • Use a strong screen lock with a long passcode, and do not rely on fingerprint or face unlock alone. A perpetrator who has physical access to you can hold the phone up to your face or press your finger to the sensor while you sleep; a passcode they do not know cannot be taken from you this way. There is no substitute for a good password.
  • Most stalkerware programs run in the background all the time, using your battery (if applicable). Be mindful of your battery performance, particularly if it suddenly drops.
  • Stalkerware programs must send the captured data to the perpetrator. Therefore, look at your data (and WiFi) usage and look for unusual patterns, like apps you don't know suddenly sending a large amount of data.
  • Look for apps that you don't know and apps with permissions you do not remember granting. On Android, pay particular attention to the Accessibility, Device administrator and Notification access settings: stalkerware commonly uses these to read what is on your screen and to stop you uninstalling it.
  • Remove the apps you do not use. This will make it harder for stalkerware to hide in the crowd.

Canary trap[edit | edit source]

If you've seen Game of Thrones, you've seen a 'canary trap' in action. Tyrion Lannister uses it in season two of the show.

One method of narrowing down how and where you are being spied upon is the so-called 'canary trap'.

The basic idea is that you give different versions of an event, document or plan (the bait) via different methods of communication and see which one the perpetrator brings up. For example, if the perpetrator is attempting to control your social life, you might text one friend about plans to meet up for drinks, and email a completely different friend to meet up for coffee at the same time. If the perpetrator then brings up you going for drinks with a specific friend, you know they're monitoring your texts, and probably not your email. Repeat the trap over time and through other channels (phone calls, a particular messaging app, a shared calendar) to build a fuller picture; a perpetrator who monitors several channels may only let slip what they learned from one of them.

Device specific tells[edit | edit source]

Android[edit | edit source]

On Android, most stalkerware apps will not be found in the Play Store, as they are likely to be removed by Google once identified. This means that most of the time the perpetrator has to install an external app (a so-called APK file) from 'Unknown sources'. Normally, an Android phone will refuse to install an external app unless this has been explicitly allowed in the settings beforehand. On older versions of Android this is a single setting called 'Unknown sources'; on Android 8 and later it is a per-app permission called 'Install unknown apps' (under Settings → Apps → Special app access), granted to whichever app was used to install the APK, such as a file manager or a browser. All Android phones ship with this turned off, so if it is on for you, or an app you did not expect has been granted 'Install unknown apps', and you did not enable it yourself, the perpetrator may have done so to install stalkerware.
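If you are comfortable enabling USB debugging and have a computer you trust, there is a more direct check than looking through the settings. Every app installed on an Android phone records which app installed it, and the command `adb shell pm list packages -3 -i` lists all third-party apps with their installer. Apps that came from the Play Store show installer=com.android.vending; an APK that was sideloaded by hand (via ADB, a file manager or a browser download) shows installer=null. The following script is an added example, not part of the original guide or of any Android tool: it parses that output and flags the apps that did not come from a store. It assumes `adb` is on your PATH; the list of trusted store names and the sample output it runs on offline are constructed for illustration.

```python
"""Flag apps on an Android phone that did not come from a trusted app store.

Added example, not part of the original guide. It parses the output of
`adb shell pm list packages -3 -i` (third-party packages with the name of the
app that installed them). The trusted store names and the sample output below
are assumptions/constructed data, not taken from a real device.
"""
import re
import subprocess
from typing import Dict, List, Optional

# Installer package names we treat as trusted stores (assumption: adjust to
# the stores actually used on the phone being checked).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; 'null' (no installer) becomes None."""
    result: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank lines and anything we don't recognise
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def flag_sideloaded(installers: Dict[str, Optional[str]],
                    trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return packages whose installer is missing or is not a trusted store.

    installer=null usually means the APK was installed by hand (ADB, a file
    manager, a browser download) rather than from a store, which is exactly
    how stalkerware typically gets onto a phone."""
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


def scan_connected_phone() -> List[str]:
    """Run the real command over ADB (needs adb on PATH and USB debugging on)."""
    out = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
        capture_output=True, text=True, check=True,
    ).stdout
    return flag_sideloaded(parse_installers(out))


# Constructed sample output (not from a real device) so the script runs offline.
SAMPLE_OUTPUT = """\
package:com.example.bank installer=com.android.vending
package:org.example.messenger installer=com.android.vending
package:com.systemservice.update installer=null
package:com.example.weather installer=com.sec.android.app.samsungapps
package:net.example.sync installer=com.example.filemanager
"""

if __name__ == "__main__":
    for pkg in flag_sideloaded(parse_installers(SAMPLE_OUTPUT)):
        print("check this app:", pkg)
```

Run `scan_connected_phone()` with the phone plugged in to check a real device; the flagged package names can then be looked up in Settings → Apps to see what they are and what permissions they hold. Two caveats: a flagged app is a lead, not proof (you may have sideloaded something yourself), and stalkerware that has obtained root on the phone can hide itself from this listing, so a clean result does not prove the phone is clean.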

iOS[edit | edit source]

Apple, like Google, actively removes stalkerware apps from its store. To install external apps on an iOS device, the device generally has to be jailbroken (that is, unlocked to allow non-App Store apps). Most jailbroken devices have an alternative app store on them, traditionally called Cydia (newer jailbreaks may use Sileo or Zebra instead). If your device has one of these on it, but you did not jailbreak the phone yourself, you might be a victim of stalkerware. Note that some iOS 'monitoring' products do not touch the phone at all: they log into your iCloud account with your Apple ID password and read your backups and synced data from there. So on iOS, also consider who knows your Apple ID password and whether two-factor authentication is enabled on your Apple ID.

Should you remove stalkerware?[edit | edit source]

We cannot say, given that this depends on your personal circumstances. The perpetrator is very likely to notice the removal, and if being seen to resist may result in further abuse, it may not be advisable.
Remember that in most jurisdictions wiretapping is a serious crime, so it may be worth keeping the stalkerware on the device as evidence. If you do decide to remove it, consider first documenting what you found (for example, photographing the screen with another device) and asking a specialist domestic abuse service or the police how best to preserve evidence.

If you suspect stalkerware, there are a couple of reliable ways to remove it:

  • if it is an Apple device, update iOS to the latest version (updates usually break a jailbreak) or take it to the nearest Apple Store; they should be able to help you
    • note that jailbreaking usually voids the Apple warranty, but does not generally void any statutory warranty
  • with Android, in most cases a simple factory reset will be sufficient.
    • If you're not confident doing it yourself, any phone repair store will be able to do it for you.
    • After the reset, set the phone up as a new device rather than restoring a backup, and change your Google account password. Restoring an old backup can bring the stalkerware straight back, and a Google account the perpetrator can log into can be used to install apps on the phone remotely through the Play Store.
  • for Windows devices, reinstalling Windows is the safest option (any computer technician can do this easily); failing that, most reputable antivirus solutions will catch it
    • even the built-in Windows Defender may be able to catch it; the perpetrator would have disabled it when installing, so simply making sure that Windows Defender is re-enabled and running a full scan may be enough

Even if you cannot remove the stalkerware, just knowing it is there empowers you to make better decisions about your situation.

Connection monitoring[edit | edit source]

Even if your devices aren't spying on you directly, the perpetrator can monitor your online activity if they control the internet connection you use.

Gateway/Modem/Router[edit | edit source]

If you share your WiFi with the perpetrator, they could potentially execute a so-called man-in-the-middle attack. Because of how most home networks work, all the internet connections on a single WiFi network flow through one central device (called a router, though you might know it as the modem or gateway). Whoever controls that device can see every connection you make: which sites and servers you talk to, when, and how much data, plus the full content of anything that is not encrypted. Many routers can also keep logs of the sites visited by each device. This is something you need to be mindful of.

DNS[edit | edit source]

DNS is essentially the internet's phonebook. It allows your computer to convert a website name, such as https://privacywiki.xyz, into an IP address, which the computer can actually use to fetch the website for you. For various complicated historical reasons, this traffic was not encrypted by default until very recently, and anyone on the network can observe it as you access websites. From it they can tell which websites you visit, but not what you did on a particular website. So, in the case of PrivacyWiki, they would be able to tell that you accessed https://privacywiki.xyz, but not that you looked up this particular page.

Countermeasures[edit | edit source]

If you use Chrome or Firefox, the first step is to make sure your browser is up to date, as both now support encrypted DNS (DNS over HTTPS). It is not always on by default, however: Firefox enables it by default only in some countries, and Chrome only switches to encrypted DNS automatically when the resolver your network already uses supports it, which a perpetrator-controlled router generally will not. So turn it on explicitly: in Firefox, look for 'DNS over HTTPS' in the settings; in Chrome, go to Settings → Privacy and security → Security → 'Use secure DNS' and choose a named provider rather than 'your current service provider'. You can check whether your DNS is encrypted by running a test found on this page. Bear in mind that this hides your lookups from the router, but the encrypted-DNS provider you chose can still see them, and the site name still leaks through the TLS handshake described below.

TLS[edit | edit source]

Look for the 'lock' in your browser; those pages are encrypted

The vast majority of internet traffic nowadays is encrypted using Transport Layer Security (TLS, formerly SSL). You may know it as the little padlock in your browser. This is good for you and your privacy, but it does have a couple of gaps you should know about.

Server Name Indication[edit | edit source]

To establish a secure connection, TLS first performs a so-called handshake. The first message of that handshake is sent before any encryption is in place, and it has to name the website you want, because one server (and one IP address) often hosts many websites and needs to know which one's certificate to present. That name travels in plain text in a field called the Server Name Indication (SNI). Separately, every packet carries the destination IP address, which the intermediate computers that route your traffic need in order to deliver it. You can think of this in terms of sending a physical letter: for it to be delivered, the recipient's address has to be written on the outside of the envelope, even though the contents are sealed.

That being said, just like unencrypted DNS mentioned above, the perpetrator using this technique can only see the domain of the website you're using, not the content of the pages or the exact page you looked at.
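To make the last two sections concrete, here is an added example (not part of the original guide, and not taken from any real capture) of what a passive observer sitting on the router sees. It builds, in memory and without touching the network, a plain DNS query and the first TLS handshake message (the ClientHello) for privacywiki.xyz, then reads them back the way a router would. The site name is in clear text in both, even though everything after the handshake is encrypted. The packets are constructed by the script itself; the cipher suite and the all-zero random field are placeholders chosen to keep the example short.

```python
"""What a passive observer on the router can read from your traffic.

Added example, not part of the original guide. Builds a plain DNS query and a
TLS ClientHello in memory (nothing is sent), then extracts the site name from
each exactly as a router could. Packets are constructed here, not captured.
"""
import struct

HOST = "privacywiki.xyz"


# --- plain DNS (RFC 1035): the question section carries the name unencrypted
def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    # header: id, flags (RD=1), 1 question, 0 answers, 0 authority, 0 additional
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def sniff_dns_name(packet: bytes) -> str:
    """Read the queried name out of a DNS query the way a router would."""
    labels, pos = [], 12  # skip the 12-byte header
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)


# --- TLS ClientHello (RFC 8446 section 4.1.2) with server_name (RFC 6066)
def build_client_hello(name: str) -> bytes:
    sni_name = name.encode()
    server_name_list = b"\x00" + struct.pack(">H", len(sni_name)) + sni_name  # type host_name
    ext_data = struct.pack(">H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack(">HH", 0, len(ext_data)) + ext_data               # extension type 0
    extensions = struct.pack(">H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)          # legacy_version + random (zeros: placeholder)
            + b"\x00"                        # legacy_session_id: empty
            + b"\x00\x02\x13\x01"            # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                    # compression methods: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake  # TLS record


def sniff_sni(record: bytes) -> str:
    """Walk the unencrypted ClientHello and return the server_name, or ''."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    pos = 5 + 4 + 2 + 32                                      # record hdr, hs hdr, version, random
    pos += 1 + record[pos]                                    # session id
    pos += 2 + struct.unpack(">H", record[pos:pos + 2])[0]    # cipher suites
    pos += 1 + record[pos]                                    # compression methods
    ext_end = pos + 2 + struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    while pos < ext_end:
        ext_type, ext_len = struct.unpack(">HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack(">H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return ""


if __name__ == "__main__":
    print("DNS query reveals:   ", sniff_dns_name(build_dns_query(HOST)))
    print("TLS handshake reveals:", sniff_sni(build_client_hello(HOST)))
```

Encrypted DNS removes the first leak; only Encrypted Client Hello (below) removes the second. Until then, anyone who can see your packets can run logic like `sniff_sni` over them, which is why a VPN or Tor, which wrap the whole handshake in another encrypted tunnel, are the only current fixes.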

Countermeasures[edit | edit source]

There is no easy solution to this currently. A VPN hides it from the router (the router then only sees an encrypted connection to the VPN provider), but most VPNs cost money, and they simply move the problem: the VPN provider now sees what the router used to. You can access sensitive sites occasionally with the Tor Browser, but conducting all your browsing through Tor can be cumbersome. Also bear in mind that both a VPN and Tor are visible as such to the perpetrator: they cannot see where you went, but they can see that you hid it.

There is a proposal to encrypt this 'address field' too, called Encrypted Client Hello (ECH), but at the time of writing it is not yet ready for prime time, and most websites don't use it. Here's hoping this changes soon.

Certificate errors[edit | edit source]

When you access a TLS protected site, the browser automatically checks that the site's certificate is valid for that site and that nobody is interfering with the connection. If it cannot do so, it shows you a certificate error, like so:

This indicates that somebody may be trying to intercept your connection and might be serving you something your browser does not expect. Try your very best to resist the urge to click 'Add exception' or 'Proceed anyway', as doing so is basically giving the perpetrator permission to continue observing and interfering with your traffic. Just come back to the website later. If it is a genuine certificate error on the website's side, the website will fix it soon (because everyone, not just you, is seeing this error). However, if you are the only person seeing this error, or all the websites you visit show this error, this is a good indicator of a man-in-the-middle attack.

Account compromise[edit | edit source]

Another way to compromise you is to compromise your online accounts, such as your email, social media or Google account.

On sharing passwords[edit | edit source]

You may be used to sharing passwords and giving access to partners, parents or other people you trust. As a privacy resource, PrivacyWiki always advocates against sharing passwords, and resources focusing on the interpersonal side of this decision warn that demanding access to each other's passwords is not a healthy relationship dynamic.
Privacy is a human right, and our thoughts and actions cannot simply be sorted into good/transparent and bad/hidden. Exercising your right to privacy is not something you need to apologise for.

The remainder of the 'Account compromise' section assumes you do not willingly share your passwords with the perpetrator.

Methods[edit | edit source]

Keylogging[edit | edit source]

While genuinely hacking a major online service like Amazon or Google is very difficult, a much easier way to compromise an account is to simply keylog the password while it is being entered by the legitimate account owner.
A keylogger is software that records everything typed on a particular device and makes it available to the perpetrator. This of course includes all the private conversations you may have had (at least your side of them), but it also means that all your passwords are recorded as you type them. Keyloggers may be stand-alone malware, but keylogging is also a common feature of the stalkerware mentioned above. A keylogger can also be a small hardware device plugged in between the keyboard and a desktop computer, which no antivirus will find; if you use a shared desktop, it is worth looking at the back of the machine.

Countermeasures[edit | edit source]
A typical login screen requiring another factor, in this case a temporary password.

The best countermeasure against any password-based attack is multi-factor authentication (also known as two-factor authentication, or 2FA). When you provide a password, this counts as one piece of evidence (a so-called factor) that you are authorised to access the account: a password is 'something you know'. If you add other factors (more pieces of evidence) to the login process, you have a login that requires more than just a password; that is multi-factor authentication. The end result is that the perpetrator cannot log in even if they know the password. A temporary code they keylog is of little use to them, because it expires within a minute or so and can normally be used only once.
In practice, the most common second factor is a one-time password. This takes the shape of either an SMS message sent to your phone with a time-limited code, or an authenticator app that calculates a temporary code from a secret shared with the service (the TOTP standard). If the perpetrator has access to your phone, or has stalkerware on it that can read your messages, SMS codes are not safe; an authenticator app, or better still a hardware security key, is preferable.
Many online accounts support multi-factor (or two-factor) authentication. You can usually find this setting next to the option to change your account password.
If the service requires you to use an authenticator app, a good choice is the open source Aegis on Android or the open source Tofu on iOS. Keep the backup codes the service gives you somewhere the perpetrator cannot find them.

Most keyloggers are also detected as malware by most antivirus packages, so consider scanning your system. See our advice on antivirus software.

Phishing[edit | edit source]

Phishing is the act of creating a fake login page that looks identical to the login page of a legitimate service and using it to harvest the victim's login details.
Given that the perpetrator controls your WiFi, they could use either a man-in-the-middle attack to redirect your browser to the fake page, or, more commonly, simply send you a link to a fake page hosted elsewhere.

Man-in-the-middle[edit | edit source]

By executing a man-in-the-middle attack, the perpetrator can send you to a fake login page even if you took care to type the right address. However, all modern browsers will detect this and give you a certificate error, as detailed in the 'Certificate errors' section.
If you see such an error, do not simply click 'Add exception'. Instead, try accessing the website using a different internet connection (such as your mobile data) or ask a friend whether they see the same error. If your device does not give you an error on the different connection, or your friend does not see it, you are likely the target of a man-in-the-middle attack.
Although possible, it is very unlikely that a major service such as Google, Facebook or Amazon would have a genuine TLS certificate error; these companies watch their certificates closely, and such an error would be noticed and fixed quickly.

Normal phishing[edit | edit source]

You could also be the target of a more conventional phishing attack, where the perpetrator sends you to a website that looks like the real one but lives at a different address. In this case the browser will not pop up a warning, because there is no man-in-the-middle to detect: the fake site has a perfectly valid certificate for its own, wrong, address.
The best advice here is not to blindly trust links sent to you. Instead, type the web address into the address bar yourself and go from there. If you must follow a link, look at the page address in your browser's address bar. The part that matters is the site name, such as privacywiki.xyz in https://privacywiki.xyz; do not be distracted by anything after it, and be suspicious of addresses that merely contain or resemble the real name, even if the page itself looks convincing.

Setting up a safe computing environment[edit | edit source]

While we cannot possibly anticipate every exact combination of technology-enabled domestic abuse you may face, we can help you set up a safe working environment that you can use for your essential computing needs without the fear of being spied upon or intercepted by the perpetrator.
The basic idea is that we will set up a portable computing environment consisting of an operating system and persistent storage on an encrypted USB stick. This portable environment is protected by strong encryption and designed to resist a very capable adversary. It may look a bit daunting, but if you persist, you will have at least one way of accessing the internet that you can trust (as long as you keep your encryption password secret and the stick out of the perpetrator's hands).

About Tails[edit | edit source]

If you suspect stalkerware or a man-in-the-middle attack, Tails is the most reliable way to be reasonably sure you are not being spied upon while you use it.

To achieve this, we will rely on the excellent work of the Tails project. Their objective is to produce a safe computing environment for journalists, activists, human rights defenders and domestic abuse survivors. You can read more about the project on their website, but in short Tails:

  • is discreet - it leaves no trace on the computer it is used on. It does not write to the hard disk, and it does not leave your files or browsing history behind. Even a skilled computer forensics professional would struggle to prove that Tails was ever used on a particular computer.
    • it does, however, leave traces on the computer used to create the USB stick; remember to delete the downloaded files and your browsing history there, or create the stick on a trusted friend's computer
  • protects your connection - all traffic to and from Tails goes through the Tor anonymity network; the router or DNS server you are using sees no site names, even if they are monitored. They do see that a computer on the network is connecting to Tor, however; if the perpetrator knowing that is itself a risk, Tails can be configured to use Tor 'bridges', which make the connection look less like Tor
  • is strongly encrypted - once you shut down the computer, getting at the data in the stick's Persistent Storage without knowing the password is, for all intents and purposes, impossible
  • is separate from your compromised computer - because everything Tails needs to run is on the USB stick you control, it does not matter if the computer you use it on is riddled with stalkerware; Tails boots its own trusted operating system and can be used safely on computers whose normal operating system is being actively monitored
    • the exceptions are monitoring built into the hardware itself, such as a hardware keylogger plugged in between the keyboard and a desktop computer, or a tampered USB stick. Only the Persistent Storage on the stick is encrypted; the Tails system itself is not, so somebody with physical access to the stick could alter it. Keep the stick on your person and do not leave it where the perpetrator can get at it
  • is amnesic - by default, when shut down after use, Tails forgets and discards all the files generated during the session (such as browsing history), which leaves less opportunity for someone to compromise you further should they obtain your encryption password
    • you can, optionally, set it up to remember certain files. This is called Persistent Storage. It is generally safe to enable it (those files are encrypted too), but if you do, you have to be sure not to disclose your encryption password

This point cannot be overstated: everything really depends on the strength of the encryption password you select while creating the Tails USB stick. If you reuse a password that the perpetrator knows, you will be putting yourself at risk (particularly if you use Persistent Storage). For advice on how to come up with better passwords, see our advice on choosing better passwords.

Installing Tails[edit | edit source]

Installing (so-called 'flashing') Tails is fairly simple and is done with a free program such as balenaEtcher (the Tails guide tells you which program to use on your operating system). Just remember to uninstall that program, and delete the downloaded Tails image, once you're done. The Tails download page also explains how to verify that the image you downloaded is genuine; do not skip that step, as a tampered image would defeat the whole purpose.

Rather than reinventing the wheel, we will instead point you to the excellent installation guide maintained by the Tails project itself.
https://tails.boum.org/install/index.en.html

Using Tails[edit | edit source]

Once you start up Tails, it looks like any ordinary computer you've used before.

Using Tails is much like using any other desktop operating system. You have access to a browser, an email client and an office suite, and you can connect to all your normal online services. It may look slightly different, but don't let that intimidate you; most day-to-day use of Tails is the same as on Windows or a Mac. Two things to bear in mind: some websites block or challenge connections coming from Tor, so occasionally a site will refuse to load or ask you to solve a puzzle; and Tails protects the connection, not the account, so if you log into an account the perpetrator already has the password to, they can still see what you do there. Change those passwords first (see below).

Taking back control and reasserting your privacy[edit | edit source]

Below is a checklist of things you should review to ensure there isn't some hidden method by which the perpetrator continues to be in control of your technological or online life.

Fundamentals[edit | edit source]

If you're going to go through the effort, it is worth putting your future privacy on a stronger foundation.

  • Use a password manager.
  • Think about your future passwords, and familiarise yourself with choosing better passwords.
  • Learn about 2FA and consider using it.
  • Start thinking of your devices and your accounts as what they are: an extension of your mind. You wouldn't let people read your mind, no matter how much you trusted them, so don't share your passwords with anyone, not even people you trust now. Remember that sharing passwords is a sign of suspicion, not of trust.
    A trustworthy person will keep your trust whether or not you have the means to verify their trustworthiness. This goes both ways.

Devices[edit | edit source]

Make sure your devices aren't still spying on you.

  • Factory reset your mobile devices. This removes nearly all stalkerware. Set them up as new devices afterwards rather than restoring a backup, which could bring the stalkerware back.
  • Reset (or reinstall if possible) your desktop operating system.
  • Log out of and/or delete any user accounts the perpetrator may have used on all the devices.
  • Round up all the electronic devices you don't recognise and dispose of them, or at least turn them all off by unplugging them from power or removing batteries.
    • This applies to your car too.
      A Tile tracker, such as this one, can be slipped into your car or backpack. Its battery lasts up to two years, and it does not need its own internet access, via a SIM card, to track you.
  • Factory reset your router/gateway device. The perpetrator may have installed monitoring software or changed settings such as the DNS server. After the reset, set a new WiFi password and a new administrator password for the router itself, and check that the perpetrator cannot log into your account with your internet provider.
    • If you're not sure how, call your service provider; they will generally be able to walk you through the steps and help you reconnect.

Websites and social media[edit | edit source]

Take back your accounts.

  • Change your account passwords and set new unique password for all sites and services you use.
    • Pay particular attention to your email and mobile phone provider's accounts, as those are probably your identity anchors: most other accounts can be reset through them.
    • Remember to change your secret questions and check that the account recovery method isn't something the perpetrator can access.
  • Find 'current sessions' screen (the one that shows all the currently logged devices) and either reset all login sessions or at least remove all unfamiliar sessions.
  • Enable 2FA on every website that supports it.
  • Block the perpetrator on social media.
    • Make yourself harder to find on social media by setting your profile private or to undiscoverable mode.

Other[edit | edit source]

  • Ask your financial institution to reissue your credit cards, and check which devices and phone numbers are registered for online banking.
  • Remove the perpetrator from your utility, phone and other billing accounts.
  • Sweep your car for unknown electronics. Consumer grade trackers are easy to come by and don't even need external power (such as Tile).

Closing thoughts[edit | edit source]

Although facing a perpetrator of domestic abuse is always difficult, please remember that domestic abuse is primarily a social and legal problem. No amount of technological knowledge and intervention can change the fact that the perpetrator is committing a crime by wiretapping your communications, and you may benefit from the help of specialist services with the resources and knowledge to support you.

In this guide we've tried to equip you for the technological aspects of domestic abuse, but more help is out there. Seek it and reach out. Do not let the perpetrator control you.
We wish you the best of luck, and thank you for indulging us.