Data Protection Stories  , Data Protection Stories

Addressing stalkerware and gender-based abuse through data protection law

Digging into Citizen Lab’s report on the illegality of stalkerware and tech-enabled, gender-based abuse in Canada


The Issue

Technology has enabled new ways for abusers to surveil and control romantic partners. Stalkwerware—commercial software built to covertly monitor someone’s mobile device activities—is often used in the context of domestic abuse, but has not been thoroughly addressed by Canadian courts, lawmakers or regulators.

The Role of the GDPR

The University of Toronto’s Citizen Lab recently published a policy and legal analysis of stalkerware in Canada. In addition to assessing the ways stalkerware use should be considered illegal under Canadian criminal and civil law, the report also considers obligations for stalkerware companies under data protection and privacy law—such as informed consent for collecting personal data. The report’s authors outline the GDPR as a model for Canadian privacy law to work towards, particularly in reference to its enforcement powers, which could enable regulators to issue significant financial penalties to stalkerware companies for non-compliance.

Key Takeaways

There are concrete ways that Canadian lawmakers can update the enforcement powers of the Office of the Privacy Commissioner in Canada to address stalkerware. As such, data protection law presents one possible avenue for shutting down stalkerware companies. However, reducing this abusive technology to an issue of data protection runs the risk of axing a critical discussion around gender and intimate partner abuse.

Published September 10, 2019

In the age of smartphones and the Internet of Things, technology has enabled new, insidious avenues for intimate partner and gender-based abuse. Tech writer and lawyer Sarah Jeong has highlighted the ways in which, often, “surveillance begins at home”, with abusers using GPS to track their partners, or women arriving at shelters with mobile devices that have been compromised by intimate partners. More recently, advocates have been raised concerns around the ways that smart home technology, such as Internet-connected locks and thermostats, give abusers new tactics for monitoring and intimidation. 

While the above tools primarily point to the repurposing of everyday technologies for intimate partner abuse and monitoring, an alarming breadth of commercial software also exists for the explicit purpose of covertly tracking another’s mobile device activities, remotely and in real-time. This could include monitoring someone’s text messages, call logs, browser history, personal calendars, email accounts and/or photos. Designed to be installed on another person’s mobile device, these spyware applications, such as FlexiSPY or Hoverwatch, are considered as “stalkerware” in the context of intimate partner and gender-based abuse. Dozens of covert spying applications can be found across the Google Play Store and the Apple App Store. In addition to these, a range of parenting and employee-monitoring apps are often repurposed for intimate partner surveillance. 

A new report from Citizen Lab, a tech policy and human rights research group at the University of Toronto, offers a deep dive on the unlawfulness of stalkerware. The report, Installing Fear, presents a Canadian legal and policy analysis of the stalkerware industry and its use. We spoke to Cynthia Khoo, a research fellow at Citizen Lab, about how the EU’s General Data Protection Regulation (GDPR) has informed this work. Given that women* are disproportionately impacted by stalking and intimate partner abuse, we also discussed the usefulness of data protection legislation more broadly in addressing technology-facilitated, gender-based abuse.

* Note: While outside the scope of Citizen Lab’s report, research indicates that intimate partner violence disproportionately affects members of LGBTQ+ communities, and that trans people—trans women, and trans people of colour in particular—experience increased rates of physical and sexual violence in their lifetimes

Illegal in so many ways

At almost 200 pages, Citizen Lab’s report is comprehensive in its assessment of the myriad ways in which stalkerware could be considered illegal. They discuss how use of stalkerware is likely a criminal offence under Canadian criminal law and could be considered a wrongful act under Canadian civil law. For example, text and social media message interception, a common feature of stalkerware apps, are already offenses in the criminal code of Canada. However, the report states that few cases on this issue have appeared in Canadian courts. The report authors recommend more public legal education, law reform and better resources for law enforcement and regulators to address the use of stalkerware in Canada. This parallels some of the scholarly work being done in the US on the inadequacy of US laws for addressing spousal abuse through spyware, and the need for legal reforms.  

The report also provides a legal analysis of selling stalkerware, comparing Canadian privacy obligations under PIPEDA (the Personal Information Protection and Electronic Documents Act) and data protection obligations established under the EU’s GDPR. Khoo says it was important to include the GDPR as part of their legal analysis despite the report’s Canadian focus. For one, the GDPR applies to Canadian stalkerware companies processing or holding data on EU residents and to EU-based stalkerware companies that operate or sell their products in Canada. Including the GDPR in their analysis ensured that this issue would not be siloed within the Canadian context and could be part of a global conversation on stalkerware and intimate partner abuse technologies. Most importantly, the GDPR sets a standard for Canadian privacy law and regulators to look towards, with respect to addressing stalkerware and other invasive technologies. 

GDPR’s strong enforcement a model for Canadian regulators

Under Canadian data protection and privacy law, companies collecting or using consumer data are required to obtain informed consent before collecting personal information. The GDPR has similar obligations—companies must obtain explicit consent, and must have a lawful basis, for collecting personal, sensitive data. The GDPR also requires companies to integrate “privacy by default” and “privacy by design” into their data practices—a concept inherently at odds with the purpose of stalkerware. 

While the data practices of stalkware companies should be considered unlawful under both PIPEDA and the GDPR, data protection authorities in the EU can carry much stronger enforcement powers. This is an important difference: under the GDPR, DPAs in the EU have the power to administer significant financial penalties, as well as the power to enforce compliance through orders, imposing bans on data processing or suspending cross-border data transmissions.  On the contrary, the Office of the Privacy Commissioner of Canada (OPC) is only able to open an investigation and make a set of recommendations. It is not able to administer financial penalties, nor make orders to comply with PIPEDA. The OPC can only obtain a court order by first applying to the Federal Court of Canada. 

The report authors say that the GDPR presents “a model to which Canadian privacy law may aspire when it comes to addressing abusive technology”. They recommend that lawmakers provide the OPC, as well as its provincial counterparts, greater enforcement powers which would allow them to impose financial penalties on stalkerware companies. 

Advancing the dialogue on tech, consent, and gender-based abuse 

The last few years have seen more nuance in mainstream media discussions about consent in the context of sexual abuse and harassment. There has been greater acknowledgement that communicating consent is not always as simple as “no means no” and that there are usually power dynamics inherently at play. Perhaps surprisingly, this understanding of power imbalances and consent is captured within the GDPR in the context of personal data. Recital 43 states that consent is invalid when there is a “clear imbalance” between the data controller and data subject. Citizen Lab’s report authors point out the significance of this, particularly as it relates to technologies enabling intimate partner abuse: 

“…it is significant that the GDPR recognizes the invalidating impact of power dynamics on the validity of consent. This recognition could, and should, also apply to power imbalances associated with the context of intimate partner abuse and gender-based violence in which the stalkerware industry operates.”

While this is a noteworthy aspect of the GDPR, Khoo expresses cautious skepticism around the regulation’s ability to meaningfully advance conversations around consent in technology. The GDPR has indeed encouraged corporations to change some of their practices around user consent, but this likely stems from efforts to avoid hefty financial penalties rather than from a renewed, genuine interest in consent as an issue itself. 

Still, we wondered if data protection laws could provide an effective, pragmatic legal mechanism for addressing technologies used in intimate partner abuse. Khoo says there are two ways to look at this question: that “you can either attack an issue instrumentally, or on its substantive merits”. In theory, it is possible to use the GDPR as a legal instrument to shut down stalkerware companies due to non-compliance around consent and collection of personal data. However, reducing an abusive technology like stalkerware to an issue of data protection runs the risk of axing a critical discussion around gender and intimate partner abuse in tech, and bypassing the root of the issue.

The conversation around intimate partner abuse and stalkerware is also taking shape outside of Canada. In the U.S., for example, Eva Galperin, a security researcher with the Electronic Frontier Foundation, has been pushing for a number of interventions to address stalkerware outside of a strictly legal context. These include improvements amongst anti-virus’ ability to detect stalkerware, as well as a need to shift norms in the security industry. Currently, many security researchers do not consider stalkerware “real” hacking, and Galperin highlights a need for the industry to take the issue more seriously. In Australia, groups like Technology Safety Australia have created popular education resources for women to learn to identify, remove, and prevent mobile spyware. Outside a Western context, the Association for Progressive Communications has also conducted research on legal remedies to tech-enabled gender-based abuse in seven countries across Latin America, Africa, Southeast Asia, and Southeast Europe. Importantly, their work emphasizes a survivor-centered, rights-based approach, and also highlights the need for an intersectional approach to these conversations. Across countries, they found that law enforcement were less likely to record cases of tech-related violence against women when survivors were poor or marginalized.

All things considered, changes to PIPEDA and OPC enforcement powers do present one concrete avenue for addressing stalkerware in Canada, alongside additional legal reforms and industry interventions. However, if the goal is to also address root issues related to gender-based and intimate partner abuse, strengthening data protection laws are only one piece of the puzzle in shutting down this harmful and problematic technology.