Collaborating with the New York City Mayor’s Office to End Domestic and Gender-Based Violence, the collaborative team created and piloted a questionnaire, a spyware scanning tool and a diagram for assessing clients’ digital footprints.
The model, which the team said is the first of its kind, can help assist counsellors without tech expertise pinpoint online abuse and protect the safety of abuse victims and their advisers.
Using this strategy, the researchers found potential spyware, compromised accounts or exploitable misconfigurations for 23 of the 44 clients they advised.
“Prior to this work, people were reporting that the abusers were very sophisticated hackers, and clients were receiving inconsistent advice,” said Diana Freed, Cornell Tech doctoral student in the field of information science.
“Some people were saying, ‘Throw your device out.’ Other people were saying, ‘Delete the app.’ But there wasn’t a clear understanding of how this abuse was happening and why it was happening,” she added. “We felt that a methodical approach through a uniform, data-driven consultation would yield better results so we can help other advocates do this type of work at the level it’s needed.”
The motivation for the research is to improve the technology safety and security for survivors of intimate partner violence. Nicola Dell, assistant professor at the Jacobs Technion-Cornell Institute at Cornell Tech, and associate professor Thomas Ristenpart, who are part of the team, have recently been awarded a $1.2m (£1m) grant from the National Science Foundation to continue their research examining the role of tech in intimate partner abuse.
According to experts, abusers use a range of digital tools to stalk or harass their victims, from traditional spyware to tracking apps intended for more benign purposes, such as finding one’s phone. Furthermore, it can be extremely challenging to detect vulnerabilities within the sheer number of apps, digital devices and online accounts most people use daily – particularly for counsellors without tech skills.
“They [counsellors] were making their best efforts, but there was no uniform way to address this,” said team member Sam Havron, a doctoral student in computer science at the university. “They were using Google to try to help clients with their abuse situations.”
On the other hand, the researchers said tech experts don’t have the background to advise clients how to fix problems in ways that won’t endanger them, such as angering an abuser who just noticed a deleted app or a changed password.
As part of the study, the researchers ran a weekly tech clinic in New York City’s Family Justice Centres, which provide a full range of services for intimate partner abuse victims. The team then went on to develop and pilot its Technology Assessment Questionnaire, which included such questions as, “Does the abuser show up unexpectedly or know things they shouldn’t know?” and “Is there a chance the abuser knows (or could guess) the answers to your password reset questions?”
The team also created the “technograph”, a diagram which helped summarise clients’ digital assets; and ISDi (IPV Spyware Discovery), a spyware scanning tool. ISDi scans devices for known spyware apps through a USB cable, rather than a downloadable app, making it impossible for an abuser to detect.
“This sort of tool doesn’t exist anywhere else,” Havron said. “In earlier work, we did a comprehensive scrape of the Google Play Store and eventually compiled a list of thousands of apps across marketplaces, and that’s what the ISDi is based on.”
The researchers added that, although the research focused on intimate partner abuse, this method could prove beneficial for any victim of abuse, such as activists, political figures or journalists.
“It’s consistent, it’s data-driven and it takes into account at each phase what the abuser will know if the client makes changes,” Freed added. “This is giving people a more accurate way to make decisions and providing them with a comprehensive understanding of how things are happening.”
The paper ‘Clinical Computer Security for Victims of Intimate Partner Violence’ was presented at the USENIX Security Symposium in Santa Clara, California, on 14 August.
Last August, UK victim support charity Refuge revealed how domestic abusers are using technology to spy on their partners and control them, stating that, in 2018, it has seen nearly 1,000 cases of abuse in Britain involving devices such as home hubs, smart TVs and fitness trackers.