I want you to travel back in time with me,
to the before time, to 2017.
I don't know if you can remember it,
dinosaurs were roaming the earth.
I was a security researcher,
I had spent about five or six years
doing research on the ways in which APTs,
which is short for advanced persistent threats,
which stands for nation-state actors,
spy on journalists and activists
and lawyers and scientists
and just generally people who speak truth to power.
And I'd been doing this for a while
when I discovered that one of my fellow researchers,
with whom I had been doing this all this time,
was allegedly a serial rapist.
So the first thing that I did
was I read a bunch of articles about this.
And in January of 2018,
I read an article with some of his alleged victims.
And one of the things that really struck me about this article
is how scared they were.
They were really frightened,
they had, you know, tape over the cameras on their phones
and on their laptops,
and what they were worried about was that he was a hacker
and he was going to hack into their stuff
and he was going to ruin their lives.
And this had kept them silent for a really long time.
So, I was furious.
And I didn't want anyone to ever feel that way again.
So I did what I usually do when I'm angry:
And the thing that I tweeted
was that if you are a woman who has been sexually abused by a hacker
and that hacker has threatened to break into your devices,
that you could contact me
and I would try to make sure
that your device got a full, sort of, forensic look over.
And then I went to lunch.
Ten thousand retweets later,
I had accidentally started a project.
So every morning, I woke up and my mailbox was full.
It was full of the stories of men and women
telling me the worst thing that had ever happened to them.
I was contacted by women who were being spied on by men,
by men who were being spied on by men,
by women who were being spied on by women,
but the vast majority of the people contacting me
were women who had been sexually abused by men
who were now spying on them.
The one particularly interesting case
involved a man who came to me,
because his boyfriend had outed him as gay
to his extremely conservative Korean family.
So this is not just a men-spying-on-women issue.
And I'm here to share
what I learned from this experience.
What I learned is that data leaks.
It gets in places you don't want it.
Your friends give away information about you.
Your family gives away information about you.
You go to a party,
somebody tags you as having been there.
And this is one of the ways
in which abusers pick up information about you
that you don't otherwise want them to know.
It is not uncommon for abusers to go to friends and family
and ask for information about their victims
under the guise of being concerned about their "mental health."
A form of leak that I saw
was actually what we call account compromise.
So your Gmail account,
your Twitter account,
your Instagram account,
your Netflix, your TikTok --
I had to figure out what a TikTok was.
If it had a login,
I saw it compromised.
And the reason for that is because your abuser is not always your abuser.
It is really common for people in relationships to share passwords.
Furthermore, people who are intimate,
who know a lot about each other,
can guess each other's security questions.
Or they can look over each other's shoulders
to see what code they're using in order to lock their phones.
They frequently have physical access to the phone,
or they have physical access to the laptop.
And this gives them a lot of opportunity
to do things to people's accounts,
which is very dangerous.
The good news is that we have advice
for people to lock down their accounts.
This advice already exists, and it comes down to this:
Use strong, unique passwords for all of your accounts.
Use more strong, unique passwords
as the answers to your security questions,
so that somebody who knows the name of your childhood pet
can't reset your password.
And finally, turn on the highest level of two-factor authentication
that you're comfortable using.
So that even if an abuser manages to steal your password,
because they don't have the second factor,
they will not be able to log into your account.
The other thing that you should do
is you should take a look at the security and privacy tabs
for most of your accounts.
Most accounts have a security or privacy tab
that tells you what devices are logging in,
and it tells you where they're logging in from.
For example, here I am,
logging in to Facebook from the La Quinta,
where we are having this meeting.
If I took a look at my Facebook logins
and I saw somebody logging in from Dubai,
I would find that suspicious,
because I have not been to Dubai in some time.
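The "look at the security tab" step just described, turned into a small check that can be run over a hand-copied or exported list of login entries. This is an added example, not code from the talk or from any of the services named; the `Login` fields, the `flag_unexpected_logins` function, the list of known devices and cities, and the sample entries (including the Palm Springs and Dubai ones) are all constructed here as assumptions.

```python
from dataclasses import dataclass


@dataclass
class Login:
    """One row of the kind of device/location list most accounts show."""
    account: str
    timestamp: str   # ISO 8601, constructed sample values
    device: str
    city: str


# Constructed sample entries, modelled on a security-tab login list.
# Not real data: the Palm Springs row stands in for the conference venue,
# the Dubai row for the login the owner did not make.
SAMPLE_LOGINS = [
    Login("facebook", "2019-12-01T09:15:00", "iPhone", "San Francisco"),
    Login("facebook", "2019-12-03T18:40:00", "MacBook", "San Francisco"),
    Login("facebook", "2019-12-06T08:05:00", "iPhone", "Palm Springs"),
    Login("facebook", "2019-12-06T23:50:00", "Android", "Dubai"),
]

# What the account owner knows about themselves (assumed values).
KNOWN_DEVICES = {"iPhone", "MacBook"}
KNOWN_CITIES = {"San Francisco", "Palm Springs"}


def flag_unexpected_logins(logins, known_devices, known_cities):
    """Return (entry, reasons) pairs the account owner should look at.

    An entry is flagged when its device or its city is not in the owner's
    own list. This is the manual check from the talk written down as a
    heuristic: a hit means "review this", not a proof of compromise, and
    a miss does not prove the account is clean.
    """
    flagged = []
    for entry in logins:
        reasons = []
        if entry.device not in known_devices:
            reasons.append(f"unknown device '{entry.device}'")
        if entry.city not in known_cities:
            reasons.append(f"unexpected location '{entry.city}'")
        if reasons:
            flagged.append((entry, reasons))
    return flagged


def summarize(flagged):
    """Plain-language lines, one per flagged entry."""
    return [
        f"{e.timestamp} {e.account}: {'; '.join(reasons)}"
        for e, reasons in flagged
    ]


if __name__ == "__main__":
    for line in summarize(
        flag_unexpected_logins(SAMPLE_LOGINS, KNOWN_DEVICES, KNOWN_CITIES)
    ):
        print(line)
```

Running it prints one line, for the Dubai login from an unrecognized Android device. The known-device and known-city sets are the owner's own knowledge, which is exactly what the security tab cannot supply on its own; that is why the review has to be done by the person, and why a shared or physically accessible device, as the talk describes, undermines it.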
But sometimes, it really is a RAT.
If by RAT you mean remote access tool.
And remote access tool
is essentially what we mean when we say stalkerware.
So one of the reasons why getting full access to your device
is really tempting for governments
is the same reason why getting full access to your device
is tempting for abusive partners and former partners.
We carry tracking devices around in our pockets all day long.
We carry devices that contain all of our passwords,
all of our communications,
including our end-to-end encrypted communications.
All of our emails, all of our contacts,
all of our selfies are all in one place,
often our financial information is also in this place.
And so, full access to a person's phone
is the next best thing to full access to a person's mind.
And what stalkerware does is it gives you this access.
So, you may ask, how does it work?
The way stalkerware works
is that it's a commercially available program,
which an abuser purchases,
installs on the device that they want to spy on,
usually because they have physical access
or they can trick their target into installing it themselves,
by saying, you know,
"This is a very important program you should install on your device."
And then they pay the stalkerware company
for access to a portal,
which gives them all of the information from that device.
And you're usually paying something like 40 bucks a month.
So this kind of spying is remarkably cheap.
Do these companies know
that their products are being used as tools of abuse?
If you take a look at the marketing copy for Cocospy,
which is one of these products,
it says right there on the website
that Cocospy allows you to spy on your wife with ease,
"You do not have to worry about where she goes,
who she talks to or what websites she visits."
So that's creepy.
HelloSpy, which is another such product,
had a marketing page in which they spent most of their copy
talking about the prevalence of cheating
and how important it is to catch your partner cheating,
including this fine picture of a man
who has clearly just caught his partner cheating
and has beaten her.
She has a black eye, there is blood on her face.
And I don't think that there is really a lot of question
about whose side HelloSpy is on in this particular case.
And who they're trying to sell their product to.
It turns out that if you have stalkerware on your computer or on your phone,
it can be really difficult to know whether or not it's there.
And one of the reasons for that
is because antivirus companies
often don't recognize stalkerware as malicious.
They don't recognize it as a Trojan
or as any of the other stuff that you would normally find
that they would warn you about.
These are some results from earlier this year from VirusTotal.
I think that for one sample that I looked at
I had something like seven out of 60
of the platforms recognizing the stalkerware that I was testing.
And here is another one where I managed to get 10,
10 out of 61.
So these are still some very bad results.
I have managed to convince a couple of antivirus companies
to start marking stalkerware as malicious.
So that all you have to do
if you're worried about having this stuff on your computer
is you download the program,
you run a scan and it tells you
"Hey, there's some potentially unwanted program on your device."
It gives you the option of removing it,
but it does not remove it automatically.
And one of the reasons for that
is because of the way that abuse works.
Frequently, victims of abuse aren't sure
whether or not they want to tip off their abuser
by cutting off their access.
Or they're worried that their abuser is going to escalate to violence
or perhaps even greater violence
than they've already been engaging in.
Kaspersky was one of the very first companies
that said that they were going to start taking this seriously.
And in November of this year,
they issued a report in which they said
that since they started tracking stalkerware among their users
that they had seen an increase of 35 percent.
Likewise, Lookout came out with a statement
saying that they were going to take this much more seriously.
And finally, a company called Malwarebytes also put out such a statement
and said that they had found 2,500 programs
in the time that they had been looking,
which could be classified as stalkerware.
Finally, in November I helped to launch a coalition
called the Coalition Against Stalkerware,
made up of academics,
people who are doing this sort of thing on the ground --
the practitioners of helping people to escape from intimate partner violence --
and antivirus companies.
And our goal is both to educate people about these programs,
but also to convince the antivirus companies
to change the norm
in how they act around this very scary software,
so that soon, if I get up in front of you
and I talk to you about this next year,
I could tell you that the problem has been solved,
and all you have to do is download any antivirus
and it is considered normal for it to detect stalkerware.
Thank you very much.