People who are the victims of stalkers have a startlingly different cybersecurity risk profile.
I heard the idea articulated and clearly defended by Allison Bishop at CyberWeek. Here is her Twitter, proof that she is funny and evidence that she is wicked smart.
She articulated several specific positions that are worth laying out carefully.
First, she discussed passwords on post-it notes. Old-school cyber-security people will say that written passwords are always a bad idea. In reality, there is good evidence that writing passwords down, as long as you take the steps needed to secure the object they are written on, is a pretty decent idea: it trades an online attack surface for a physical one. Motherboard has a good discussion of this, but I have also heard the point made by cyber-luminary Bruce Schneier, who has pointed out simply that we have a long history of securing access to physical things and understand it pretty well. I think he makes this point in one of his excellent books, but it also might be on his excellent blog.
The new-school wisdom is that a written password book, or a pad of post-it notes, is an OK idea as long as it stays at home or you have some other good means of securing it.
What Allison pointed out is that stalking victims very frequently have someone going through their stuff while they are not at home, frequently an ex-partner who “still has the keys”.
The second point she made was that stalking victims are more vulnerable to being forced to unlock devices with their fingerprints and faces under duress.
For most people the value of fingerprint or face unlock is indirect: because unlocking becomes painless, they can set the device to “time out” and require login much sooner, and on balance that improves device security. It is worth being explicit about why the timeout change is required. Adding a biometric does not replace the PIN, pattern or password that most phones already support; it is an additional pathway that also unlocks the device, so on its own it only widens the set of ways in and makes the device less secure overall. The gain comes only from the shorter timeout that the biometric makes tolerable.
All of this is based on the normal calculus of threat modeling for the typical person. The typical person (certainly me) assumes that the threat being mitigated is having the device stolen and accessed by a thief who might use saved passwords to get into a bank account or share personal/naughty pictures with the Internet.
If you have a stalker, on the other hand, the notion that your phone can be opened without a password by an attacker using your unconscious face or your limp finger is pretty scary.
Her third point was that these women definitely need a “sanitized environment” that can be unlocked with a false PIN. I will not describe the proposal with her elegance, but basically, it means that if your phone normally opens with PIN “4321”, entering a second PIN, say “5678”, opens the phone into a sanitized environment that hides certain data and/or apps. This way, if you are forced to unlock your phone under duress, you can open it in a way that does not reveal your data but satisfies the person threatening you with physical violence.
Her fourth point is that the “nanny” rootkits (monitoring apps marketed for watching children or employees, and easy to obtain in the Android ecosystem in particular) are a significant problem for stalking and abuse victims. A victim can easily lose physical control of their phone, briefly and without realizing it, to a person who is violating their physical security. That temporary loss of control can snowball into a long-term, escalating threat: the victim cannot understand how their stalker or abuser seems to “always know” where they are and what they are doing. The same app can also put other online accounts at risk, as the stalker or abuser uses the rogue app's key-logging to harvest passwords and gain wider access.
Taken as a whole, Bishop's points characterize the stalking victim's threat model: an ever-present, nearby, physically dominant adversary who has typically already demonstrated that neither morality nor the weight of the law restrains them.
I imagine that the only two frequently cited threat models that come close are living under an omnipresent authoritarian government that is willing to threaten or enact violence against any evidence of disloyal thinking (Taliban/Trump et al), and the troubling pattern of US border patrol requiring that devices be surrendered upon entering the United States.
These two threat models and their corresponding use cases certainly concern me, but I mostly avoid them by not traveling to autocratic countries, and by only infrequently “re-entering” the United States. I assume that most world citizens can take the same steps, and therefore these problems are limited to those trapped in autocratic countries or those performing critical international journalism. Both of those are critically important, of course, but Bishop reminded me that there are people living next door to me who essentially have to navigate the same type of threats, without the benefit of the massive amount of attention that the cybersecurity community gives to the previous two use cases. At least, I have never before heard a cogent talk about the cybersecurity issues these communities face.
It should also be noted that in the typical case, although the stalker has the advantage of surprise, timing and a domineering physical presence, they often lack technical sophistication. That detail is critically important because it changes conversations like this one, about whether the Signal iPhone app should have a secondary access PIN. Signal currently provides a “secondary lock” without a “secondary PIN” on both Android and iPhone, re-using the device's own unlock, and for this use case that is not the best design. It would be better, for instance, to let these victims insist on PIN-only access to the app (no biometric), even when their device itself accepts both biometric and PIN unlock.
The stalker or abuser who uses a biometric unlock on a victim he has knocked unconscious (or who is asleep) might have the sophistication to “check every app for something interesting”, might even be able to install and use a nanny rootkit, and might be able to use passwords captured by that rootkit to abuse online accounts. But they are still unlikely to get past a simple additional PIN on an app. This means that features that are simple for apps like Signal and other privacy-enhancing applications to implement may be much more worthwhile than they first appear.
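As an added illustration of the two mechanisms discussed above (the duress PIN that opens a sanitized environment, and an app lock that accepts only a PIN), here is a small Python sketch of my own. It is not Bishop's design, Signal's code, or any phone vendor's implementation. Each enrolled PIN derives a key that seals one profile, and the lock screen simply tries every sealed profile against the PIN it is given: nothing on disk marks which profile the owner considers the real one, there is no biometric path into the unlock code at all, and a wrong PIN yields nothing. The PINs, profile contents and iteration count are constructed for the demo, and the HMAC-based stream cipher stands in for a proper AEAD because the Python standard library has none.

```python
"""Sketch of a duress-PIN lock: each PIN seals its own profile; the lock
screen tries every sealed profile against the PIN it was given and never
records which profile the owner considers the real one. Illustrative code,
not Signal's or any phone vendor's implementation."""
import hashlib
import hmac
import json
import os

KDF_ITERS = 100_000  # PBKDF2 rounds; kept modest for the demo


def derive_key(pin: str, salt: bytes) -> bytes:
    """64 bytes from the PIN: first 32 encrypt, last 32 authenticate."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERS, 64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stands in for AES-CTR, which the stdlib lacks.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class LockScreen:
    """PIN-only lock. There is deliberately no biometric path into unlock()."""

    def __init__(self):
        self.slots = []  # (salt, sealed profile); slot order carries no meaning

    def enroll(self, pin: str, profile: dict) -> None:
        salt = os.urandom(16)
        blob = seal(derive_key(pin, salt), json.dumps(profile).encode())
        self.slots.append((salt, blob))

    def unlock(self, pin: str):
        """Try the PIN against every slot; the MAC check is the PIN verifier.
        Every slot is always tried, so the real and duress PINs take equal time."""
        opened = None
        for salt, blob in self.slots:
            plaintext = unseal(derive_key(pin, salt), blob)
            if plaintext is not None and opened is None:
                opened = json.loads(plaintext)
        return opened


# Constructed demo using the PINs from the text: "4321" is the real PIN,
# "5678" the duress PIN that opens a sanitized profile.
REAL_PROFILE = {"apps": ["Signal", "bank", "photos"], "hidden_contacts": 3}
DECOY_PROFILE = {"apps": ["weather", "camera"], "hidden_contacts": 0}


def build_demo() -> LockScreen:
    phone = LockScreen()
    phone.enroll("4321", REAL_PROFILE)
    phone.enroll("5678", DECOY_PROFILE)
    return phone


if __name__ == "__main__":
    phone = build_demo()
    print("real PIN   ->", phone.unlock("4321"))
    print("duress PIN ->", phone.unlock("5678"))
    print("wrong PIN  ->", phone.unlock("0000"))
```

The two sealed blobs are indistinguishable to the lock screen, but not to a forensic examiner who can see that two slots exist and can keep the device while trying PINs; that is exactly the sophisticated, persistent adversary this design is not meant to resist. A real implementation would also keep the derived key in hardware-backed storage, rate-limit attempts, and wipe the decrypted profile from memory on lock.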
The difference between the “stalker” threat and the “crooked state police” threat is that the stalker has only momentary physical superiority over the victim. Many defenses are rightly dismissed because they cannot withstand sustained physical coercion: the attacker can simply keep the device and keep demanding. This community, however, is a valid use case for defenses that fail against a persistent physical adversary but hold against a momentary one.
This is critical because it makes it obvious that building tool-kits for this particular community is worthwhile. They have specific, reasonable requirements that are not always difficult to implement. There is low-hanging fruit here that could dramatically improve the day-to-day lives of a community that is surprisingly large.
It is also obvious that there is work to be done educating this community with specific advice that fits the currently available cybersecurity tools. For instance, now that Signal piggy-backs on the phone's own authentication mechanism to provide its additional layer of locking, it is probably excellent advice that people threatened by stalkers avoid biometric unlock on their devices altogether. They should probably also avoid Android devices until that platform makes it harder to install nanny rootkits. I am sure that Bishop has dozens of other specific points of advice that are relevant. For the purpose of this article, it is enough to point out that specific advice exists and would be valuable to disseminate.
It is also worth pointing out the critical connections between other classic women's health issues and this one. Most victims of stalking and domestic abuse are women, and stalking and reproductive health become intertwined in all kinds of ways. Thinking about cybersecurity from the perspective of women's health should always include some kind of check: “are you the victim of a stalker or of other forms of physical abuse?” Because the advice changes. How a person should manage passwords changes, and there are likely to be many other interactions between a woman's cybersecurity needs and her potential status as an abuse victim.
Suffice it to say, Bishop's talk was eye opening and challenged multiple assumptions I had that I did not know I had. The best type of technical talk, really. I believe that the University of Tel Aviv plans to release most of the CyberWeek content on their YouTube channel eventually, and when that happens I will try to update this paragraph with a link to the original talk. In the meantime, thanks for reading my celebration of her ideas, which are worth spreading.
-ft