]> Intimate Partner Violence Digital Considerations Brave
cherenkov@riseup.net
Derechos Digitales
juliana@derechosdigitales.org
CDT
mknodel@cdt.org
General None Internet-Draft This document aims to inform how Internet protocols and their implementations might better mitigate technical attacks at the user endpoint by describing technology-based practices to perpetrate intimate partner violence (IPV). IPV is a pervasive reality that is not limited to, but can be exacerbated with, the usage of technology. The IPV context enables the attacker to access one, some or all of: devices, local networks, authentication mechanisms, identity information, and accounts. These kinds of technical compromise exist in addition to on-path attacks, both active and passive . In this document we describe the tactics the IPV attacker uses and what kind of counter-measures can be designed in IETF protocols. Discussion Venues Source for this draft and an issue tracker can be found at .
Introduction Intimate partner violence (IPV) refers to physical, emotional, verbal, sexual, or economic abuse of a person by a current or former intimate partner. It is understood that in IPV cases there is an unequal power relationship that enables the abuser to cause harm in romantic or sexual relationships, as well as child or elder abuse, or abuse by any member of a household. Digital technologies are central in modern lives and can be used as a way to enable and enhance IPV. At the same time, IPV is not considered enough when designing digital technologies, networks, or Internet protocols against threats. This lack of consideration has put pressure on health professionals and social workers to mitigate technology-enabled abuse and its effects. In turn, survivors and targets develop ad hoc strategies for digital privacy and safety for themselves alone and only in rare cases are protocol design or cybersecurity best practice available tactics. This type of abuser, "the attacker you know", is neither on- nor off-path, they have complete access to-- perhaps even share-- devices and local networks. They can even coerce their targets. This document describes the tactics used in technology-based IPV. It provides recommendations for the design of protocols and implementations to mitigate those tactics. In what follows, we first describe IPV and related terminology, the kind of tactics attackers use, and we end with the recommendations.
Definition of technology-based IPV Technology enables and enhances IPV attacks with pervasive surveillance, overt monitoring, and coercive access. IPV refers to physical, emotional, verbal, sexual, or economic abuse of a person by a current or former intimate partner. By "partner" we mean anyone with a close relationship with the victim that can exercise abuse in a romantic or sexual relationship, as well as child or elder abuse, or abuse by any member of a household. In cases of IPV there is an unequal power relationship that enables the attacker to cause harm. calls this "digital coercive control" whereby Internet-enabled technology-- through access to local networks, devices and accounts-- becomes a mechanism to exert control, to conduct surveillance, or to aggravate and harass.
Terminology In the rest of this draft, we will use this terminology:
  • Attacker: By "attacker" we mean an abuser in an IPV situation that is using digital tools to enable and enhance abuse. An attacker can also be referred as "perpetrator".
  • Victim: By "victim" we mean the subject of a attack. Notice that we are using this term only in the context of an attack scenario: we prefer the term "survivor" otherwise.
Technology-based IPV attacks In order to describe IPV attacks that are enabled or exacerbated by Internet technology, we first describe our assumptions about the attacker and common tactics that can be used. Then the types of technology-enabled IPV attacks are described.
The intimate attacker The attacker we present in this document is one that either has forceful control of accounts, devices, and/or authentication information for accessing systems, or uses public information to exercise control. The kind of attacker can be technologically savvy or not. We define this attacker as one of the strongest ones as it can have unlimited access to systems and devices. The attacker has some kind of physical access to the victim (or has had it in the past), and often shares a common social network with them. In some cases, it can be the legal owner of the devices/accounts a victim uses.
Tech-based IPV tactics There are many ways in which digital and networked technology can facilitate an attacker perpetrating IPV. Here we informally list their main groups:
  • Ready-made tools: Attackers can use applications or devices that are solely built to facilitate IPV. These apps are sometimes called "stalkerware" or "spouseware".
  • Dual-use tools: Attackers can use applications, control settings or devices built for beneficial or innocuous purposes and repurpose them for harm. This is the case, for example, of anti-theft devices that can be repurposed for stalking.
  • Impersonation attacks: Knowing personal information coupled with access to authentication mechanisms gives an attacker the ability to fully authenticate to services and accounts of the victim, effectively impersonating them. This can be executed to the degree that the victim can no longer successfully authenticate themselves.
  • UI-bound impersonation attacks: Attackers can abuse technology to enhance IPV by abusing the UI of a specific tool. In this case, attackers become authenticated but adversarial users of a system. They cannot, however, escalate to root privileges or access other underlying functionalities of the system. They are bound to whatever system they managed to authenticate to. We will explore later the ways attackers use to forcibly gain authentication to a system.
  • Social media and forums: Attackers can learn and share information on how to use technology to enhance IPV through the usage of these tools. They can also receive narrative justification to condone their behaviour. They can also perform cyberstalking, cyberbullying, doxxing with the usage of these tools.
  • Perception of threat: The mere presence of a pervasive threat is a form of control. The perception that technology can be used to enhance IPV is a tactic of attackers to control victims, take away agency and abuse them. This can lead to lack of trust in technology and further isolates the victim from seeking and receiving support.
Kinds of tech-enabled IPV attacks
  • Monitoring: One of the most prevalent methods to enhance IPV is the usage of active monitoring of any online account that the victim has or of any action that the victim does in the digital world. This includes a variety of behaviors that feel unwelcomed and intrusive, and can involve threats. The monitoring is "active" in that is a permanent action that the victim can be aware of or not, and that the abuser might want to make them aware or not. It can include:
    • Monitoring e-mail, chat-based or social media communication, or browsing history either directly on the victim's computer or through specialised applications.
    • Monitoring location and whereabouts by looking at the metadata of communication, by using location-help applications, or by using specialized applications.
    • Monitoring any data sent over the network by mounting DNS attacks or other specialised attacks.
    • Monitoring any information found on the UI by looking at laptops screens, or other device's screens while the victim is using them.
    • Using the Internet to seek public or private information to compile a victim's personal information for use in harassment.
    In this type of attack, we see these dimensions:
    • Monitoring of the content of communications either at the application layer or other layers.
    • Monitoring of the UI content of application tools.
    • Monitoring of location information.
  • Compromise of accounts: Research suggests that in IPV, an attacker may demand access to a victim's accounts for continuous monitoring and/or restricting their communication with others. This is different from the previous point in that the perpetrator demands access (or uses invasive tools) to tools and contents, rather than using "publicly available" tools or by monitoring without coercion. This type of attack is mounted in order to reduce the "life space" or "space for action" that the victim-survivor may have to perform activities that do not involve their attacker. Once an attacker has access to an online account, they can use that to:
    • Delete data, which can be communication data, documents and more.
    • Have access to friends, family and contacts.
    • Have access to communication, audio-video content, and any associated metadata.
    • Lock out or change the authentication mechanisms that grant access to the account.
    • Impersonate by using the victim's online identity to send false/forged messages to others or to purchase goods and services.
    • Impersonate by using the victim's online identity to publicly post information that can be private or fake.
  • Compromise of devices: This attack is similar to the above, but the attacker demands access to the victim's devices. The goal is the same as the above but the result is more impactful as it restricts access to accounts that are accessed through the device. It can also prevent any connection to the Internet. Once an attacker has access to the device, they can use it to:
    • Phisical prevention of use of the device (the device can be used, for example, to call police services, which is restricted with this attack).
    • Access contacts and data (media or messages) stored in it.
    • Access to accounts and authentication mechanisms for other accounts (saved passwords or authenticator apps -2-factor authentication-, for example).
    • Perform impersonation.
    • Perform denial of access to the device, networks or the Internet in general.
    • Destroy the device itself and any information stored in it.
    • Impersonate by using the victim's online identity as accessed through the device. to publicly post information that can be private or fake.
  • Exposing of private information or media: This attack builds on top of other attacks. Once an attacker has access to an account or device, they can use this access to gather private information or private media stored in it. This can later be used for threatening, extortion, doxing (posting private information), and more. It can also be used to gather information regarding bank accounts, tax information and more.
  • Denial of access: This attack can be built on top of other attacks. It can consist of denying access to a device, but also denying access to the Internet in general by destroying routers (or network devices), changing Wi-Fi passwords or network settings. The goal is to disallow access to services, or contact with family and friends. It can also take the form of disrupting digital communications by flooding a victim's communication tool with unwanted messages or by sending a virus program.
  • Threats: This attack can be considered as a dimension of the previous attack as it can result on a denial of access attack. It consists on sending e-mail, chat-based messages or social media messages that threatens, insults, or harasses a victim.
  • Harrassing: This type of attack seems to appear in different dimensions:
    • On-going harassment with the goal of intimidation, humiliation and monitoring.
    • Harrassment that appears after a victim has "disconnected" to continue coercion: "[Disconnecting] often makes it worse. Clients are much more at risk when they actually separate from their abusers because he suddenly no longer has any control over that victim. So often the only thing left is through the phone, so he's going to start harassing you, calling, texting. If you change your number, now he's most likely going to go crazy. So that's when he's going to start stalking you any way he can."
    Harrassment can be anonymous, but a victim often knows from whom harrassment messages/actions come from; but, due to its anonymity, it is unable to hold atackers accountable. The systems we have in place often need that harrassment content is permanently available so that an investigation takes place. This enhances the abuse a victim is suffering.
Means of attacking The above attacks can be carried out in different ways. We list there the most common ones:
  • Installation of spyware or spoofing: This form of attack consists of installing unwanted tools into a device in order to gain access to accounts or for active monitoring. It can also take the form of remote access by remotely "hacking" security questions, passwords or any authentication mechanism. Most of the time, these tools are installed without the victim's knowledge.
  • Coercion and control: This form of attack consists of using coercion and control (which can be physical, emotional or psychological) to gain access to devices, network devices, accounts or digital information. It often takes the form of forcing victims to reveal passwords or account/devices authentication mechanisms.
  • Shared network plans between family/relationship members: Often times, an attacker is the legal "owner" of a device (owning children's devices, for example) or accounts (a bank account, for example), or they have access to accounts/devices as they are part of a shared family plan. This enables an attacker to carry out the previously mentioned attacks without the knowledge of the victim and without the need for installation of tools.
  • Monitoring: This means of attack consists of the abuse of social media and any public information found on digital tools from the victim that has been shared through them. It also involves installing tools for active monitoring on devices or using "bening" applications in a dual-use manner (applications, such as the "track my phone" one).
  • Exposure: This means of attack consists of the abuse of social media to enhance harassment. It consists of using social media to post harmful content to humiliate, to harass family or friends, for doxxing or to non-consensually share intimate/private media.
Specific abused technology In the research of the ways attackers use technology to enhance IPV, we see this specific technology being abused:
  • Passwords and authentication mechanisms: all authentication mechanisms can be used to enhance IPV as they are the single point of failure used by attackers to get access to the account and/or devices (and, once they have access to those, they can get further access to other accounts or devices). Attackers can use specialised tools (to be installed in devices) to record authentication mechanisms, they can coerce victims in order to get access to devices, and more. They can also mount these attacks against fingerprints and biometric authentication mechanisms, 2-factor authentication devices/applications and more.
  • Media and private information: attackers can use the access to accounts/devices to gain access to media and private information. This media can later be used to bribe a victim, to humiliate them (by publicly posting it), to enhance harassment and more.
  • Recovery of account mechanisms: as with authentication mechanisms, attackers can use 2-factor authentication devices, accounts and/or applications to get access to other accounts or profiles
  • Lack of blocking mechanisms and abuse of anonymous mechanisms: Often times attackers carry out abuse by:
    • Contacting through fake numbers
    • Contacting through fake accounts
    • Sending messages to applications that have a "open" chanel for receiving any message.
    • Abusing of read-recipes to enhance control.
    • Abusing the lack of blocking mechanisms.
Recommendations We list here some recommendations to protocol designers to mitigate technology-enabled IPV:
  • Build proper authentication systems: authentication mechanisms should provide:
    • A non-deletable and non-modifiable list of who has access to accounts/devices.
    • A way to recover access to an account and to change authentication mechanisms.
    • Provide mechanisms to revoke access.
  • Storage and sharing of media: media should be stored/posted in such a way that:
    • It can be taken down at the request of a victim if it consists of private media posted without consent.
    • Provide good and private mechanisms for reporting the posting of non-consented media.
    • Provide a way to destroy media once a device is in the hands of an attacker.
  • Social media: social media can be a way for attackers to enhance monitoring. They should:
    • Provide proper blocking systems that are not limited to an individual account.
    • Provide mechanisms by which only "accepted" people are able to send messages to an account.
  • Browser history or searching information/metadata should be deleted by default.
  • End-to-end encryption must be the default in order to prevent network monitoring.
  • Considering local attackers when designing sensitive applications.
  • Plausible deniability for sensitive applications.
Security Considerations
IANA Considerations This document has no actions for IANA.
Informative References Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement Since the initial revelations of pervasive surveillance in 2013, several classes of attacks on Internet communications have been discovered. In this document, we develop a threat model that describes these attacks on Internet confidentiality. We assume an attacker that is interested in undetected, indiscriminate eavesdropping. The threat model is based on published, verified attacks. National Statistics Domestic Violence Technology facilitated coercive control: domestic violence and the competing roles of digital media platforms Understanding and Addressing Violence Against Women: Intimate Partner Violence
Acknowledgments Thanks to:
  • Lana Ramjit and Thomas Ristenpart for their insipiring work on this area, and guidance for this draft.
  • Shivan Kaul and Pete Snyder for discussions, guidance and support.