chevron-down Created with Sketch Beta.
    Feature

    The Perils of Spyware: A Quick Overview

    By Fernando M. Luna

    As family law practitioners, we are called to counsel clients on matters that range from formulating parenting plans to dividing business interests. The broad range of issues involved in family law is unparalleled in any other area of law. We communicate with our clients via email, telephone, and in-person meetings about sensitive and personal issues and strategies for presenting their cases. We vigilantly endeavor to safeguard the attorney-client privilege.

    What if your opposition had access to your client’s private communications and exact whereabouts and could even listen in on your attorney-client communications, all without anyone knowing? How could that happen?

    Spyware.

    Isn’t the use of spyware illegal? In many circumstances it is, but not always. Is the possibility of criminal or civil penalties sufficient to deter the opposition from attempting to gain a sizable litigation advantage? Would it prevent a perpetrator of domestic violence from exercising dominion and control over a former partner by accessing his or her whereabouts, text messages, or emails? To answer these and related questions, let’s step back and take a look at the bigger spyware picture.

    What Is Spyware?

    Merriam-Webster defines spyware as “software that is installed in a computer without the user’s knowledge and transmits information about the user’s computer activities over the Internet.” A broader definition for spyware would be, to paraphrase one tech website, a range of software installed on any kind of electronic device, from a home security system to a mobile phone, that can be used to conduct surveillance, obtain private information, or retrieve sensitive data without the user’s knowledge. See http://www.virusradar.com/en/glossary/spyware.

    What Can Spyware Do?

    Through the use of various spyware or apps (which are a type of software program), a client’s location, email communications, text messages, computer keystrokes, passwords, financial accounts, driving habits, and conversations can be surreptitiously accessed.

    Types of Spyware

    Spyware comes in many varieties and a wide range of capabilities. Common varieties of spyware are software programs that we knowingly install on our own electronic devices. These include GPS trackers; cellphone apps (location services, Find My Phone); car apps (connected vehicle smartphone apps); smart home security systems (e.g., Ring and Nest); and family-shared apps that capture contacts, call logs, personal information, and SMS (text) messages and track “lost” devices. Other varieties of spyware are surreptitiously installed apps or programs, such as keyloggers, downloaded malware, or remotely installed monitoring apps.

    How Is Spyware Installed?

    Software previously installed on a party’s phone prior to the initiation of a family law case can be turned into spyware. However, spyware can also be installed secretly and remotely.

    Previously Installed Apps

    In today’s digital society, many couples have interlaced digital lives. Sharing bank, credit card, social media, and online accounts is not uncommon. We knowingly and willingly install software or apps onto our electronic devices that provide us with easy access to our accounts. Many of our mobile phones also have apps installed for home security, location services, shared photo accounts, shared file storage accounts, online banking accounts, and shared messaging accounts. Apps are available to parents to monitor their children’s Internet browsing, social media usage, and even driving habits. Sharing such apps or accounts might commence as a convenience to a couple, but they are essentially tools that track activities, locations, and purchases.

    To better understand what information can be obtained through these previously installed software programs, it is helpful to have a general understanding of their features.

    • Smart Home Apps offer features such as automatic door locks, automated lighting systems, and surveillance systems. For example, Nest and Ring home security systems record everything (video and audio) to an application service provider that can be accessed remotely. Many homes have multiple cameras installed, affording a resident complete coverage of the property inside and out. You can remotely listen and view any area covered by the camera in real time or from a digital recording of past events.
    • Vehicle-Connected Smartphone Apps allow drivers to find their car’s exact location on a map, lock or unlock the car doors from anywhere, and access the car navigation system, which often display previous routes (driving directions).
    • Location-Based Services identify the location of a person or object. They can reveal the nearest banking cash machine or the whereabouts of a friend or family member. Such apps store additional information about locations visited, including the date, time, and duration of the visit.
    • Family Monitoring Apps run on your mobile device to allow you to view your family members on a map, communicate with them, and receive alerts when your loved ones arrive at home, school, or work. These apps can provide in-depth information about each of your family member’s driving habits, including whether a family member is texting, checking email, or changing the music on a cellphone during a drive. You can be alerted to instances of unsafe phone use while driving and even access thirty days of family members’ location history.

    These apps can become problematic for the party in a divorce proceeding who fails to disable such apps or who changes the password, access code, or log-in information. The app will continue to be accessible to anyone with the log-in credentials. Without changing the password, disabling the app, or expressly revoking the other party’s access, that other party will continue to be able to access the app or joint account from his or her device. This other party will continue to be able to log into the smart home system or perhaps the family monitoring app on a smartphone and track the first party’s whereabouts 24/7 or view video from the home security system. The apps and accounts previously installed as a convenience or security feature can now easily be used to wrongfully listen in on private conversations, view without consent, and, generally, spy.

    Surreptitiously Installed Apps

    More nefarious spyware can remotely record phone calls, capture keyboard outputs, and track financial information. Variations on this type of spyware can allow access to a mobile device’s camera and microphone. A phone can be set in “listening mode,” even during a meeting occurring miles away—say, for example, at your office. The perpetrator could be able to hear everything said within earshot of the phone, becoming the proverbial fly on the wall.

    An app not available on Google Play or through the Apple App Store but offered for download through a third-party provider is sold by a company that dubs itself “the only cellphone spying company that offers one-of-a-kind Remote Installation Support.” This app is able to record and listen to phone surroundings by accessing the microphone on the target device. “Turn on target iPhone’s front or back camera remotely. Take photos or videos using the iPhone’s camera and view it later from your web account,” the advertisement reads.

    Generally, this type of spyware is surreptitiously installed in a few ways. The target could open a disguised email attachment containing the spyware installation file. The target could also be sent a link, which, once clicked, would lead him or her to a site that installs tracking software or an app on the device. A party could install spyware on the child’s phone and use the device to track the phone’s location while the child is in the other parent’s physical custody.

    Spyware takes just minutes to install. Other ways in which spyware can infest your device include “drive-by-download” (whereby spyware loads when you visit a page), phishing links, and even tools disguised as “anti-spyware” apps. It can also be downloaded through physical devices such as USB drives.

    Once installed, spyware can capture incoming and outgoing messages from the target’s phone, Web searches, and even keystrokes—the letters someone types, say, when logging into a bank account.

    Information Obtained Via Spyware: Admissible in Court?

    Many jurisdictions have statutes that make evidence collected by eavesdropping inadmissible. Information obtained through the use of spyware would certainly fall into the ambit of illegally obtained evidence.

    However, if a party knew or should have known that the other party had access to a previously shared app, home security system, or location information, would such evidence still be considered illegally obtained? The answer to this question is not well-settled.

    When Your Client Wants to Spy

    A prudent practitioner should advise clients not to use any form of spyware to collect information. Spyware use may result in violation of your jurisdiction’s penal code and civil statutes. Accepting illegally obtained evidence may make you, the lawyer, a party to wiretapping and intercepting electronic communications and subject you to criminal or civil liability.

    Civil Penalties and Criminal Prosecution

    The use of spyware may result in a civil restraining order or order of protection being issued against the perpetrator.

    Accessing a home security camera or webcam or using cellphone cameras in situations where an individual has a reasonable expectation of privacy is illegal. Surreptitiously installing spyware onto another person’s computer or cellphone is illegal. With limited exceptions, recording telephone conversations without consent is illegal. Recording a conversation of another person without his or her knowledge or consent is against the law. Tracking another person with a GPS device is likewise illegal, unless there is consent. 

    Some states have enacted statutes similar to California Penal Code section 637.7(a), which states that “no person or entity in this state shall use an electronic tracking device to determine the location or movement of a person. . . . (d) As used in this section, ‘electronic tracking device’ means any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals.”

    Protect Your Clients: Dissuade and Educate

    Notwithstanding the illegality of the conduct, a party might be more interested in the information that can be collected through spyware than the consequences of collecting it. The improbability of detection and difficulty in proving the identity of the culprit might only serve to encourage a more sophisticated party to use spyware. Be proactive in dissuading clients from the use of spyware and educate them on ways of protecting themselves from becoming targets of spyware.

    How to Detect Spyware

    Detection of spyware can be extremely difficult and expensive. Spyware is relatively inexpensive to install and very expensive to detect and remove. Antivirus and malware detection programs are generally behind the curve and fail to detect spyware. In fact, some app developers advertise their apps as “undetectable.” So how do we know if we are victims of spyware? Generally, clients will have the sense that the other party simply knows too much about them. This is a sign that something is amiss. You could ask a party during discovery to admit that he or she has used spyware or has access to apps that share location services or personal information about the other party.

    It is incumbent on the prudent practitioner to discuss with a client whether the other party has access to his or her email, online bank accounts, location services, home security system, or smartphone apps. Questions during a consultation about such online accounts can help prevent an intrusion. Inquire about home security system access and suggest changing passwords and disabling accounts. A client may wish to disable a vehicle app, Find My iPhone, or any GPS tracking app that may contain rather revealing information. Clients will not appreciate opposing parties having knowledge of the exact location of their mobile phones, tablets, or vehicles at any particular time of day. iOS location services, such as Find My Friends or Family Sharing, both of which are “native” to iPhones, even allow devices to receive notifications when a family member leaves or arrives at a location. Clients should consider turning these services off.

    Protection of Evidence and Communications

    Many practitioners advise their clients at the outset of the litigation to turn off their social media accounts. Any advice to turn off social media should not instruct the client to delete the account or any evidence. Known as spoliation, evidence loss or destruction may be punishable in a number of ways. Courts may issue monetary, evidentiary, or even terminating sanctions to punish and deter spoliation by a party to litigation. Criminal and disciplinary penalties have evolved to punish any individuals involved in spoliation, including attorneys.

    As family law practitioners, we must focus on helping our clients to safeguard their private and sensitive information and on keeping our communications with our clients secure. While some information obtained by spyware is discoverable, the proper discovery procedures should be utilized to obtain any nonprivileged, relevant information. Our clients should not have their right to privacy violated.

    Recently, a client was directed to a cybersecurity specialist for ascertaining whether spyware was installed on her phone. The cybersecurity specialist’s services, however, were cost-prohibitive. Moreover, the specialist was unable to guarantee complete protection and removal of the threat. He suggested that it would be far less expensive and more secure for the client to buy a new device, change all account passwords, opt for two-factor authentication, and set up a new email account.

    You need only a little imagination to see how spyware can undermine your case, whether your client is the target or the offending party. We should advise our clients to govern themselves accordingly and act in a dignified manner during litigation. The use of spyware will sabotage that approach. If a client uses spyware, he or she may end up going from your family law office to a criminal defense attorney’s office instead.

    Tips for Keeping Digitally Secure

    We should advise our clients to be security conscious at all times.

    • Avoid clicking on suspicious links.
    • Avoid downloading software or applications from unreliable sources.
    • Use reputable security software to keep yourself constantly protected.
    • Keep up with operating system updates.
    • Use strong passwords to protect your accounts.
    • Change app and account passwords.
    • Change app and account access codes.
    • Change security questions to reset passwords.
    • Open a new email account.
    • Change banking passwords.
    • Update security questions.
    • Use two-factor authentication, when available.
    • Disable location services and family sharing services.
    • Contact an IT professional or replace the device if you believe your device or account has been compromised.

    —F.L.

    Fernando M. Luna

    Fernando M. Luna, of the Law Offices of Fernando M. Luna in Pasadena, California, focuses his practice on family law. He has been listed as a California Super Lawyer, California Super Lawyer Rising Star, and a Pasadena Magazine Top Attorney, and he has served as an executive committee member of the Southern California Family Law American Inn of Court. His volunteer experience has included work for the Los Angeles County Bar Pro Bono Domestic Violence Project, the Harriet Buhai Center for Family Law, and the Los Angeles Superior Court Northeast District Judgment Clinic.

    Entity:
    Topic:
    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.