
Welcome everybody. Are you having a good time? Well, that's about to change. [Music] >> There we go. No. Oh, come on. I fixed this just before. Okay, I got it. Hi, I'm Erin. Uh, I refer to myself as an OSINT freak. I dig up crap on people for the security company I work for. And uh because of a cooperation that we have with a nonprofit in my home country of Sweden, I also get to merge information security and feminism in actively helping uh women's shelters with uh digital security, which turns out to be a bit of a a challenge. Uh so this talk comes with a trigger warning, content warning, uh domestic violence, uh possibly also
lots of terrible jokes. Uh, so I'm sure we'll all be great together. Um,
if you apply cyber security theor theory on the realm of domestic violence, you could theorize that uh domestic violence is when the admin or like uh the attacker started as an admin or the super user uh a trusted user in your system. they are already in uh they may be the ones who set it up for you and they're sleeping next to you in bed. Um so applying uh I thought we would play a game uh and apply uh cyber security um theory to domestic violence by using the MITRE, MITRE, no, MITRE ATT&CK framework from the perspective of an abuser. So, sorry. This is uh applicable for your uh average domestic abuser uh as well as human traffickers, uh pimps,
patriarchs, local crime lords. So, step one, reconnaissance. You have a girlfriend. What does your girl have? What can you exploit to control her? What connections does she have? What is she good at? Uh what does she enjoy? Make a plan to take them away from her. Resource development. I've decided to interpret as um the de developing the resources necessary to assume control and one highly such exploitable resource is children. Making her pregnant is uh essentially inserting her with a payload that she will treat as a critical asset which is [ __ ] brilliant uh and quite popular in like the human trafficking and sex trade uh sex slavery trade. So because apparently people are willing to
do virtually anything uh for their offspring which is well highly exploitable uh you gain your initial access by sliding into her DMs, house and/or uterus. Step two uh execution uh run malicious gaslighting code. Um, you can attack her sense of self-worth and identity uh that by running malicious gaslighting code that degrades her defense capabilities. Uh, known vulnerabilities in women uh include [ __ ] shaming, uh, internalized misogyny and uh, heterosexuality. Uh, I am straight so I'm allowed to make that joke. uh once you gain persistence for instance by achieving children persistence is uh virtually guaranteed for uh biological reasons as well as supported by the legal system because you're you're now a legal guardian while
uh uh so creating children is uh open source knowledge uh but the terms and conditions and licenses are legally binding and widely enforced in society meaning if uh even if she manages to leave you are almost certain to be allowed access to her via the kids VPN. Privilege escalation. It's not enough to control her mind and body. Uh patriarchy recommends controlling her financially as well socially and legally. Escalate your privileges to control her bank accounts uh ability to exercise legal action uh using eIDs for instance and her communications i.e. her socials um social media defense evasion. Depending on your victim's environment, defense mechanisms may vary. Solutions include abusing trusted processes like having her defend your actions uh having her
defend your actions or lie on your behalf to friends and family networks or disconnect her from such networks completely. You can attempt to hide artifacts associated with your adversarial behavior such as um shaming her into covering covering her bruises. uh with uh increasingly modest clothing. Credential access covered in uh privilege escalation mostly. If uh coercion is not yielding 100% success rates of credential capture, you can always install security cameras in your home and uh uh watch her input her passwords or pins on her devices. Sorry, too far. Um, if you haven't already found out everything about her and control all aspects of her life, investigate what relationships relationships seem prone to survive sustained attacks such as and may remain
trusted even after you've assumed control such as mother. Uh, then take uh then make sure to sever that connection as well. Next up, lateral movement. Um, I suppose the MITRE framework is not entirely applicable to the domestic abuse situation. Uh, it's becoming a bit wonky here. Um, I'm thinking ensuring uh you also monitor her lateral movements uh is the way you can interpret this. Uh, for instance, having a tracking device in her car or if it's a car that's new enough, it is a tracking device. um and that you can get credentials to um collect assorted amounts of nudes, lewds, and other materials that you can use to reinforce coercive measures as leverage or compromise.
Make her an agent under your command and have her transport your drugs, hide your guns, take out loans for you, buy stuff for you. In general, just sign her name wherever you would prefer not to have yours. Uh not sure how exfiltration is applicable in this scenario, not going to lie. Uh I mean at this point like your girl is just like a ghost in the shell of the person she used to be. Impact the adversary is trying to manipulate, interrupt or destroy your systems and data. That's the that's what MITRE uh defines as this um at this step. Yes, people are also getting destroyed. Women are getting murdered. uh and when she's completely pwned uh
from following all of these steps, the extreme violence is usually the last step to take, the last means of escalation. Um every year about 15 women are killed by a man they loved uh in Sweden, which is where I'm from, and that's like one of the good countries. It's not too much, I guess. Uh but an unknown number is currently suffering uh in some of these stages uh previously mentioned. And so one question that always comes up is why doesn't she just leave? Uh actually that's the point where most people are killed. Um either because she is leaving or because he thinks she is leaving. And I'm saying he and she uh due to the like 955%
uh disparity uh of of uh known victims and abusers. um [Music] when she's starting to take action is most often the most dangerous point. Um digitally controlling loved ones is uh exploding in prevalence. Uh I'm sure people in the crowd here have a like a Life360 app where their kids are, you know, on on it so that you know when they're back home for football practice. um you know when to start dinner because uh you get a ping that your partner has start has started driving home from work etc. So leaving such a relationship used to be hard and then came the surveillance state internet where everyone uh knows everything about uh each other online.
So I will now uh tell you some examples from uh real cases that we have uh assisted on and that illustrates how all encompassing the possibilities of surveillance and control are. So some ways of exerting control including home camera surveillance. Um there was a woman uh who spoke to a shelter. uh she didn't think she was being monitored in her home, but there were so many things that he knew that he shouldn't be able to know. So, they asked, "Do you think you're being surveilled in your home?" And she's like, "No, of course not. He doesn't know how to." Yeah. But then uh once uh one night he was out and so she turned the lights out and used her
phone's camera to like video the inside of her apartment and she saw that the small uh purplish blue infrared sensors looking back at her from every corner and she's like hidden cameras great. Uh but she managed to get out and she's free today. uh tracking hardware. Uh it's not enough uh that you had have to guard uh against the surveillance that is possible through your uh like known um uh like the things you know can follow you around like your phone uh or other uh devices. There there is also completely like widely available and legal tracking hardware um which for instance Apple Watch uh for your kids uh it's literally advertised for kids uh that
the parents uh like uh that you you should get Apple watches uh for your kids. Uh a lot of us walk around with these watches. Uh I mean they're of course also uh like usable for monitoring adults. Uh but I mention them specifically because they uh mention uh there's my pointer. They mention uh geofencing for kids. Uh so and and like they're essentially just a complete smartphone. Like they have the eSIM, they have the GPS connection, everything on it. So it's not it doesn't show anything less than a real uh than a full on smartphone. So they can look, listen and locate uh someone as much as uh a whole phone. So um I was uh doing a
digital like counter surveillance training for a shelter where they had also invited local social services and police officers. Uh so we we all could share in in uh talking about the challenges. And so the police told me that they had a case where they had uh credible evidence that a child was being abused so they picked them up at school so they could secretly take them to another location, interview them, and then put them back at school uh so the parents wouldn't know. Only the kid had an Apple Watch. So, they thought that they had a they thought that they had um a conversation in private, but probably the parents could hear everything through through the Apple Watch.
Probably they got a freaking notification when the kid left school because it's a geofencing capability. And the cops were like, "Oh, we didn't know that." Like, how is this possible? How uh I don't know what happened to the kid. Um secondly, same story with AirTags in my opinion. Uh lose your knack for losing things or your wife. They last for months and months, even years, easily hidden. Uh shelters have found them stitched into the lining of the kids' bags, clothes, shoes, toys. Uh a lot of toys have lots of electronic uh uh com like um components today. Like how do you know which is supposed to be there and which is a like covert uh
tracking uh device like tracking device? Um they have uh they released AirTags, people got killed and then they created a fix for like ping it, find it. um only this works better uh this doesn't work as well as uh advertised. So, uh, a women's shelter being excellent security researchers tested this themselves and so they put a an air they bought an AirTag, activated it, put it in a colleague's bag, and then uh sent her home with it and they are so Apple is advertising that it uh playing starts playing a sound that you're being followed by someone else's AirTag after a while. the the shelter got notified after 18 hours, which is more than
enough for someone to have gone back to their new secret location uh after, for instance, uh having a handover um with the abuser. Uh and these are these are like the popular mainstream world's biggest like world's most valuable company maybe still uh devices. There are of course a ton of uh less reputable products uh that are not covered by the Find My networks and such. Uh hope it works. Yes, there we are. In case you were wondering where I got my information, um social media is essentially also um just tracking software straight up. Uh it's very hard to disentangle yourself and like remove yourself from the internet once you're up there. Um you know how there's an
XKCD for everything. I'm using two for this talk. Um so you might be sharing your location through social media and other apps. This is known. However, uh if you're not like in the security business, if you're not um like a techie, how do you really know like uh where all these things are sharing their location? And it could be uh also covert, covert location sharing uh like a notes app or something that you don't expect and then so you're sharing a an old login for instance and then you can see like this note was created blah blah blah. uh the the ubiquitous uh eID solution uh in Sweden for instance uh logs uh where your
location is every time you sign use make a signature um a verify yourself uh which creates uh essentially a a um a map of your locations. Um camera and photo apps often store location. So um and include that information if you send that photo over. And one uh thing that the social services and courts are doing at least in Sweden is that even after you've left someone, they have uh the right to see their kids uh which means that you as the other parent has to provide uh for instance photo evidence that they're having a good time or a video call which uh people the social services and courts are like that's better than having to physically meet
because then it's just a video call. Yes. Do you control for what information could be leaked through that video call? What do you mean leaked? Do you clean off the EXIF data, the metadata from the photos uh before you forward them to the abuser? What is metadata? You see the and so like the level of knowledge in these uh in this area uh is uh frighteningly low in some cases and this is still you know, a very digital society. Uh friends, uh might and family might share your location by uh checking you into a certain location or tagging you in a photo like we went to dinner. And if uh that photo contains information, uh you can like go in your way to
finding where that location is. Um this slide summarizes the whole problem. uh with trying to keep your stuff private when you're sleeping next to your attacker. They always have the option of coercion or violence. and they've spent uh if if you follow my uh guide to the domestic abuse as provided by MITRE ATT&CK framework um you will know that uh breaking breaking down sense of self-worth and um uh self-defense is a a necessary component. Sorry. Hello. No there. psychology of control. So, it's better if I just do what he says is the most common um response to an escalation of control uh from the victim. Uh so, once you've inserted enough malware to degrade her
integrity, you can teach her to take the path of least resistance uh to your benefit, usually doing whatever necessary not to provoke the next attack. So, always be dancing around your attacker uh saying obeying in advance, a term that's been increasingly popular uh online. So, is there a comparison here between fascism and like abusive relationships? Yes, but I feel like that's a that's a for someone much smarter than me to write a an essay on. Uh nudes as extortion extremely common. Uh this is also something that kids use against each other, which is uh lovely. Um, it's very common to also like trust someone with your nudes. Uh, and then, uh, that someone abuses your trust by
sharing them or threatening to share them. And it's, um, but it's not necessarily something that you actively shared at some point. They could also have been taken uh there can also be nudes that have been taken of you covertly or against your will like uh either either through force. Um and then he creates this kompromat to use them as leverage in the future [Music] and depending on your context uh that literally so if he holds nudes as ransom that literally also holds your future uh as ransom uh as you might um you know lose your entire career, reputation family uh if they are revealed. Um
this is also the very common like comes with the territory of uh um living with your attacker. They can either sit next to you as you're entering your your details or uh force you to also have biometric access granted on your devices uh with your abuser which is also something that's very common that people do for each other. like I have my husband's uh thing on my phone as well so that he can open it for me if if we need to do something and it's like that that sort of level of trust can be um exploited in the future. Um coerced location monitoring um there was this woman who was um uh in the process
of escaping her abusive husband uh who needed special help because he was constantly monitoring her geolocation. like he didn't have a job. His job was to sit at home and look at her geolocation moving around town like from her workplace and stuff. And she worked in a very like large area where he could see even like which part of her building uh she was in. And so whenever she was in a meeting uh she had to send photo updates uh of the like if they were sitting around the table, she had to sneak a photo of of the the people's shoes so that he would know who was in the room. So she wasn't talking to
someone she w wasn't supposed to. Uh so in order to create a situation where she could speak to uh this women's shelter that was helping her, she prepped by taking photos of another meeting and then uh using those to send when uh she was actually in another room talking with the women's shelter. Um and this is this is like an absurd level of of having to manage uh the the persistence of an attacker. Uh but he then the the attacker was also um absurdly possessive and uh persistent. So um she's free today trying to escape. Um it's all about the threat model really. Um one thing they'll tell you at women's shelter is that uh it's not the
capacity of the threat actor, it's his persistence, his motivation. Like the [ __ ] who's never going to give up is worse than than the person who knows everything but actually could move on with their life. Uh it's a battle of attrition. So the first to be exhausted is the one to lose. The first losses. Um so uh if you get the feeling like honestly what's the point? It's impossible to to protect uh against all of these like security challenges. Uh it's an understandable response. Uh but it's not an acceptable attitude when your life is at stake and we have to uh we have to do what we can to survive. Um why is this not sorry?
At least my photos are working this time. Okay. Some examples of uh persistence. uh we've seen um so-called parental control on devices. Uh it seems to be a feature that uh there are iCloud uh iCloud accounts that can be like uh subordinate uh a parental um accounts and obviously Apple is not going to write out easily how to escape that uh hierarchy because that would allow like teenagers to break out of their you know um so um it's it's like it's legal, it's default uh and it's being exploited and it's unclear how to uh escape if your if your iCloud account has that relationship with another account. And so uh this is of course being used and it's really insecure
because of obscurity. And so we this is part of my thesis that we've also designed a society for surveillance as a feature rather and surveillance by default uh which is um uh creepy. And it also makes it so that people who have technically never done anything wrong still find themselves in a situation where someone else controls all their devices or all their accounts. Uh the car Tesla's l uh so this is from a couple years ago. I heard that this is uh this is uh uh not quite as simple as it used to be, but like why would you stake out like why would you wait outside someone's home to see when she comes out so you can intercept her when
you can just park your Tesla and like look at the look at the all the angles and see when she leaves. Uh so um this uh this is something that was used um uh in in real life uh to to surveil people. Uh also parking apps. Uh I this is a I think this is a thing here. Uh but like I don't know camera parking where you is a fancy like parking system where you just drive in and it reads your license plates and it says like uh yeah welcome to you know uh Leeds uh city center parking space blah blah and that notification can be sent to someone else essentially pinging where you drive in.
And there and then like they we build out these parking spaces and there's no other option uh other than to use camera park camera parking. So that means that you don't know where you are you can drive safely. I mean this is a terrible uh future to be in. Um of course anything that the kids has like uh if you're if you're friends with them on Steam or Xbox uh they you have access to them that way. uh social media, the smartwatch. Um, one infuriating case, cuz kids always find a way, uh, there was a safe house uh, run by, uh, municipal like social services. Um, and they tried to enforce uh, um, no devices allowed policy uh, in
the safe house because it was a secret location and they didn't want to um, uh, want it known. Uh, so kids found like the one device like the the the managed iPad that the safe house was sharing for entertainment purposes and they recorded themselves doing a TikTok dance or whatever the kids are doing these days. I'm sounding very old, I realize. Uh, but they did not post any geolocation data. They did not like do anything wrong. It was a relatively anonymous account. But in the damn comments, another kid um posted like, "Oh my god, you guys are at Safe House 11. I was there too last week because kids I recognize the bed sheets. That's what
they said. I recognized the bed sheets. So like you never know what it is that's going to reveal you and that makes uh it endlessly difficult like um to keep your attacker out the so-called defender's disadvantage or dilemma. um they need to be success that the defender needs to be successful in hiding everything all the time while the attacker only has to be um successful once. Um I mean I I see but it's a pretty defeatist attitude. I don't find it very helpful. Um doesn't mean it's not true I suppose. Um however worst part when it comes to then trying to train someone to defend themselves. >> Yeah. from uh from attacks in the future is that
traumatized people are terrible learners. Uh it's hard to focus uh and remember every small detail when you're panicking and uh you have um so we've we've learned that all any and all defensive measures that we recommend and we train uh people in have to be very difficult to do wrong. uh there is a vulnerability of a supply chain attack i.e. the network of humans in the in the near in your uh environment as well as the kids uh new school or football team uh the other parents can leak uh information um in future uh and as the uh previously mentioned court order to provide the attacker with OSINT materials such as um it's cons yeah yeah
considered a patch by the state security nightmare in my opinion. Uh so a consequence of a society built around surveillance. I am not doing this as fast as I needed to. Crap, I still have a bunch of presentation left. Okay. Uh I argue um that we find ourselves in this situation. uh we have for some reason uh conditioned the human rights of privacy with also being knowledgeable enough, skilled enough to preserve that privacy and we've made it [ __ ] for everyone else. And this is not generally how we treat human rights. We want them to be universal, accessible to everyone and it's supposed to be something that is um that we design uh society to uh organize
around. So um instead we have this data hoarding uh surveillance states uh internet that is being uh very helpful to abusers and very difficult uh for victims to escape. It's essentially stalking. Once the data is out there it's very hard to remove. Uh we recommend building a new life uh not only so uh socially uh legally and geographically. We also recommend doing so digitally which is a lot easier said than done. Uh again these systems are surveil are def um designed for surveillance by default. Um we do not consider these vulnerable groups when we decide designed things like this. Uh or we did and said [ __ ] them. Um both are possible I suppose. Um because
of the situation I find myself in, I get to tell uh social services and politicians and cops about this situation which is very good. Uh we are slowly improving things but we all can help. So now I'm towards Yes, we should always report the abusers even if it's like even even this particular case is not going to lead to something it create it adds another piece of the puzzle to someone who is who might take care of this later. Uh it gives um uh it gives uh weight to any future police reports saying that this person has been reported in the in in the past. Uh they do it, abusers do it because they get away with it, because we let
them. Too many of us are silent. So uh please assist your local women's shelter with uh counter surveillance, uh digital forensics, uh or training in general. Like we all need to we all need to like go hands in all hands on this uh because it's escalating. Uh, it's getting worse fast. Uh, hope you're feeling okay still. Thanks. >> Cool. Thanks. >> I'm afraid we don't have time for Q&A. Uh, just so that the next come in and get set up. Will will you be around for the for the evening and that? >> Yes, I shall be around. I I'm I look like this. Uh, you cannot stop me from talking more about this. >> Uh, so please come up and ask.
>> We should all talk about this. So, thank you very much. >> Thank you.