Weaknesses in the cyber security of internet-connected consumer devices can undermine the privacy and safety of individual users and can be used for large-scale cyber-attacks. This briefing looks at the cyber threats associated with consumer devices and their causes, as well as initiatives to improve device security, and the related challenges.
- Technology can be used in a variety of ways to monitor, stalk, harass and impersonate victims. For example, software installed on a victim’s mobile phone or smart home devices can be used to record their location and conversations.
- A survey by Women’s Aid found that 81% of domestic abuse service providers said they had experienced an increased demand for telephone support during COVID-19.
- A range of Government policies and legal frameworks deal with the different dimensions of tech abuse, including domestic abuse law, government online harms policy and cyber security policy for internet-connected devices.
- The Domestic Abuse Bill 2019-21 (HC Bill 96) was introduced into Parliament in March 2020. It includes a new definition of domestic abuse and establishes extra protections for witnesses and victims in court. The bill does not explicitly mention the role of technology in domestic abuse, but the Government has said that it is designed to be “future-proof” to combat emerging trends including tech abuse.
- Designing technology products in a way that minimises the opportunities for abuse may help address this issue.
- There has also been a focus on providing victims and support workers with education and technological knowledge about tech abuse, so that it can be more easily recognised and prevented.
- Some academics have highlighted that while resources on tech abuse are available, services currently lack the awareness and technical capacity to adequately respond to it.
- Technology can also offer a lifeline to victims, enabling them to access support services and information or record evidence of their abuse.
There is currently no statutory definition of domestic abuse, however it is defined by the Government and criminal justice agencies as: “any incident or pattern of incidents of controlling, coercive or threatening behaviour, violence or abuse between those aged 16 or over who are or have been intimate partners or family members regardless of gender or sexuality.” The Domestic Abuse Bill 2019-21 is currently going through Parliament. The bill will introduce a legal definition of domestic abuse and establish extra protections for victims and witnesses in court.
This rapid response focuses on the role that technology can play in domestic abuse. It gives an overview of the ways in which perpetrators may misuse technologies to harm victims. It discusses how technology-facilitated abuse can be prevented, including through government policies, technology design and education. It also looks at the role of technology in supporting victims.
What is tech abuse?
Internet-connected ‘smart’ technologies including laptops, tablets, smartphones, home assistants (such as Alexa), smart watches and internet-connected home security systems are becoming increasingly popular in everyday life. These devices, together with the networks and services they connect to, are often referred to as the Internet of Things (IoT). It is difficult to predict the growth of the IoT, however, one estimate predicts the number of IoT devices worldwide will reach 125 billion in 2030. While connected devices offer many potential benefits, such as greater convenience and improved home security, they also provide tools that can facilitate domestic abuse.
Perpetrators of domestic abuse may misuse technology in a variety of ways to monitor, harass, threaten, impersonate, intimidate and stalk victims. This is commonly referred to as ‘tech abuse’. The scale of tech abuse is not fully understood, however, domestic abuse charity Refuge reported that 72% of women who accessed its services in 2019 identified being subjected to tech abuse. Most victims experience tech abuse alongside other types of domestic abuse, such as physical violence and sexual abuse.
Does research show tech abuse is happening?
Research on tech abuse to date has mainly focused on common internet-connected devices such as smartphones and laptops, and has shown that they have been used routinely for online stalking, harassment and abuse (for more information on stalking and harassment see POSTnote 592). Preparators may exploit the location tracking features of certain apps (such as Apple’s ‘Find My’ function) in order to track their victims. They may also use dedicated spyware to monitor and track victims. Spyware (also known as ‘stalkerware’) refers to software or apps that are designed to covertly monitor and gather information about a device, allowing a perpetrator to look at a victim’s messages and photographs, access the device’s cameras, record screen activity and track its location, usually without the victim’s consent or knowledge. Cyber security company Kaspersky reported that the number of people who discovered a stalkerware installation attempt on their device increased by 35% in the first 8 months of 2019, compared with the same period in 2018.
Research shows that social media often plays a role by providing a platform for perpetrators to track, impersonate, harass and abuse victims online, sometimes under a concealed or false identity. Technology has also expanded the ways in which sexual abuse can be perpetrated, for example, it can facilitate the non-consensual creation and/or sharing of sexual images.
Some experts have expressed concern that as IoT devices continue to grow in popularity and become more widespread, they may provide perpetrators with a wider and more sophisticated range of tools to monitor, control and coerce victims. Researchers from University College London’s Gender and IoT research project have highlighted some of the ways in which IoT systems could pose a risk to victims of domestic abuse. Examples include:
- Smart home security systems, such as internet-connected video doorbells and home locking systems, could provide a way for a perpetrator to monitor a victim or control access to doors. A case of a victim being monitored with an internet-connected video doorbell during the pandemic was recently reported by the BBC.
- Wearable devices, such as internet-connected fitness trackers, could allow perpetrators to track a victim’s location and monitor their behaviour.
- Remote control of heating and/or lighting within the home using smart home devices may be used to coerce or intimidate victims.
The first UK conviction for stalking using a smart home device occurred in 2018, in a case where a perpetrator listened in to his ex-partner’s conversations through accessing an iPad mounted on the victim’s kitchen wall, which was being used to control internet-connected home appliances.
Experts have said that when technology is used to facilitate domestic abuse, it is likely to be the perpetrator who sets up and manages the devices used, meaning that the victim has little control over the device’s settings and what it is able to do, and may find it more difficult to escape their situation. In some cases, the device’s ability to monitor and collect data may be disguised, meaning the victim could be unaware they are being observed. Conversely, a perpetrator may tell a victim that a device has functionality that it actually does not have, in order to intimidate and frighten them. Studies have also shown that abusers may use technologies to create a feeling of constantly being present in a victim’s life, making them feel like they have no privacy or safety.
Some academics have highlighted that the way internet-connected smart technologies are designed may overlook their potential for harm, and that often it is assumed that users of internet-connected devices within a shared household trust each other and are happy to share information. Technologies may lack robust cyber security and privacy features, with stakeholders expressing concerns about the poor security of many devices (for more information on the cyber security of consumer devices see POSTnote 593).
Has tech abuse increased during COVID-19?
Concerns have been raised that the misuse of technology to perpetrate abuse and victims’ use of technology to seek support have become more prevalent during the COVID-19 pandemic. Lockdown and social distancing measures have meant that technology is increasingly relied upon to access services, contact loved ones and work from home. There has been a widely reported increase in people accessing domestic abuse support services in the UK during the pandemic. In an August 2020 survey by Women’s Aid, 81% of domestic abuse service providers surveyed said they had experienced an increase in demand for telephone support, and 91% said they had experienced an increase in demand for online support.
Evidence of the impact of the pandemic on tech abuse specifically is limited, however cyber security company Avast reported that globally there has been a 51% increase in the use of spyware in the period March–June 2020, compared with January–February 2020. The Revenge Porn Helpline (a helpline for victims of image-based sexual abuse) reported a 98% increase in cases in April 2020, compared with April 2019.
How can tech abuse be prevented?
Researchers and charities have suggested that tech abuse can be combated in a number of ways, including targeted government policies, designing tech products in a way that mitigates against opportunities for abuse and providing victims and support workers with the knowledge and skills to recognise and prevent tech abuse.
Aspects of tech abuse are addressed in several different UK Government policies and legal frameworks, including domestic abuse law, online harms policy and policy on the security of IoT devices.
Domestic abuse law
There is no single criminal offence of ‘domestic abuse’ in England and Wales. Instead, it can be prosecuted under a range of different offences depending on the context and circumstances. This may include (among other laws) stalking and harassment law, and coercive or controlling behaviour in breach of the Serious Crime Act 2015. For a detailed overview of current laws relevant to domestic abuse in England and Wales and a summary of domestic abuse policy more broadly see Commons Briefing Paper CBP 8787, Domestic Abuse Bill 2019-21. In Scotland, domestic abuse is a specific criminal offence under the Domestic Abuse (Scotland) Act 2018. In Northern Ireland, the Northern Ireland Assembly is currently considering the Domestic Abuse and Family Proceedings Bill.
In March 2020, the Domestic Abuse Bill 2019-21 (HC Bill 96) was introduced in the House of Commons. It includes a new definition of domestic abuse, including that domestic abuse is not limited to physical or sexual abuse but may also include emotional, coercive or controlling behaviour, and economic abuse (including through the use of technology). It establishes extra protections for victims and witnesses in court and specifies that consent to offences involving violent or abusive behaviour is not a defence. It also makes provisions for the establishment of a Domestic Abuse Commissioner. More detail on the Domestic Abuse Bill 2019-21 and its progress in Parliament can be found in:
- Commons Briefing Paper CBP 8787, Domestic Abuse Bill 2019-21,
- Commons Briefing Paper CBP 8959, Domestic Abuse Bill 2019-21: Progress of the Bill
- and Lords Library Research Briefing Domestic Abuse Bill: Briefing for Lords Stages.
The bill does not explicitly mention technology; however, it encompasses abusive behaviour conducted using technology. The Government has said that the bill was designed to be “future-proof” to combat emerging trends including tech abuse. However, some academics have called for it to include explicit recognition of the role that technology can play in facilitating and exacerbating domestic abuse, stating that it should acknowledge emerging technologies.
Online harms policy
In 2019, the UK Government published its Online Harms White Paper, which outlined proposals to establish a duty of care for internet companies, including social media platforms, that will make clear their responsibilities to keep users safe. This would be enforced by an independent regulator whose powers will include levying fines and may include holding senior management individually liable. Consultation on the white paper closed on 1 July 2019. The Government has said it will publish its full response to the consultation before the end of 2020, and expects online harms legislation to be ready in early 2021.
The white paper recognises that the internet can be used stalk, harass and intimidate people, and listed online stalking and harassment as a clear form of online harm. The Government expects that the independent online harms regulator will produce a code of practice outlining measures that internet companies will take to tackle online harassment. It expects the code of practice to cover many areas including (among others):
- Steps companies will take to ensure their services are safe, including outlining measures to ensure internet platform users have easy to use tools to control the privacy and visibility of their accounts and are able to control who contacts them.
- Tools to help users experiencing harassment, such as the ability to mute, block or stay hidden from other users.
- Measures to prevent banned users creating new accounts to continue harassing their victim.
- Steps to ensure that users who have experienced harassment are directed to, and can access, adequate support.
Security of IoT policy
The UK Government has highlighted the cyber security risks of using internet-connected smart devices, and has carried out work to encourage manufacturers to make and keep their products secure. In its National Cyber Security Strategy 2016–2021, it stated its objective for most new online products and services to be cyber secure by default by 2021.
In 2018, the Department for Digital, Culture, Media and Sport (DCMS) consulted with industry and academia to produce a voluntary Code of Practice for Consumer IoT Security, which outlined good practices for the development, manufacturing and retail of connected consumer devices. The Government plans to legally enforce parts of this code and recently held a consultation on regulating consumer smart product cyber security, which closed in September 2020.
The draft proposals state that any IoT devices supplied to UK consumers must comply with three overarching legal security requirements, including:
- A ban on universal default passwords in consumer smart products.
- A requirement for device producers to establish a vulnerability disclosure policy (meaning there must be clear route for users to report security vulnerabilities when they are discovered, and a process for remediation)
- A requirement for device producers to explicitly state how long a product will receive software security updates for.
Some experts have called for greater consideration of the potential for domestic abuse when designing technologies, including the privacy and security needs of domestic abuse survivors. For example, some have called for better prompts and notifications for users to make it clear when their location data are being shared.
Various industry-led initiatives have been established to consider this issue. For example, in July 2020, IBM published a set of five design principles for technology developers, which aim to make technology products resistant to coercive control. These principles include:
- Promoting diversity. Ensuring a diverse design team to broaden the understanding of user habits.
- Guaranteeing privacy and choice. Allowing users to make informed choices about their privacy settings.
- Combating gaslighting. Making it clear when settings have been changed and when functionality of devices is triggered.
- Strengthening security and data. Ensuring that products only collect and share necessary data, limiting the risk that data are used maliciously.
- Making technology more intuitive. Giving users greater confidence to use technology by making it simpler to understand; limiting the risk of abusers exploiting a victim’s lack of technical ability.
Other initiatives include app-based bank Monzo’s ‘share with us’ feature, which allows customers to discreetly alert the bank if they are in a difficult situation or have concerns about certain transactions. Monzo also has the option for customers to set up a code word in case they are concerned that their activity is being monitored.
Education and resources
Increasingly, organisations have started to produce guidance on the safe use of technologies and how individuals can implement better privacy protections. Some organisations have also produced specific guidance on tech abuse for victims and professionals working with victims. Domestic abuse charity Refuge hosts a variety of resources on tech abuse and tech safety for victims and professionals. Examples include guidance on how to document tech abuse, information about spyware and surveillance, and guidance on privacy and security features of social media platforms like Twitter and Facebook. Other guidance and resources available include the digital and online safety resources provided by domestic abuse charity Safelives, and resources provided by the National Resource Center on Domestic Violence and hosted on VAWnet. Researchers at University College London have compiled a list of available resources for victims of technology-facilitated abuse and support workers. It includes organisations that produce guidelines and advice, and highlights common methods of tech abuse.
Despite the growing availability of resources to help educate victims and practitioners on tech abuse, some experts have highlighted that support services currently lack the awareness and technical capacity to adequately respond to tech abuse, and that is it not often explicitly considered in risk assessments and safety plans for victims and survivors.
What role can technology play in supporting victims?
Tech can also offer a lifeline to victims, enabling them to access support services and information. It can also provide a way for victims to record evidence of their abuse. Research suggests that technology is increasingly providing a source of information and support to victims of abuse and being used to provide access to support services. In a 2017 study involving over 200 domestic abuse survivors, commissioned by Comic Relief, over 1 in 5 survivors said that technology had helped them recognise that they were in an abusive relationship. However, the study also highlighted that there was scope for practitioners to make better use of online tools to help support victims.
Some of the ways in which technology may help victims include:
- Finding information. Victims may use internet searches to access information about domestic abuse, such as information and advice about abusive relationships, legal and financial information, and advice on safeguarding children and support services. Information about abuse and support services is also available on apps such as the Tech Safety and Bright Sky apps.
- Accessing support services. Victims may use the internet to connect with domestic abuse support services, including those offered by charities and local authorities. Refuge and Women’s Aid are among several charities offering an online live-chat service for victims.
- Connecting with other victims. Social media support groups and forums allow victims to connect with each other and find emotional support. A survey of over 200 victims in the Comic Relief study found that 43.5% had used technology to connect with other survivors and share experiences. The survey found that Facebook was a particularly popular platform for support groups.
- Gathering evidence. Technology may also help victims gather evidence of domestic abuse. The Comic Relief survey found that almost 1 in 5 women had used technology to record evidence about their abuse, for example using a phone as a recording device or forwarding incriminating emails. Specific apps are available to help victims record evidence, for example the Keep App, which provides a secure diary function for victims to document their abuse.
- Protecting and alerting victims. A range of technology solutions exist that aim to help protect victims, including specially designed devices and apps. Some private companies (mostly US-based) have developed ‘wearable’ panic alarms that are easy to hide or disguise. For example, Vodafone Foundation has developed a specially customised mobile phone device (known as TecSOS) that can give victims direct access to the emergency services. When the device is activated, the police are alerted and provided with the victim’s location. Apps and software also exist that can prevent a victim being monitored with stalkerware. For example, Incognito and Certo are apps that can detect and remove stalkerware from a person’s device.
Research shows that the way technology can support victims varies depending on what stage of an abusive relationship they are in. For example, if a victim is in the early stages of an abusive relationship, they may use online information to help them determine whether their relationship is abusive, while a victim in the process of leaving such a relationship may use technology to gather evidence about their abuse.
The 2017 Comic Relief survey asked how technology can be improved to help survivors of domestic abuse. Of the 92 survivors that responded, the most common answers were: being able to ask lawyers questions online without making appointments (14% of respondents), offering a way to safely record abuse (13%), making it difficult for an ex-partner to stalk me (11%), and providing online counselling (9%).
While technology offers access to information and support, a victim’s circumstances and the complex dynamics of their abuse may limit how easily they can use it. For example, in the Comic Relief study, victims and practitioners highlighted that often victims only have a short time window to access information or contact support services, but in many cases, online information was difficult to find, duplicated or didn’t answer their key questions. It also found that certain information was lacking such as financial and legal information. Some survey respondents also emphasised that while technology played an important role in helping victims to find information and support, it did not replace face-to-face interactions with services or other survivors.
Stalking and harassment both involve any repeated behaviour that would cause alarm, distress or fear of violence in a victim. Common stalking or harassment behaviours include unwanted contact online or in person, following a victim, and interfering with property. Stalking is characterised by a perpetrator’s fixation or obsession and can have long-term psychological and social effects on a victim. Stalking also has the potential to escalate to other crimes, such as sexual assault or murder. This POSTnote describes stalking and harassment before presenting evidence on the effectiveness of approaches to identifying, preventing and prosecuting these crimes.
Online technologies are an integral part of many children’s lives. In 2017, the Children’s Commissioner for England identified shortcomings in online safety education and a number of stakeholders have called for action to increase ‘digital literacy’ in the UK. Upcoming changes to the curriculum mean that aspects of online safety will be taught in all schools from 2020. This POSTnote gives an overview of how children use the internet and the opportunities and risks it presents. It provides an overview of current online safety teaching in schools and elsewhere and how this will be affected by changes in the curriculum. It also looks at the role of content filtering and age verification technologies to improve online safety.