Internet spying as part of domestic abuse. How can one protect oneself?
November 17, 2014 9:45 PM   Subscribe

The question pertains to the linksys smart wifi router but it could be applicable for anything comparable. My sister is in an abusive marriage and is working on figuring things out at this point. She has noticed that her husband is increasingly making it difficult for her to get online (starting with blocking websites). I know blocking websites can be done on any new router that has a companion app but is it possible to actually snoop on a computer within the home network? If so, how much data can be gathered (web history, key logs, passwords etc) ? Secondly, how can she protect herself from being spied on? Is it possible to encrypt all data leaving a computer/ipad before it hits the router? She is not particularly computer savvy. I am a bit more advanced user than her but networking technologies aren't in my skill sets.

Ethically and legally, anything learnt from spying is probably not admissible but this seems like such a violation that I find it hard to believe a technology like in-home spying doesn't have some counter measures for protection. Please help me find them.
posted by anonymous to Computers & Internet (20 answers total) 10 users marked this as a favorite
 
She needs to not use the Internet at home for anything related to abuse, domestic violence, divorce, new apartments, any male's Facebook pages... anything at all related to her situation or trying to leave. She should not look at this thread or send emails about her abuse or anything like that either. I know that's an intensely problematic solution but seriously: she needs to not use the Internet at home for that stuff. He could find out that she is actually considering leaving him by monitoring her traffic or even her keystrokes. This probably won't happen but it's technically possible to do and if he's already messing with the Internet and her access it's something to be very mindful of.

It is a very dangerous time when an abused spouse tries to leave and being caught planning things is not safe. Please strongly advise her to not look up anything about domestic violence or abuse on her home computer. Other things she does online could and will probably become points of contention and catalysts of abusive episodes for her, but this one is particularly dangerous.

There is no technical solution I would trust enough for this. This is a social problem, not to be solved by technical means, as they say.

Best of luck to you and her.
posted by sockermom at 9:58 PM on November 17, 2014 [31 favorites]


is it possible to actually snoop on a computer within the home network? - Yes, if he has control of the router, he can easily snoop on everything going through it.
If so, how much data can be gathered (web history, key logs, passwords etc) It's safest to assume the answer is "Everything". In theory things like HTTPS should make it tougher, but if he has router control, he could strip HTTPS. I'd also be cautious about the actual device she's using.

Secondly, how can she protect herself from being spied on? Is it possible to encrypt all data leaving a computer/ipad before it hits the router? You're looking for something called a VPN (Virtual Private Network). They encrypt data between the device and the endpoint, bypassing the router. I generally like PrivateInternetAccess, but it doesn't look like they have a user-friendly setup for Apple devices, so if you need it to run on an iPad, you'd want to look for another provider.

I will note that if you want to go this route, you'll want to be careful about searching about VPNs and downloading the software for them on an internet connection not going through the compromised router. Ideally, she'll have a laptop and you could put the installation and instructions on a flash drive (or go to a coffee shop or something).

All this being said, though, depending on how computer-savvy the husband is, he could detect this.

Best of luck to you and her. I'll defer to others as to whether this is the best approach, but if she does need secure Internet, a VPN is the best approach in my opinion.
posted by CrystalDave at 10:01 PM on November 17, 2014 [2 favorites]


ps - Even if the abuse is "only" emotional (hah), or she's saying things like "he hasn't hit me yet," my advice above pertains. Monitoring and blocking sites she wants to visit is an escalation of abuse and if I learned anything from my abusive relationship it's that escalations often beget escalations and it always gets worse.
posted by sockermom at 10:07 PM on November 17, 2014 [10 favorites]


usb flash drive with a linux live disk on it(easy to set up with unetbootin and ubuntu, even for a newbie) to prevent keylogging software and such, only use a laptop to prevent hardware keyloggers(i mean, yea, you can do that on a laptop but that's pretty advanced modification), VPN service.

some vpns are really, really cheap.

Is it possible to encrypt all data leaving a computer/ipad before it hits the router?

yep, that's what a VPN does.

at that point the level of sophistication to spy on what she's doing would need to be VERY high. like, i'm an experienced network person and general purpose IT guy and it would take me probably the better part of a day to figure out a way around that, and most of them would involve modifying the USB key.

make sure she continues to use the normal install of windows/osx/etc for everything BUT looking at that kind of stuff or communicating with certain people.

i wouldn't use an ipad for this, it's too easy to forget to enable the vpn or forget to enable private browsing, etc. and a wiped history is as bad as an incriminating one, imo since it's "hiding things". You want a completely normal history and log of traffic that just doesn't include this stuff.

note that i wouldn't create the USB key on any system he has ever seen or used before. not just because of the potential for logs or traces of deleted files, but also because that's a failure point where something could be manipulated.

note that i partially agree with sockermom, but you asked for a technical solution, and there you go. If he's seriously heavily spying, i'd do all this AND take the machine to a coffee shop or somesuch and use their wifi. public wifi in and of itself is not safe. he could be on the same network from his car snooping her traffic(and VERY few public networks are set up to disallow communication between clients, ugh ugh ugh), or have various remote access or monitoring software on the machine. you want a hard to modify machine, running a read-only install of an OS(i forgot to suggest this above, but an SD card with the read only tab glued in the read only position after you create it is a good cheap and low tech idea here. or use a DVD-R) that does not reside on the machines drive, with a VPN. Not even using the same network or physical location is optional, but i understand the argument for it. I just wanted to clarify that just changing physical location is not a solution if you're using the same machine, OR you're on a network he could possibly access.

This kind of stuff is fairly easy to discourage(i'm not going to say prevent, just make increasingly difficult) to a fairly high level if you do what i describe.
posted by emptythought at 10:23 PM on November 17, 2014 [8 favorites]


Also be careful of things like google history. If he has her password for her google account, and she signs in to search, even if its at a library/webcafe/friends place, it will be stored there and can be retrieved easily.

If he has control of the router AND is somewhat network savvy, if she uses a VPN on the home network it will give away tell tale signs (sudden jump in traffic over port 443 to a single source).
posted by Admira at 11:54 PM on November 17, 2014 [9 favorites]


He may have installed keylogger software or similar spyware on her laptop or smartphone.

Once she is out the door, she should take her computers and smartphone to an old-fashioned computer shop and pay a technician to sanitize them and write up his or her findings. Her lawyer can recommend a computer forensics technician although this may be overkill.

She should change all her passwords once she is out the door, and work as though he is currently reading her email (and sent emails), browser history, phone texts, etc. This includes keylogged stuff on a laptop used away from home, but also emails or facebook activity from an account he has the password for. And he has had the opportunity to get those passwords.

This also includes all activity on her smartphone, via installed spyware or just looking through its apps' histories when she is home. Note that smartphone spyware can report location and also eavesdrop on conversations. Here are instructions on making an iphone or android safe.

I think emptythought is right that using a usb flash drive with a linux live disk on it at a coffeeshop is safe, as long as it's not stuff like sending emails or facebook activity from an account he has the password for.

A library computer or family member's computer is even more safe, as it's not stuff like sending emails or facebook activity from an account he has the password for.

I don't think using a VPN at home to get around a locked down router is safe; it is too easy for him to shoulder-surf her passwords, skim her histories, spot her nervously alt-tabbing, or see something odd in the router logs. She's also more likely to act twitchy on her laptop and have him subconciously pick up on it.

All of the above is guesswork on my part rather than experience; these pages at womensaid.org.uk on
covering your tracks online
and
digital stalking
are probably the sort of resources she is looking for.
posted by sebastienbailard at 12:11 AM on November 18, 2014 [4 favorites]


Her local domestic violence shelter or agency will have advice for her, and possibly resources. Until then, library. And an innocuous birdwatching hobby.
posted by Eyebrows McGee at 1:16 AM on November 18, 2014 [4 favorites]


The womens aid UK site has stuff about covering your tracks. If the a.hole is doing that he is likely rooting prolifically through ANY EMAIL ACCOUNTS she has ever used if there is any trace of them. She should keep them on to throw him off the scent but discuss anything sensitive in a new one not used at home.
posted by tanktop at 1:44 AM on November 18, 2014


Yeah, stuff like gmail tracks EVERYTHING you do if you do not specifically log out of your account. Simply closing the tab does not "turn off" the account.

I've been in the habit of locking down stuff like this for years, and I still forget sometimes.

I agree she should ONLY use public machines for sensitive communication, DEFINITELY create a new email with a service she has never used before and never ever ever EVER access it from home. And ALWAYS manually log in and out of new email account, and only from a public machine.

She should assume everything she does at home and on devices he has access to is monitored.

Similarly, if she goes to the library or Internet cafe, she should leave her phone at home. He can track her movements (and possibly listen to conversation) on her phone. He can guess a lot by tracing her movements on a map and knowing what places she visits.

Similarly, she might buy and hide a cheap pay-as-you-go phone for sensitive calls and such, but she'll have to turn it off, turn off the ringer and vibrate, and if possible, pull the battery out. That's assuming she has a safe place to hide this phone.
------

I don't think there is a good technical solution (because being suddenly unable to spy on her will escalate everything) and her BEST bet is to professionally wipe any devices she is taking with her immediately upon leaving the guy for good. YES get documentation on any spyware for divorce court.
------

Everything I just wrote about her smartphone goes double if she has a newer car with OnStar or similar gps/communication software.

Sorry for this info. I wish your sister the best. I hope she stays safe.
posted by jbenben at 3:03 AM on November 18, 2014 [1 favorite]


> she should just go to the library and use a computer there. There are ways to thwart most snooping, but many of them are highly technical and hard to get right. And the consequences of getting them wrong might be considerable in this case.

Not only that but if the abuser has control of the network and is knowledgeable enough he will see the encrypted traffic and while he might not be able to see the content, he'll know that "she's up to something and doesn't want me to know," which might make things worse.
posted by Gev at 5:49 AM on November 18, 2014 [1 favorite]


Are you able to buy your sister a "burner" smartphone with an unlimited data plan to access the internet or email? Turn off wi-fi and do a factory reset every time it may have been compromised (to remove any key loggers) or preferably, each and every time, period. That would be my first move, a secret second phone.

1 Blackphone is $600 but as secure as you get, including remote wipe. But, any smartphone that can be restored to factory settings (hard restore) will do.
posted by rada at 6:14 AM on November 18, 2014 [6 favorites]


I find it hard to believe a technology like in-home spying doesn't have some counter measures for protection.

Email as we know it is over 20 years old and yet we still have spam. Internet as we know it is over 20 years old and yet web companies that have entire departments dedicated to computer security (on top of what is already provided by the data center) still get data breaches. Which is to say, you and your "not particularly computer savvy" sister are no match in this game (speaking as an experienced internet software engineer).

Get a burner phone, or use the computer outside the home. Best of luck.
posted by rada at 6:33 AM on November 18, 2014 [2 favorites]


Your sister can't use any device on the wifi. None.

If he's that suspicious he may have GPS enabled in her phone and he may have put one on her car, so if she goes to the library a lot, he'll figure that out as well.

Your sister can't be too paranoid about this. Controlling abusers should not be underestimated.

If she works outside the home, she should stop accessing her emails at work, and/or get a new one that he doesn't know anything about. A burner phone is an excellent idea, unless he finds it, then it may spark a serious abusive episode.
posted by Ruthless Bunny at 6:46 AM on November 18, 2014 [1 favorite]


Agreed that a "burner" smartphone with an unlimited data plan with WiFi turned off is a wise way to access Internet when at home ...if there is a safe way to use it, charge it and hide it while home. If all of her belongings are searched, it might be too dangerous to have one at the home.

For the most-secure email account possible, she could sign up for a free email account from ProtonMail.
posted by apennington at 8:18 AM on November 18, 2014 [2 favorites]


Note that most of these webmail services may be blocked at her workplace if it's large enough to have its own firewall, but will be accessible at a library or shelter. For many homeless, those are their only email access points.
posted by Mogur at 9:22 AM on November 18, 2014


Ethically and legally, anything learnt from spying is probably not admissible but this seems like such a violation that I find it hard to believe a technology like in-home spying doesn't have some counter measures for protection. Please help me find them.


In the hodgepodge of communications-intercept law, Rasch notes, the federal ECPA law is not the only law that has to be considered. Every state has its own laws, with 12 considered to be so-called "all-party consent" states where it's necessary to obtain consent from all parties to monitor communications.

It is illegal in some states but not in others. Even in states where it is not explicitly illegal I'd guess it would be negatively considered in divorce court, restraining orders, etc., so it would help to have a computer technician document its existence.
posted by sebastienbailard at 9:57 AM on November 18, 2014


She needs a new smartphone he has never touched, that is never on the home wifi, and a set of new email/fb/whatever accounts WITH A DIFFERENT PASSWORD.

Or, use devices and networks outside the home, again with a new set of accounts with different passwords.

Also assume that everything done online or on a device in the home may have been read by the husband, including all email sent and received up to now.
posted by i_am_joe's_spleen at 11:29 AM on November 18, 2014


Adding to the chorus: your friend should not be using the home network for anything she wouldn't happily look at with him sitting next to her, because that's effectively what it's going to be.
posted by toomuchpete at 1:10 PM on November 18, 2014


If you're living with a sociopath with technical skill, assume that every thing you do on the computer at home is vulnerable, from banking to facebook to gmail.

In other words, if she doesn't want her husband to know, she shouldn't do it at home.

Use the public library exclusively or something like that to access the internet.

If she's going to use a phone, get a prepaid phone, using cash, and never bring it home. Leave it at a family members house or at a friends house.

Ethically and legally, anything learnt from spying is probably not admissible

It may not be admissible in court, but abusive people will use information they glean to abuse their victims, and possibly friends of their victim, anyway they can.
posted by empath at 2:05 PM on November 18, 2014 [2 favorites]


> She needs a new smartphone he has never touched, that is never on the home wifi, and a set of new email/fb/whatever accounts WITH A DIFFERENT PASSWORD

And with different security questions. He probably knows the name of her first pet, etc.
posted by The corpse in the library at 7:50 PM on November 18, 2014 [1 favorite]


« Older Left Wallet in Cab in Chicago. Need Help...   |   How do I handle a potentially awkward job... Newer »
This thread is closed to new comments.