“Jolie,” a middle school teacher in her 20s, had no idea how her ex knew where she would be after work. He confronted her at the supermarket, public library, and doctor’s office. It turned out that without her knowledge or permission, Jolie’s ex had gained real-time access to her phone.
This happened in 2014. But what if this was late June 2022, and Jolie, an Alabama resident, had searched for and obtained an abortion in violation of state law? Jolie’s ex would have had incriminating evidence to pass on to law enforcement.
All too frequently, people monitor our intimate lives in betrayal of our trust—and it’s often those we know and love. They don’t even need to be near us to capture our data and to record our activities. Surveillance accomplished by individual privacy invaders will be a gold mine for prosecutors targeting both medical workers and pregnant people seeking abortions.
Intimate partners and exes download cyberstalking apps to personal devices that give them real-time access to everything that we do and say with our phones. To do this, they only need our phones (and passwords) for a few minutes. Once installed, cyberstalking apps silently record and upload phones’ activities to their servers. They enable privacy invaders to see our photos, videos, texts, calls, voice mails, searches, social media activities, locations—nothing is out of reach. From anywhere, individuals can activate a phone’s mic to listen to conversations within 15 feet of the phone.
Now and in the future, that may include conversations that pregnant people have with their health care providers—nurses, doctors, and insurance company employees helping them determine their life’s course and the future of their pregnancies. Victims of such privacy violations are never free from unwanted monitoring. Abusers count on them to bring their cellphones everywhere, and they do, as anyone would.
For abusers, finding cyberstalking apps is as easy as searching “cellphone spy.” Results return hundreds of pages. In my Google search results, a related popular search is “spy on spouse cell phone.” More than 200 apps and services charge subscribers a monthly fee in exchange for providing secret access to people’s phones. When I first began studying stalkerware in 2013, businesses marketed themselves as the spy in a cheating spouse’s pocket. Their ads are more subtle now, though affiliated blogs and videos are less so, with titles like “Don’t Be a Sucker Track Your Girlfriend’s iPhone Now: Catch Her Today.”
Though we don’t have precise numbers of stalkerware victims, domestic violence hotlines in the United States help more than 70,000 people every day, and according to the National Network to End Domestic Violence as many as 70 percent of those callers raise concerns about stalkerware. A 2014 study found that 54 percent of domestic abusers tracked victims’ cellphones with stalkerware. Security firm Kaspersky detected more than 518,223 stalkerware infections during the first eight months of 2019, a 373 percent increase from that period in 2018. Millions of people, right now, are being watched, controlled, and manipulated by partners or exes. The United States has the dubious distinction of being one of the leading nations in the number of stalkerware users around the world. That destructive accomplishment has a disproportionate impact on women, LGBTQ individuals, and people from marginalized communities.
Abusers will use intimate data obtained from stalkerware to terrorize, manipulate, control, and—yes—incriminate victims. Now that a woman’s exercise of her reproductive liberty is soon to be, or already is, a crime in many states, abusers have even more power to extort and terrorize victims. They may threaten to disclose information about abortions unless women and girls give into their demands, including having unwanted sex or providing intimate images, both forms of sextortion. (Sextortion routinely involves threats to disclose intimate information like nude images unless victims send more images or perform sex acts in front of webcams.) If victims refuse to give into their demands (and even if they do), privacy invaders may post information about abortions online and report it to law enforcement. Two birds, one stone: the ability to humiliate, terrorize, and financially damage victims and to provide evidence to law enforcement. Exes can extinguish victims’ intimate privacy by enabling their imprisonment.
The law’s response to intimate privacy violations is inadequate, lacking a clear conception of what intimate privacy is, why its violation is wrongful, and how it inflicts serious harm upon individuals, groups, and society. Legal tools—criminal law, tort law, and consumer protection law—tackle some privacy problems, but few (if any) capture the full stakes for intimate privacy. In criminal law, privacy violations are mostly misdemeanors, which law enforcers routinely fail to pursue when reported. Criminal law is woefully underenforced when the illegality involves gendered harms, like privacy violations and sexual assault where victims are more often female and LGBTQ individuals. (Yet when the very same people are the alleged perpetrators, law enforcement eagerly investigates.) Because policymakers fail to recognize the autonomy, dignity, intimacy, and equality implications of intimate privacy violations, we have too few protections.
Our conceptual problems are paired with practical ones. Policymakers tend to view privacy violations in silos, so they pursue reforms in a piecemeal manner. One day, proposals focus on nonconsensual pornography; the next, deepfake sex videos, still another, the confidentiality of people’s COVID statuses; and so on. To the extent that the law is updated, the reforms are often overly narrow.
The conceptual and practical problems compound. When reforms make their way into law, they don’t fully capture the wrongs done and the harms suffered. As a result, they are ineffective and weak. Without the proper conceptual apparatus, lawmakers have an easier time walking away from reform efforts. Far too many times, federal and state lawmakers have told my CCRI colleague Mary Anne Franks and I that they tried, but, alas, could not get sufficient support. We are left with deficient and outdated laws. We need lawmakers to treat the constellation of intimate privacy violations—such as stalkerware, sextortion, doxing, and nonconsensual disclosure of intimate data—as a single problem.
We need a civil right to intimate privacy.
In an ideal world, the criminal law would help deter intimate privacy violations and educate the public about the wrongfulness of this behavior. It would make clear to perpetrators that intimate privacy violations like stalkerware and sextortion are so serious that they warrant criminal punishment and the potential deprivation of their liberty. The business of stalkerware is illegal, and law enforcement must step up. To date, the FTC has brought enforcement actions against two stalkerware companies; it shut one down, under the agency’s authority to combat unfair and deceptive business practices. But, no matter, Spying Inc. is alive and well in search results.
The criminal law also should include enhanced penalties for bias-motivated privacy violations. This would draw attention to the structural impact of the abuse and signal that the eradication of stigma, shame, and discrimination is a central legislative goal. I say this knowing full well that the burdens of the criminal law disproportionately fall on the shoulders of nonwhites—especially Black individuals—due to discriminatory attitudes and practices. The law should not protect intimate privacy at the overall expense of equality. At the same time, women, sexual and gender minorities, and nonwhites need the criminal law to deter and address crimes that they too often face. We need to ensure that comprehensive criminal law reforms do not disproportionately fall on the shoulders of Black individuals and people of color due to invidious attitudes.
We also need the judicial system to work for victims, letting them sue pseudonymously and helping them obtain counsel on a pro bono basis. Victims won’t sue privacy invaders if they must bring those suits under their real names. Legislatures should require courts to allow (or to accord a heavy presumption in favor of allowing) plaintiffs to sue under pseudonyms in civil cases involving intimate privacy violations. Defendants will know who’s suing them.
We have a tall task before us. Intimate privacy is even more in jeopardy now that women’s reproductive choices may render them in violation of state criminal law.