They generally masquerade as parental monitoring apps, software that allows moms and dads to locate young children or monitor teenage drivers.
But the cover stories barely belie the apps’ more sinister purpose: allowing jealous partners (or ex-partners) to hijack their spouse’s smartphone geo-location data and surreptitiously track their movements.
These widely-available apps, marketed with sketchy names like “BoyfriendTracker” or “FlexiSpy,” usually operate in stealth mode, meaning there is no icon and no way for victims to know they’ve been installed. The apps may even tout their ability to detect cheating.
Stalking is a federal crime. But while the Electronic Communications Privacy Act (ECPA) bans the creation and sale of software that intercepts calls, texts and emails, apps that facilitate surreptitious geo-tracking are perfectly legal – for now.
Sen. Al Franken, D-Minn., is on a mission to change that.
His Location and Privacy Act of 2014 would ban these so-called “stalking apps” and criminalize the app developers.
At a Senate Judiciary Committee hearing Wednesday, Franken recalled a domestic abuse victim who fled 700 miles across three states for refuge, only to be pursued by her abuser, who was using her phone’s geo-location data to track her whereabouts.
The man watched as she traveled from a shelter to her friend’s home, where he assaulted her.
Witnesses at the hearing cited more extreme examples.
Cindy Southworth, Vice President of the National Network to End Domestic Violence, pointed to a Seattle father who used geotracking software to follow his estranged wife to a local store. When he spotted her talking to a man there, the father shot and killed their five children, then turned the gun on himself.
“In some tragic cases, GPS devices and apps may have actually aided the offender in locating the victim to commit murder,” Southworth said in written testimony submitted to the committee. “No one should profit from encouraging or enabling criminal acts, and stalking app and device developers are creating and selling crime-facilitating products with abandon.”
Some of the offensive apps even seem to condone violence: One popular app advertised its services next to a photo of a man roughly grabbing a woman with “visible abrasions” on her face.
Southworth said she believes Franken’s bill would “narrowly impact a handful of bad actors that design or operate products created and sold to facilitate terrifying crimes.”
But not everyone believes legislation is the answer.
Dr. Robert Atkinson, President of the Information Technology and Innovation Foundation, testified that “at a technical level, there is little difference between a stalking app and a legitimate app” that helps users locate lost or stolen devices or allows people in dangerous situations to transmit their location to friends.
“Congress could and should ban the marketing and sale in the United States of apps advertised and marketed as stalking apps, but that would not prevent would-be stalkers from using a legitimate tracking app for ‘off-label’ purposes,” Atkinson pointed out.
“Tracking itself is not a problem; rather the problem is its use by stalkers,” he said, noting a provision that would require geotracking apps to send reminder alerts might not be technologically feasible, as they would require apps to override user notification preferences.
Instead of trying to ban problematic apps legislatively, the Department of Justice should work with victims’ assistance organizations to show them how to disable location services and foil stalking apps, Atkinson says.
But according to Detective Brian Hill, who also testified at the hearing, most police departments and victims’ aid organizations do not have the sophisticated technological resources to identify, much less deinstall, surreptitious stalking apps.
Instead, he said, stalking victims are forced to discard their phones, which “isolates victims … from the social connections their phones provide,” including victims’ advocates.
But stalking victims aren’t the only people who would benefit from Franken’s bill.
It would also require companies that aggregate GPS tracking data — including the popular dating app Tinder, which Franken called out specifically - to obtain a user’s permission before they share that information.
“The companies that make the software on your phone, including apps, can access extremely sensitive location data that reveals … the church you attend and the doctors you visit,” Franken said in a written statment. “I believe Americans have the right to control … that information. But right now, companies — some legitimate, some not — are collecting your location and giving it to whatever you choose.”
The bill also require companies that collect GPS tracking data from more than 1,000 devices to outline the kinds of location data they collect, what happens to that data, and a way for users to halt data collection.
But as with stalking apps, some experts say legislation is not the answer.
At Wednesday’s hearing, Atkinson argued that regulation could stymie innovation and advocated for self-regulation.
“Innovation is better served by self-regulation,” Executive Director of the Digital Advertising Association, Lou Mastria, agreed at the hearing. “”We see that self-regulation has been both effective and up to the task to give consumers transparency and control.”
Sally Greenberg, Executive Director of the National Consumers League, disagreed, calling best practices “voluntarily and inconsistently applied” and claiming attempts at industry self-regulation “feels like a PR gesture.”
“There’s monumental evidence that self-regulation is not working,” Greenberg said. “The notion that there’s no real harm… really strikes at the heart of our notions of consumer protection and the idea that privacy is a bedrock American principle.”
Franken’s bill, which specifically exempts parents tracking their children or emergency responders reacting to unfolding crises, is the second iteration of a bill that the senator first introduced in 2012.
Unlike the 2012 version, the current bill does not require companies to disclose specific purchasers of geographic information, but does mandate that they specify “categories” of companies buying that data. It also places a $1 million limit on damages for negligent violations.