By: Katie Fuhs
The issue: Penetrative cyberstalking is a modern subtype of traditional stalking that uses digital tools and methods to gain access to victims’ devices and private information.
Definitions of stalking and, in particular, cyberstalking vary widely, with legislators, law enforcement personnel, and the public holding different views. Even academia is unable to provide a somewhat consistent definition, as multiple literature reviews on the subject reveal (Wilson et al. 2022; Kaur et al. 2021). Legally, most definitions of stalking include the following: i) a pattern of conduct that is ii) directed at a single person and iii) intended to cause anticipatory fear and/or actual harm (Gatewood Owens 2016, p. 2197). With cyberstalking, an additional component is included: iv) via the use of digital and/or electronic access and/or communication (Smoker and March 2017, p. 391).
This paper will focus specifically on the type of cyberstalking that encompasses criminal acts of stalking that overcome cybersecurity efforts rather than any and all criminal acts of stalking that occur via digital or electronic means or spaces. This subtype, which will be referred to as “penetrative cyberstalking,” is defined by the stalker’s penetration of the victim’s cybersecurity measures in order to gain unauthorized access to otherwise private information. Penetrative cyberstalkers may utilize phishing emails, keyloggers, spyware, stalkerware, social engineering, and a variety of other tools and methods to gain and then exploit access to their victim’s private information.
The strategic impetus: Since penetrative cyberstalking is often dismissed as a low-level interpersonal cybercrime, the cybersecurity field and law enforcement agencies have been blind to its emergence, pervasiveness, and negative impacts and are unwilling or unable to address the issue.
Cybersecurity to date largely focuses on attacks at the organizational level (i.e., governments, corporations, etc.) rather than on the individual level, as experts and practitioners prioritize vital infrastructure, mass personal data, and operational continuity over the online safety and security of individuals. Just like domestic violence and other interpersonal crimes, interpersonal cybercrime such as cyberstalking is overlooked and often not taken seriously (O’Shea et al. 2022, p. 9). However, the consequences of cyberstalking are significant, with victims facing negative psychological, physical, social, and/or financial effects. For example, victims of cyberstalking often suffer from suicide ideation, depression, hypervigilance, anxiety, and PTSD as a result of living in a constant state of fear (Short et al. 2014, p. 133; Begotti et al. 2022, p. 2). And in response to their situation, many victims feel they must upend their lives – changing service providers, quitting jobs, moving to new living arrangements, and abandoning social activities – to try to shake off their cyberstalker (Begotti, p. 3; Kaur, p. 10). Victims’ responses can be expensive, too, as they consult lawyers, see therapists, invest in security measures, and more (Begotti, p. 3).
Furthermore, the increased ease of penetrative cyberstalking creates urgency for law enforcement agencies and public officials to take notice, especially as the number of victims increases and the lack of justice for them continues. The relative accessibility of penetrative cyberstalking stems from the expanding gap in know-how between cyberstalkers and their targets as well as the lowering of barriers to entry for the use of more invasive and advanced tools and methodologies. “[A]nyone can quickly become the offender” given the pervasiveness and ease of using cyberstalking tools (Chang 2020, p. 1193). For example, stalkerware in the form of free and public apps allows individuals to monitor other people’s location, messages, and search history (Jarusevičiūtė).
Technology has also enabled a new type of stalking that was not possible before – stalking by complete strangers who have never met nor seen their victims (Navarro 2020, p. 117). The digital nature of penetrative cyberstalking and the private information it gains access to increases a perpetrator’s ability to “manipulate, coerce, control, and harass the victim without the constraints of geographical proximity” (Smoker and March, p. 391). Once they have access, cyberstalkers can then leverage the information they find to blackmail, extort, or further gain access to the victim(s). In some cases, cyberstalkers forcibly release private information about their victim(s), a practice commonly known as doxing (Sheridan and Grant 2007, p. 627-8).
With this new reality, cyberstalking has become more common than physical harassment in some countries (McVeigh). However, when victims go to the police, they are often met with officers who do not recognize the “real-life threat” cyberstalkers pose and/or do not have the technology and training to properly investigate the crime (Taylor-Dunn and Erol 2022, p. 3). Thus, their cases go nowhere, allowing cyberstalkers to continue their cyberstalking campaigns and denying victims the justice they deserve.
The potential solutions: To address the problem of penetrative cyberstalking, this paper suggests a two-pronged approach: first, better prevention through individual preparation efforts and, second, more efficient investigation through behavioral evidence analysis (BEA).
A dual approach in addressing penetrative cyberstalking is necessary to both prevent the crime from happening in the first place and find justice when the crime happens anyway. The preventative solution proposed in the following section focuses on individual-level preventative measures. While societal measures, such as changing misogynistic norms and expanding access to mental health care, are arguably more effective in preventing crime, that type of large-scale educational, economic, or health policy is beyond the scope of most non-governmental entities. Additionally, it will take time – too much time to help victims today and in the near future – for law enforcement to catch up and develop the labor competencies and technological tools required to investigate cybercrimes in general, let alone penetrative cyberstalking in particular. Educating the public on ways to protect themselves from penetrative cyberstalking is important for ensuring their safety and security while law enforcement hopefully catches up. Therefore, the preventative solution suggested in this paper focuses on helping individuals to adopt defensive measures that raise the difficulty of penetration in the hopes of discouraging cyberstalkers. These measures could be as simple as covering computer webcams, creating stronger, unique passwords, and avoiding public Wi-Fi connections; or as advanced as encrypting sensitive information, scanning devices for stalkerware or spyware, and utilizing a VPN.
A critical limitation of individual-level preparation and defensive actions is that perpetrators will often merely move to another victim, someone who presents as a less difficult target. Therefore, a solution that readies law enforcement officers and agencies to respond more effectively to the penetrative cyberstalking cases brought to them is also important. Officers need training and tools that allow them to navigate “technology-driven changes to criminal behavior” (O’Shea, p. 12). That said, the current state of police training is sorely lacking on the subject of cyberstalking, with both the recognition and investigation of such crimes being significant challenges (Chang, p. 1188). As such, this paper provides an investigative tool that uses BEA, a deductive strategy that uses the evidence of the individual case to provide a profile of the suspect, in the evidence analysis stage of an investigation (Al Mutawa et al. 2016, p. 97). When used during cyberstalking cases, BEA has been found to focus investigations by developing a better understanding of the perpetrator via the inference of their traits from the nuances of the crime they commit (Al Mutawa, p. 96). Such insights also reduce wasted time by narrowing down the pool of potential suspects (Al Mutawa, p. 96).
The proposal: A red team/blue team-inspired experiment that examines attackers’ and victims’ offensive and defensive capabilities in regard to penetrative cyberstalking with the goal of creating a security recommendation sheet for the public and a perpetrator profile matrix for law enforcement.
Considering the strategic importance to (potential) victims and the public of addressing penetrative cyberstalking outlined above, a project that evaluates the technological know-how of everyday attackers and defenders and then produces deliverables that can inform public information campaigns and support law enforcement could prove useful in both preventing and investigating this type of cybercrime. The proposed project will test individuals’ offensive and defensive capabilities in an experiment format inspired by red team/blue team exercises. The results of this experiment will then inform the creation of a matrix on individual-level attacker sophistication as well as a list of recommendations that outlines various defender maneuvers and tools.
Individuals selected for the red team will evaluate their base competencies by selecting which of the following categories best describes them: a) IT/computer science normie (can use search engines, has basic knowledge of how to work a computer and/or smartphone); b) IT/computer science enthusiast (is familiar with industry jargon, follows relevant current events); c) IT/computer science educated (can code, has general understanding of how computers interact); or d) IT/computer science professional (demonstrates computer knowledge and competencies via paid work, open source contributions, blogs, and/or help sites). All four categories of the red team will be asked to share which tools and methods they would use, hypothetically, to cyberstalk another person. Based on their responses, an attacker matrix would then be developed to detail the varied avenues for penetrative cyberstalking that each category of attacker is capable of using. In turn, this matrix would inform which tools and best practices would be most useful as recommendations for preventing penetrative cyberstalking.
Once the red team activity is completed and the resulting recommendation list has been generated, the blue team part of the experiment will start. There will be three groupings: a control group, a search group, and an informed group. Individuals in the control group will be asked to secure provided digital information and devices without outside information or help in anticipation of an individual trying to gain access to the information and devices sometime within the next year. Those in the search group will be asked to complete the same task but will be allowed to use search engines to aid their efforts in defending themselves against the theoretical threat. Persons in the informed group will receive an informational one-pager of defensive recommendations (based on the results of the red team portion of the experiment) to prepare for the anticipated threat. The control group will provide a general baseline of knowledge, while the search group will illustrate where individuals look for information on how to protect themselves, and the informed group will validate and test the accessibility of the recommended actions and tools.
Depending on available funding and desired timeline, another round of red team/blue team testing could be run. After the three blue team groupings have done their best to secure the provided devices and information, the red team could then try to gain access, which would reveal how attackers might adapt their methods once they face tighter cybersecurity controls from their targets as well as which tools and methods successfully prevented particular categories of attackers from obtaining access. Then, a more limited blue team test could be run just with the informed group to once again check the accessibility of the recommendations on the updated one-pager.
With either one round or two for each team, the formalized results of the experiment would be a matrix that outlines the tools and methods of penetrative cyberstalkers at various sophistication levels and a list of accessible recommendations for individuals to actively block such attempts for themselves. The matrix could serve as a useful reference for law enforcement agencies for developing profiles and assessing suspects, thus aiding the investigation of penetrative cyberstalking cases. The public dissemination of the recommendation list, in turn, could be useful as a prevention tool by informing the public on how to protect themselves from penetrative cyberstalkers.
The views in the present article are the author’s own, and may not represent the opinions of the SciencesPo Cybersecurity Association.
Image source: https://www.fighterlaw.com/whats-the-difference-between-stalking-and-cyberstalking/
Al Mutawa, Noora, et al. (2016). “Forensic Investigation of Cyberstalking Cases Using Behavioural Evidence Analysis.” Digital Investigation 16: 96–103. https://doi.org/10.1016/j.diin.2016.01.012.
Begotti, Tatiana, et al. (2022). “Victims of Known and Unknown Cyberstalkers: A Questionnaire Survey in an Italian Sample.” International Journal of Environmental Research and Public Health 19 (8): 1–13. https://doi.org/10.3390/ijerph19084883.
Chang, Wei-Jung (2020). “Cyberstalking and Law Enforcement.” Procedia Computer Science 176: 1188–1194. https://doi.org/10.1016/j.procs.2020.09.115.
Gatewood Owens, Jennifer (2016). “Why Definitions Matter: Stalking Victimization in the United States.” Journal of Interpersonal Violence 31 (12): 2196–2226. https://doi.org/10.1177/0886260515573577.
Jarusevičiūtė, Kristina. “Cyberstalking Likely to Increase in Post-Roe America.” Cybernews, 3 Nov. 2022. https://cybernews.com/privacy/cyberstalking-likely-to-increase-in-post-roe-america/.
Kaur, Puneet, et al. (2021). “A Systematic Literature Review on Cyberstalking. An Analysis of Past Achievements and Future Promises.” Technological Forecasting and Social Change 163. https://doi.org/10.1016/j.techfore.2020.120426.
McVeigh, Karen. “Cyberstalking ‘Now More Common’ than Face-to-Face Stalking.” The Guardian, Guardian News and Media, 8 Apr. 2011. https://www.theguardian.com/uk/2011/apr/08/cyberstalking-study-victims-men.
Navarro, Jordana (2020). “Virtual Danger: An Overview of Interpersonal Cybercrimes.” The Human Factor of Cybercrime, edited by Rutger Leukfeldt and Thomas J. Holt, Routledge, New York, NY, pp. 111–133.
O’Shea, Brianna, Nicole Asquith and Jeremy Prichard (2022). “Mapping cyber-enabled crime: Understanding police investigations and prosecutions of cyberstalking.” International Journal for Crime, Justice and Social Democracy, advance online publication: 1–15. https://doi.org/10.5204/ijcjsd.2096.
Sheridan, L. P. and T. Grant (2007). “Is cyberstalking different?” Psychology, Crime & Law 13 (6): 627–640. https://doi.org/10.1080/10683160701340528.
Short, Emma, et al. (2014). “The Impact of Cyberstalking: the Lived Experience – a Thematic Analysis.” Studies in Health Technology and Informatics 199: 133–137. https://doi.org/10.3233/978-1-61499-401-5-133.
Smoker, Melissa, and Evita March (2017). “Predicting Perpetration of Intimate Partner Cyberstalking: Gender and the Dark Tetrad.” Computers in Human Behavior 72: 390–396. https://doi.org/10.1016/j.chb.2017.03.012.
Taylor-Dunn, Holly, and Rosie Erol (2022). “Improving the ‘Victim Journey’ When Reporting Domestic Abuse Cyberstalking to the Police – a Pilot Project Evaluation.” Criminology & Criminal Justice: 1–22. https://doi.org/10.1177/17488958221129436.
Wilson, Chanelle, et al. (2021). “What Is Cyberstalking? A Review of Measurements.” Journal of Interpersonal Violence 37 (11-12): 9763–9783. https://doi.org/10.1177/0886260520985489.