Proactive Cybersecurity for those at risk of domestic violence
Proactive Cybersecurity for those at risk of domestic violence
Got an immediate security problem?
This document aims to help you avoid getting into trouble. It is much easier to prevent cybersecurity issues than clean them up.
If you have an immediate problem that you need to fix right now, then you want this document instead:
Come back and read this later when things have calmed down
Intro
I am an IT professional and can help people secure their devices and accounts. I am not trained in welfare or domestic violence.
If you are a person experiencing domestic violence or at risk of domestic violence, you should reach out to support services, such as:
Below is cybersecurity advice for security your devices and accounts, minus all the bullshit. While this information is good advice for anyone, it aims to help people at risk of domestic violence.
This information is designed to help you reduce the risks of being harmed, not sell some useless security software or offer simplistic advice such as "set a good password". It's blunt, realistic and honest.
Before we jump in
Before I cover technical stuff, there are a few things to keep in mind when considering your personal cybersecurity.
“You're just being paranoid”
There is strong social pressure to not take cybersecurity seriously. Most people see it as a pain in the ass and think people taking it seriously are odd or paranoid.
Do your best to ignore this, and never let it be a reason for weakening your cybersecurity.
Inconvenience
Securing technology is a hassle. It makes it harder to use devices, harder to access websites or services. Everything becomes annoying. Sadly, that doesn't make any of this advice less true.
Reading this, it might feel over the top and taking things too far. If you want to secure technology and protect your personal safety, this is what it takes.
Inconvenience is the biggest obstacle to cybersecurity. The second is cost. When you hear about a corporation or government department being "hacked", inconvenience and cost is the root cause. It's not that it's technically difficult, it's that nobody thought the security was worth the hassle. Until it was.
Fortunately, cost won't be an issue in your case. The solutions required to securing personal devices and accounts are either free or cheap.
Technical details
I don't want to bury you in useless technical details in this article. If you are interested, I will explain the reasoning for some advice at the end.
The reality of what is possible
I have separated all the advice into two scenarios;
- Possible
- Not possible
The reality, is that sometimes you just can't take action/advise to secure your devices and accounts. If you are threatened with violence, then “use a long, complex password” is pointless advice. In these cases, I have tried to identify a fallback strategy. Sadly, there are limited options, and they mostly involve keeping things hidden, rather than secure. In cybersecurity, we call this “security through obscurity” and it is the weakest for of security you can have.
Personal Boundaries
Set personal boundaries and expectations about technology and security very early on, with everyone.
Friends, family, partners. From the first date to random hookups, the rules must be the same.
- If someone doesn't respect these boundaries, then you have a giant red flag waving in your face.
- If they say your security is suspicious or that it feels like you're hiding things, then that's on them. If they keep pushing, then it's the same red flag.
Don't let these boundaries drop as the relationship becomes serious/stable.
Domestic violence is far more likely to start 6 to 12 months after a relationship is established, rather than straight away. Right when you are dropping your guard, and you've given people access.
What is Domestic Violence related to technology?
Abuse of technology can often appear harmless or get brushed off as not being important. Common signs that you are a victim of abuse through your technology are:
- “They check my phone when I sleep.”
- “They installed a parental control app.”
- “They demand I share my password or use Face ID in front of them.”
- "They insist I let them read my messages to prove I 'have nothing to hide'"
- "They insist I share my location for safety reasons"
These are all acts of coercion or maliscious attempts to use your devices. If you are experiencing this, then there is a real risk your devices are being used against you and you cant trust those devices.
Devices
Physical Access
It is extremely difficult to secure a device, once someone else has physical access to it. So step one in security is:
Don't let people touch your devices.
Which is far easier said than done, but we have to start with this.
Possible
The rule is: Nobody touches/uses your devices.
- Phones and Tablets are 100% off limits. No excuses.
- Laptops should follow the same rule, but with a single exception that I will outline later.
Not possible
If you are living in a house with an abuser, limiting access to devices is extremely difficult. Abusers are likely to use coercive control, emotional/verbal abuse and physical violence to get access to the device.
Once you are in this situation, you need to give up on physical control and fall back to the next section, Device Locks.
Device Locks
Modern devices come with a range of security features, and they work very well. Unfortunately, most people don't use them because it is inconvenient.
Possible
As above, set boundaries and expectations very early on. The rule is: Nobody gets to unlock your devices but you. No excuses.
- Enable the lock screen on all your devices. Use these lock methods, in this order:
- Fingerprint
- Pattern
- Use a long, complex pattern
- Password
- Not usually an option for phones, but on Laptops, use a long password. More on passwords later.
- Code
- Short number typically used on phones/tablets
- Face recognition
- Set the lock timeout to be the shortest possible option.
- On computers, the lock screen is typically the screensaver or power saver screen.
- If you use a pattern, password or code, don't share it with anyone.
Not possible
It is not always possible to use lock screens or keep the lock screen method secret. Passwords are useless if someone is willing to harm you to get them. In this situation, you need to fall back on other security methods I will outline below.
Other people's devices
Do not access your accounts, on devices you don't own. It is trivial for someone to monitor your activity on a device they own/control. From websites, chat apps to recording every single character you type.
You should assume any device or computer you don't own is recording everything you type. Especially if that device belongs to your abuser.
This applies to any shared family devices such as a child's iPad or a family computer/laptop. These types of devices can not be trusted.
Children and shared access
Don't let your children use your devices. Ever.
Possible
- Children are easy to influence and if they can access your phone, then they can give that access to someone else.
- Children hate dealing with cybersecurity obstacles and will make your life hell until you reduce/remove the security. Don't even go down that path.
- Children put zero thought into cybersecurity and will install anything they are prompted to install. Especially if they think it will get them a game or other entertainment.
- Children will go out of their way to disable your security to get what they want.
Not possible
- If you can't avoid children using your devices, then you have to treat your devices as being untrustworthy.
- Don't log into important accounts on these devices and don't use them to communicate about sensitive topics that could put you at risk.
Faraday Bag
When you are in a hurry to leave a location, you likely won't have time to secure your devices. If you have a Faraday bag, then you can put your devices in it to protect yourself from tracking software.
These bags block radio signals such as GPS, 4/5G, Wi-Fi and Bluetooth.
They are relatively cheap, and you can get them from regular sites like Amazon. They tend to look like a laptop pouch and dont stand out.
Possible
You can get items such as this: https://amzn.asia/d/gJ8jqga"
Faraday Bag on Amazon.com.au
Not Possible
If you dont have one and need to lockout a signal, wrap your devices in aluminium foil. Make sure you cover the entire device.
It's not perfect, but it works.
Factory Reset / Erasing a device
If you have concerns about your device having unwanted apps or some maliscious change, the best option is to erase it. This is relatively easy and quick. With so many devices out there, I cant cover the details, but you should look it up so that if you need to erase the device you can.
There are however some important things to consider before doing so.
Your Photos
You should always make sure that your photos are being backed up by some kind of cloud service. With Android phones this is typically Google Photos, with iPhones it is iCloud.
- You dont want to lose your photos if a phone is damaged, lost or stolen
- If you are in a hurry to erase your phone, you dont want to be stressing about losing your photos. It can take a very long time to backup a phone, the last thing you want is to be waiting for a backup to finish before you can secure your device.
Your contacts
You want to make sure your contacts are available in an emergency. This means that your phone address book should be synced with Google contacts or Apple Contancts.
Do NOT store contacts on your phone or worse on the sim card. If you erase the phone, you end up erasing your contacts.
Device Apps
Phone apps from legitimate stores like Google Play or Apple Store are very rarely maliscious. The stores scan apps for malware and any issues tend to be identified and resolved very quickly.
There are however some apps to watch out for.
Legitimate but risky
These are legitimate apps and are approved by the stores, but can be used against you.
These are apps such as baby monitors, webcam software, find my phone apps and child monitoring apps. They are not designed to be covert tracking software, but if you dont notice them, they can be used that way.
Manually installed apps, no legitimate use
Phones can have apps manually installed by using a downloaded file. This capability is dissabled by default and there is no legitimate need for a regular person to turn that protection off. This setting is turned on by software developers when testing their apps or by people who have more advanced tech skills.
Regular users should only install apps from the apps store!
Manually installed apps can be designed to run silently, prevent you getting notifications or removing the software. They are often advertised as "anti cheating" apps or partner monitoring apps.
The easiest way to spot this is to check if manual app installs are allowed. If this is on, then you should dissable it and factory reset the phone. Check in these two places:
- Developer mode is on. Look in your phone settings for developer mode and see if it is on. If it is and you didnt do it, turn it off and factory reset the phone.
- Allow other app sources. Look in settings>apps>special apps
Online Accounts
There are three categories of online accounts you need to deal with.
- Accounts with large companies
- Accounts with smaller companies
- Accounts that provide "log in with" services.
Large companies
Companies such as Facebook, Google, Instagram provide very secure authentication services and have dedicated security teams to protect their computer systems. Their security is extremely strong.
The reality is, that nobody hacks Facebook, Gmail or Apple accounts. The media hypes it up but what actually happens is that the person had very poor personal security. Generally people get access to their accounts because of:
- Weak passwords
- Unlocked devices
- Impersonation to get an account unlocked
If you have a good password on one of these services, then most people are safe.
In this instance, though, you should take additional steps to protect your accounts.
- Enable Multi-Factor authentication.
- This is where you need to enter a number sent you via SMS / email or click confirm on your phone etc
- Make sure the email account you use for password resets is secure.
- If you set Facebook to send reset emails to your Gmail, but your gmail is available on an unlocked phone, then you are very vulnerable.
- Consider using a seperate email address for password resets. This douesnt even have to be your email account. For instance the email of a parent, sibling or trusted friend could be used.