With the presence of computers and smartphones reaching an all-time high in our society, it has never been easier to discreetly monitor a person’s activities without their knowledge. The question has evolved from “Is it possible to compromise a phone or computer with spyware?” to “Which brand of spyware do I feel like using today?”
The manufacturers of these tools are often quite heavy-handed about the descriptions of their products. Three of the most popular spy apps are MSpy, Mobispy and Spyera. Notice a trend?
Even more interesting is the following disclaimer, found at the bottom of MSpy’s website: “INTENDED FOR LEGAL USES ONLY.”
A savvy reader might be asking how this invasive level of monitoring — GPS positioning, keylogging, text-message interception, picture interception and so forth — can possibly be legal in any context. The answer, as with many of these situations involving rapidly evolving technology and privacy rights, is “it depends.”
I am not an attorney, so none of the following should be considered as legal advice or guidance. I am merely an expert witness who has worked on innumerable digital forensic cases involving computer and smartphone spyware.
The generally accepted legal uses for installing hidden spyware on a phone are twofold: monitoring minor children you have legal guardianship of and monitoring employees who are using company-owned phones.
The latter is likely the more interesting of the two to business owners, and admittedly could offer a lot of interesting data about employees.
To quote John Wooden, “The true test of a man’s character is what he does when no one is watching.” Almost all businesses occasionally face the problems of goldbrickers — employees who maintain the appearance of working but secretly spend more time slacking off than they would like to admit to their bosses, like gold bricks that look valuable from a distance but are actually just painted mud.
That most employees are chained to a desk is bad enough, but throwing the global smartphone addiction into the mix means that most employees are connected to the Internet throughout their business days. Maybe they slip away for a few minutes at a time to watch a funny cat video. Maybe they actually spend five hours a day on Facebook. Even worse, maybe they’re stealing important company files by embedding them inside funny photos and forwarding them to all their “friends.”
Each of these situations happens every day in the workplace. To the outside observer, an employee is either typing away behind a monitor or hunched over a smartphone like a caveman over a flame. Their actual actions are rarely apparent, and this can make spyware appealing to business owners.
An important legal consideration is the concept of “reasonable expectation of privacy.” Would employees have any reason to believe they are being monitored on their computers or their phones?
In almost all cases involving legal use of spyware, businesses have been required to inform their employees that they cannot expect privacy while using company devices. This should be explicitly spelled out in employment contracts: “All digital device use may be monitored at any time and privacy should not be expected.” Users also need a regular reminder that privacy should not be assumed. This could be a popup, with the same language as the contract, that appears whenever they turn on their computers.
While I neither condone nor condemn the practice, I recognize that various businesses are employing spyware. So the least I can do is offer a little advice: Always make sure you have an attorney involved before you start using spyware. Failing to do so could quickly land a business owner in prison.
Neal Custer is president of Reveal Digital Forensics & Security, a subsidiary of Custer Agency Inc., and an adjunct professor at Boise State University. Written in collaboration with Dylan Evans, Reveal’s vice president of operations. This column appears in the Nov. 18-Dec. 15, 2015, edition of the Statesman’s Business Insider magazine.