Written evidence submitted by Refuge

 

 

 

Refuge evidence to Digital, Culture, Media and Sport Committee Inquiry

Connected Tech: Smart or Sinister?

 

June 2022

 

About Refuge

1.      Refuge is the largest specialist provider of gender-based violence services in the country supporting thousands of women and children on any given day. Refuge opened the world’s first refuge in 1971 in Chiswick, and 50 years later, provides: a national network of 42 refuges, community outreach services, child support services, and acts as independent advocates for those experiencing domestic, sexual, and other gender-based violence. We also run specialist services for survivors of modern slavery, ‘honour’-based violence, tech abuse and female genital mutilation. Refuge provides the National Domestic Abuse Helpline which receives hundreds of calls and contacts a day across the Helpline and associated platforms.

 

Summary

2.      Refuge welcomes the opportunity to submit evidence to this important inquiry into connected technology. Perpetrators of domestic abuse are frequently using internet-connected devices to monitor, control and harass survivors. Technology-facilitated domestic abuse – or tech abuse – is a prevalent and insidious form of domestic abuse. More than 1 in 4 women in England and Wales aged 16-74 experience domestic abuse at some point in their lives and of the women and children Refuge supported in 2020-21, 59% experienced abuse involving technology.[1] [2] Tech abuse can take many forms across a range of platforms and devices; however, the use of ‘smart’ technology is becoming increasingly common.

 

3.      With more consumer connected products coming to market every day, it is vital the government and product designers and manufacturers take steps to ensure survivors are protected. We welcome the government’s ambition to regulate the Internet of Things (IoT) and to increase the cyber security of connected devices. We also support the government’s goal to make the UK the safest place to be online. However, Refuge believes more should be done via legislation, and other non-legislative means, to protect survivors from abuse facilitated by smart products. For instance, the misuse of IoT devices by perpetrators of domestic abuse should be more systematically considered in the Product Security and Telecommunications Infrastructure Bill. The focus of the Bill largely appears to be on introducing measures to prevent unknown parties from hacking into devices and networks. Whilst these measures are important, they often fail to sufficiently account for the ways in which these devices are used to perpetrate domestic abuse, and therefore do not address the barriers to safety which survivors face.

 

4.      Refuge asks Committee members to consider the recommendations outlined below in their examination of the impacts of smart and connected technology:

 

What has been or will be the most important impacts of increasingly prevalent smart and connected technology in our lives, including in the home, in the workplace and in our towns and cities, and are they necessarily better than current systems?

Are there any groups in society who may particularly benefit from or be vulnerable to the increasing prevalence of smart technology, such as young or elderly people, people with disabilities and people likely to be digitally excluded?

5.      Survivors of domestic abuse are particularly vulnerable to the increasing prevalence of smart technology, as perpetrators benefit from the growing availability and affordability of these devices. In response to the threat of tech abuse, Refuge pioneered a tech abuse service in 2017. The specialist team comprises expert staff trained in supporting survivors experiencing complex forms of tech abuse. Refuge is therefore uniquely placed to offer insights and expertise on tech abuse. From our experience of supporting survivors, we know that the impact of tech abuse is devastating, that it is often poorly understood by technology companies and law enforcement, and that the current response to survivors is inadequate.

 

6.      The devices most commonly reported to Refuge include smart doorbells and locks, CCTV cameras, home hubs and assistants, TVs, plugs, thermostats and fitness trackers. Abusers use these devices to monitor survivors’ movements and locations, to listen in on conversations, collect recordings and intimate images for blackmail, and to remotely frighten and control survivors, as part of a wider pattern of coercive control. Tech abuse rarely occurs in isolation, but as part of a wider pattern of coercive and controlling behaviour. Survivors report that perpetrators use devices to gaslight them and perpetrate psychological abuse. For example, perpetrators have tampered with video feeds to make survivors question their memory, as the case study below highlights, as well as remotely tampering with lighting, heating and alarm systems.

 

7.      As well as causing emotional and psychological distress to survivors, these technologies also compromise survivors’ physical safety, such as where devices allow for location tracking and monitoring. There are also ramifications for a survivor’s ability to disclose abuse to professionals visiting them in the home, if they fear that the perpetrator is listening to conversations via these devices. In addition, Refuge is aware of devices on the market that are designed and promoted for the specific purpose of stalking and harassment, masquerading as home tech or home security products.

 

8.      Features which enable remote access to devices enable perpetrators to abuse survivors at a distance and after the relationship has ended. We have seen cases of perpetrators gifting devices to children with the aim of continuing to communicate with the child/children after they and the survivor-parent have fled. Devices gifted to children are used to continue exerting control post-separation and can enable the perpetrator to access audiovisual information and to track the address of the new location the survivor has fled to.

 

9.      Survivors often report that perpetrators purchase and set up IoT devices, and that they alone have full access to the accounts or have forced survivors to divulge passwords to accounts. Market research carried out by Refuge and Avast revealed that just over half (64%) of women in the UK have admin control over the IoT devices in their own homes. One in four (27%) stated that admin access for these devices has not been shared equally or with transparency in their household. 18% of women said they have no control over the Wi-Fi settings in their home, but that their partner or family member does.[3] 

 

10.  It is important to note that some smart technology may be used by survivors to support their safety, for example to help with collating evidence of abuse. Survivors with additional needs, such as those with disabilities, communications needs or language barriers, may also rely more heavily on these devices, and perpetrators may use these devices against them more frequently.

 

11.  Survivor story - A survivor of domestic abuse supported by Refuge took steps to protect herself by setting up smart home devices, including cameras and a doorbell, to record the abuse committed by her partner. However, the perpetrator hacked the devices in order to watch her around the house and listen to conversations she had on the phone. He also deleted footage of abuse to make her question her memory. The survivor had two-factor authentication and should have received a notification when the perpetrator accessed the devices, but did not. He had also hacked her emails and had control of the home WiFi, telling her she was too stupid to understand the technology. She felt violated and afraid. With the help of Refuge, she was able to unravel the extent of the perpetrator’s tech abuse and was supported to safety plan. She reported the perpetrator the police, but despite being labelled a homicide risk, the perpetrator was just handed a caution. While the police seized his computer and hard drives, the tech abuse was not investigated. The police even advised the survivor to put the doorbell camera back on, even though the perpetrator had access to it. Even now, she feels on edge at home as if she is being listened to or tracked.

 

How can we incentivise or encourage design that is safe, secure, environmentally- and user-friendly and human rights compliant?

12.  Safety by design is vital to tackling the misuse of IoT devices by perpetrators of domestic abuse. Refuge’s tech abuse team are frequently in contact with product companies. This may be to report security design flaws, or to advocate for survivors directly with companies, for example, to allow survivors to make changes to security settings on devices, or the regain control of the admin account on devices, to ensure perpetrators do not have remote access to devices. This is done for the survivors’ safety, but this process often takes times, and some companies have refused to make changes to device accounts.

 

13.  The response from technology companies to survivors of tech abuse can often be poor, and many do not appear to consider tech abuse during design stages. Increased accountability should be placed on product designers and manufacturers to embed safety by design principles and to safety test products before they are placed on the market. From the very earliest design stages, companies should consider how their products may inadvertently be used to abuse, and work with the specialist VAWG sector to design out these flaws and features, ideally before the product reaches market. Greater focus on safety by design will lead to the development of more secure products which have been built with survivors’ safety in mind. The government should work to increase the extent to which product designers and manufacturers must consider how their products can be used to perpetrate tech abuse and design this out as far as possible.

 

14.  As mentioned previously, there are a number of products on the market that are designed and/or marketed with the specific purpose of stalking and monitoring, such as ‘spyware.’ Companies which profit from the sale of these products must be strongly challenged, and we question whether these products should be permitted to be advertised.

What are the key short- and long-term risks and threats, and how can we ensure the devices, systems and networks of individuals, businesses and organisations are digitally-literate and cyber secure?

15.  The threat and risk to survivors of domestic abuse from the misuse of IoT devices is significant. The use of these products by perpetrators of domestic abuse must be more systematically considered by government in the Product Security and Telecommunications Infrastructure Bill, to ensure regulation of product manufacturers and retailers delivers improvements in cybersecurity for survivors. Further recommendations on improving cyber security in the context of the Bill are outlined in paragraphs 2129. The technology industry should also adopt safety by design principles which centre women and girls’ safety.

 

16.  Digital literacy is a further, important tool in addressing domestic abuse facilitated by internet-connected devices and other forms of technology. However, public awareness of tech abuse is low. Refuge research has shown that nearly half (48%) of women are unable to name a home device they believed could be vulnerable to abuse – increasing to 60% for those aged over 55. Two-thirds of women surveyed (66%) did not know where to get information to help secure devices in their home if they felt that had been compromised by an abuser, rising to 79% for those aged 45 and over.[4]

 

17.  Government and device manufacturers and retailers should empower IoT users with safety information. Refuge’s approach to tech abuse is to empower survivors to use technology safely. We have created resources and step-by-step guides to support survivors in securing devices and accounts, including an interactive Internet of Things Home Safety Tool. Similarly, device manufacturers and retailers should produce and disseminate clear, easily available guidance for consumers on configuring and using devices securely, and ensure users know what to do if a device is being used to abuse them. The development of safety guidance should be done in collaboration with specialist VAWG services. Caution should always be exercised regarding the inadvertent education of perpetrators on new ways to abuse. Government and industry should improve awareness of the use of technology by perpetrators of violence against women and girls (VAWG), in collaboration with VAWG specialists, and ensure consumers have easy access to safety guidance.

 

18.  Specialist VAWG services are a critical aspect of the response to tech abuse. These services provide vital advocacy and support to survivors of online VAWG. However, demand for services and caseloads are very high, and the VAWG sector faces a precarious funding landscape.

 

19.  Refuge provides the only specialist support service for survivors of tech abuse in this country. The number of complex tech abuse cases reported to the team continues to increase. Between April 2020 and May 2021, we saw on average a 97% increase in the number of complex tech abuse cases requiring specialist tech support when compared to the first three months of 2020. However, most of this work is reliant on insecure fundraised income. In order to meet growing demand and to provide support for every survivor who needs it, the government should sustainably fund specialist VAWG services which provide support to survivors of tech abuse and other forms of online VAWG. In the context of the Product Security and Telecommunications Infrastructure Bill, this could be achieved through allocating a percentage of fines collected by the regulator to funding VAWG support services.

 

20.  The criminal justice response to tech abuse must also be improved. Too often, there are failures by the police and Crown Prosecution Service to investigate and charge tech abuse crimes. Multiple reports and reviews by independent inspectorates and by law enforcement agencies themselves have highlighted the systemic failures of the criminal justice system to protect women and girls.[5] From the year ending March 2015 to the year ending March 2020, referrals from the police to the Crown Prosecution Service for domestic abuse-related crimes fell by 40%, and convictions fell by 37% from 2016 to 2020.[6] In our experience, the criminal justice system responds to technology-facilitated domestic abuse even more poorly. Too often, the onus is placed on survivors to change their behaviour, with police officers recommending survivors come offline, rather than focusing on pursuing perpetrators. Officers frequently lack an understanding of the nature and dynamics of domestic abuse, and the dangers and multiple forms of tech abuse. Training on tech abuse should be rolled out to the police, and the police must be allocated sufficient resources and technology to promptly investigate tech abuse.

 

 

Do existing frameworks, like data protection legislation and the Public Security and Telecommunications Infrastructure Bill, adequately address concerns with smart technology, and if not, how could they be changed?

 

21.  The introduction of a cyber security regulatory framework and of basic security requirements for smart devices through the Product Security and Telecommunications Infrastructure Bill is welcome. However, the focus of the Bill and of some of the priority requirements the government intends to introduce through secondary legislation – such as the ban on default passwords – are primarily on addressing hacking from unknown parties. The security requirements do not adequately address concerns about the use of internet-connected technology by perpetrators of domestic abuse. The government should conduct a formal consultation on proposed secondary legislation and consult directly with survivors of tech abuse. This would allow for considered feedback on the security requirements, as well as on further aspects of the enforcement regime.

 

22.  For example, the ban on default passwords will have limited effect in instances of domestic abuse, as it fails to acknowledge the power imbalance between perpetrators and survivors. In Refuge’s experience, perpetrators will often set up smart devices and accounts, force the survivor to divulge their password, or gain access to the account password through broader tech abuse, such as by hacking into cloud accounts or password key chains. This is illustrated by the case study below. Research carried out by Refuge found that 41% of women in the UK said a partner or family member knows the password to their personal devices – with 28% of these women saying that they did not give this password willingly.[7] The banning of default passwords will therefore do little to prevent many perpetrators from gaining access to devices.

 

23.  Survivor story - A survivor and her child supported by Refuge were constantly monitored at home when living with the perpetrator via various forms of technology, including smart home hubs, voice assistants and a smart TV. The perpetrator insisted that he set up all devices and accounts that the survivor and her child would use, to ‘keep them safe.’ He had access to all the devices and accounts remotely. The survivor and her child felt mentally exhausted with the amount of surveillance imposed on them.

 

24.  The requirement for product companies to have in place a vulnerability disclosure policy to allow security researchers to report security flaws is a positive step forward. This could help VAWG sector specialists, such as Refuge’s tech abuse team, to bring security issues more easily to the attention of manufacturers and retailers. However, the Bill does not require product manufacturers to repair security flaws before they are publicly disclosed. This could alert abusers to vulnerable devices and potentially increase the risk of a device being used for domestic abuse. Companies should take all reasonable steps to fix security flaws before they disclose these flaws publicly. In tandem with the vulnerability disclosure scheme, more accountabilities must be placed on product designers and manufacturers to embed safety by design. The disclosure scheme currently places trust and a degree of responsibility on security researchers and the wider community to report, and responsibility must also be placed on companies.

 

25.  In some cases, measures that have been introduced to improve the security of devices against hacking from unknown parties have limited survivors’ ability to secure their devices. For example, security restrictions have been placed on devices to permit one user to have full admin access. This is abused by perpetrators, who gain control of the admin account and restrict a survivor’s ability to access the device account and make changes to settings. This is a particular issue immediately post-separation, when a survivor may have fled to a secret location for their safety, and must urgently secure their technology. This is to ensure that the perpetrator no longer has access to devices and accounts that could be used to monitor and abuse the survivor, or to track their new location. Where a survivor has fled to a refuge, the safety of other survivors and staff is also at risk. Refuge’s tech abuse team advocates with device companies to enable survivors to make changes to account settings. However, this can often be a time-consuming process before a company eventually removes the perpetrator’s access to the account. In the meantime, compromised devices are potentially being used to monitor survivors. In some cases, companies have refused to remove perpetrator admin access. These discussions with companies often take place at a time when the risk of harm is escalated, as separation is acknowledged as a high-risk factor for further assault and homicide.[8] Companies should allow survivors to make changes to device accounts when they have fled the perpetrator, including changing passwords, admin access and removing personal data.

 

26.  Refuge supports the introduction of the transparency requirement regarding the length of time a product will receive important security updates. This may help ensure survivors are informed and empowered to research options to secure their devices.

 

27.  Survivor story - A survivor supported by Refuge was being harassed by her former partner. He sent her constant text messages and hacked into her internet router. She was also concerned he was accessing her devices remotely, as she received a notification on a smart TV requesting remote access. The survivor logged her concerns with the police. The police said that the hacking attempts of the smart TV and WiFi was not criminal, that they would have no way of providing it was her former partner who had hacked the accounts, and that it could be a malfunction. She was advised to contact her WiFi provider. The survivor tried contacting the company about her security concerns, but they could not help her. With support from Refuge, the survivor was able to delete unknown devices from her router and secure her accounts.

 

28.  In addition to recommending the security requirements introduced by the Bill be strengthened, Refuge also proposes the scope of the Bill be expanded. We are concerned that second-hand products are currently exempt from the regulatory framework. The average UK household currently has nine consumer connectable products, and this figure is likely to grow as more affordable products come to market. [9] Given the large amount of IoT devices currently in use, it is likely that a sizeable second-hand marketplace will emerge. Perpetrators may purposefully seek to purchase second-hand products, in the knowledge that they may be less secure, and likely cheaper. The scope of the regulations should therefore cover second-hand products.

 

29.  Secondly, the Bill should explicitly include online marketplaces. Many of the products used by perpetrators to abuse women and children are sold and purchased on online marketplaces. There is a risk that these companies will seek to define themselves as ‘platforms’ for third-party distributors, rather than distributors themselves, to argue that they are exempt from the regulations. More than 90% of the UK has shopped via an online marketplace, such as eBay and Amazon.[10] This could mean that devices sold on these websites may not be subject to the security requirements, creating a significant gap in the regulatory framework. The scope of the regulations should therefore cover online marketplaces.

 

Conclusion

30.  Technology is providing perpetrators of domestic abuse with new and ever-growing ways to abuse. Refuge is seeing increasing reports of smart connected technology being used in the abuse of women and children. We therefore welcome the government’s ambition to increase cyber security of consumer smart products and introduce regulation of this industry. In order to tackle the threat of tech abuse perpetrated via smart technology, Refuge urges Committee members to consider the recommendations outlined in this submission.

 

 

[1] ONS (2020), ‘Domestic abuse prevalence and trends, England and Wales: year ending March 2020,’ https://www.ons.gov.uk/peoplepopulationandcommunity/crimeandjustice/articles/domesticabuseprevalenceandtrendsenglandandw ales/yearendingmarch2020

[2] Refuge Annual Report 2020-21, https://www.refuge.org.uk/wp-content/uploads/2021/11/Annual-Report-nosig-Refuge.pdf

[3] Research conducted by Censuswide in July 2021 on behalf of Refuge and Avast, with 2,000 women in the UK aged 18 and over, https://www.refuge.org.uk/refuge-and-avast-hidden-home-dangers/

[4] Ibid.

[5] For example, see: College of Policing, Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services (HMICFRS) and Independent Office for Police Conduct (20211), ‘A duty to protect: Police use of protective measures in cases involving violence against women and girls,’ and HMICFRS (2021), ‘Interim report: Inspection into how effectively the police engage with women and girls’

[6] Calculated using CPS (2020), ‘CPS data summary Quarter 4 2019-2020, https://www.cps.gov.uk/publication/cps-data-summary-quarter-4-2019-2020 and the data published alongside the CPS VAWG Report 2018-19, available for download here: https://www.cps.gov.uk/cps/news/annual-violence-against-women-and-girls-report-published-0  

[7] Ibid.

[8] See Metropolitan Police Service SPECSS+ Risk Identification, Assessment and Management Model for Domestic Violence Cases, https://www.whatdotheyknow.com/request/26758/response/70582/attach/3/MPSDVSPECSS2008.doc.pdf?cookie_passthrough=1.

[9] Department for Digital, Culture, Media & Sport, The Product Security and Telecommunications Infrastructure (PSTI) Bill – product security factsheet, https://www.gov.uk/guidance/the-product-security-and-telecommunications-infrastructure-psti-bill-product-security-factsheet

[10] Which? research in 2019 found that more than 90% of the UK population had shopped through an online marketplace in the previous month, and this has increased since the Covid-19 pandemic, https://conversation.which.co.uk/money/online-marketplace-regulation/