Computer security personnel need tools, training to assist survivors of intimate partner violence
Survivors of intimate partner violence who experience tech abuse often reach out to computer security companies for help. But the customer support personnel at these companies are not sufficiently prepared to handle such cases, research from the University of Michigan School of Information finds.
Through a multipronged approach, U-M doctoral students Yixin Zou and Allison McDonald and assistant professor Florian Schaub, along with colleagues from Cornell Tech and Norton Research Group, go right to the subjects—those customer support agents—to find out where training falls short in helping IPV survivors and what can be done to address the deficits.
Their study findings will be shared at the 30th USENIX Security Symposium Aug.11-13.
In this Q&A, Zou explains their research and the team’s recommendations to improve the response to a growing problem of tech-enabled IPV:
How big of a problem is tech enabled intimate partner violence (IPV) and what forms does it take?
IPV is a big societal problem that can cause severe and long-lasting trauma on survivors. According to data from the U.S. Centers for Disease Control and Prevention, more than 1 in 3 women and 1 in 4 men in the United States have experienced rape, physical violence and/or stalking by an intimate partner in their lifetime.
In particular, technology has been weaponized to facilitate IPV. An abuser can hack a survivor’s accounts or devices, bomb the survivor with harassing/harmful messages or publicly shame the survivor through revenge porn (sharing sexually explicit photos or videos without permission).
Prior research from the Cornell Tech research team has shown that many of these attacks are not technically sophisticated (for example, the abuser can easily cut the survivor’s physical access to different accounts and devices if they live together, rather than perform some complicated hacking). Tech-enabled IPV becomes possible when the design of many computing systems does not take into account how the system could be abused for IPV in adversarial scenarios.
What is the current approach taken by most tech companies when dealing with consumer concerns about technology abuses perpetrated by an intimate partner?
Our research examined computer security companies as a category of tech companies, and specifically how their customer support agents reacted when contacted by customers with concerns about tech-enabled IPV. We found that support agents typically focused on answering and troubleshooting technical issues, such as scanning the customer’s device for malicious apps. Agents might also share general tech safety advice depending on the circumstance, such as recommending a factory reset when getting a new phone or using a password manager.
While this kind of advice is right for many customers, some of it could be dangerous for someone with an abuser to take without careful planning. We found that none of the companies we talked to had an established and consistent protocol for handling tech-enabled IPV cases. Our conversations with IPV professionals further indicate that there are many spaces that companies can improve when interacting with IPV survivors.
You conducted focus groups with several people involved with IPV survivors. Who were they and briefly what did you learn from them?
We talked with 17 IPV professionals from five organizations that support IPV survivors by providing free civil/legal/counseling services. The job roles of these professionals range from director/manager to attorney/paralegal to counselor. Our insights about how computer security customer support should interact with IPV survivors can be summarized into three points:
- Acknowledge the limitations of security software (or the company’s product, more broadly speaking). While support agents usually work as advocates for the company’s products, in this case, the product cannot fully protect IPV survivors as they navigate many social and legal challenges.
- Provide tech safety advice with caution. This means that agents should be aware that IPV survivors face risks of escalated violence for even routine self-protective behaviors. For example, it’s important to have a “safety check-in” with the customer to ensure that they are in a safe environment to have the conversation.
- Agents should never attempt to provide advice on topics they are not systematically trained for, such as IPV-related counseling, safety planning and legal advice. Instead, agents should refer the customer out to external experts and resources. Example of places for referral include IPV hotlines and advocacy groups (National Domestic Violence Hotline, NNEDV, etc.), legal resources WomensLaw.org \ and National Suicide Prevention Lifeline/911 for critical situations that threaten the customer’s physical safety.
What recommendations did you come up with after talking with these groups?
We make three key recommendations for computer security companies to better address tech-enabled IPV through customer support and beyond.
- Train customer support agents to properly handle IPV cases. The training should introduce the prevalence/severity of IPV, the different forms of tech-enabled IPV, what agents can and cannot do, and resources for coping with the secondary trauma that agents might be experiencing.
- Tack IPV cases to inform relevant decisions. For example, it might make sense to have an in-house specialized team within the customer support department with more expertise in dealing with IPV and less pressure of finishing cases in time, but this decision also needs to be balanced with the company’s business needs, particularly whether there are enough IPV cases to justify the cost and logistics of setting up this team.
- We see numerous benefits of IPV professionals and tech companies joining forces with one another. A good example is the Coalition Against Stalkerware founded in 2019. An enduring partnership provides a learning pathway for both parties with complementary strengths. Plus, such a partnership might create more opportunities to help IPV survivors.
As an example, there have been security clinics for IPV survivors in which trained technologists analyzed a survivor’s digital assets and provided personalized advice. IPV professionals and staff from tech companies can work together to deploy these security clinics at scale, in which they provide advice on topics of their expertise (tech companies for technical issues/basic tech safety tips, IPV professionals for nontechnical issues/in-depth safety planning) and make referrals to the other party as needed.
These recommendations require several people to be trained, an effort to amass resources that come from various places with different approaches, and more. Who needs to lead this change and where does it begin?
The foundation of any change is a mentality change at the senior level of tech companies (executives, directors, managers) if it hasn’t happened already—that tech-enabled IPV is prevalent, it won’t go away and it is likely to become more problematic over time as abusers innovate their ways of exploiting technologies. The message needs to convey that IPV-focused training for frontline agents is both necessary (considering the severe ramifications if the case is not properly handled) and beneficial (many elements of the training content we recommended, such as using empathetic/trauma-informed language, also apply to a broader audience).
Additionally, a partnership between multiple stakeholders—tech companies, IPV professionals, digital rights advocacy groups, academic researchers, policymakers—is important to deploy changes and share resources at scale. We have made some early efforts to drive changes by distilling our recommendations into training materials for frontline agents; we have presented the draft materials to a few participating companies, who all provided positive feedback. Our next step is to share the refined materials with the Coalition Against Stalkerware (who can further disseminate our materials to all partner companies) and ensure our materials are publicly available to anyone.