Cybersecurity & Tech

Cyber Gaslighting: PsyOps in the Home

Irving Lachow
Wednesday, June 12, 2019, 9:00 AM

Home-based internet devices are becoming an increasingly integral part of our daily lives. By 2021, more than half of the houses in the country will be smart homes—homes equipped with electronic devices that can be controlled remotely by phone or computer. Many of us are buying internet-enabled personal assistants, thermostats, door locks, dimmers and kitchen appliances.

Samsung Smart Home Display (Source: Flickr./Kars Alfrink)

Published by The Lawfare Institute
in Cooperation With

Home-based internet devices are becoming an increasingly integral part of our daily lives. By 2021, more than half of the houses in the country will be smart homes—homes equipped with electronic devices that can be controlled remotely by phone or computer. Many of us are buying internet-enabled personal assistants, thermostats, door locks, dimmers and kitchen appliances. These devices bring us numerous benefits, most notably the ability to save time by remotely accessing our homes and controlling multiple systems through easy-to-use interfaces. These benefits are real and should not be discounted. At the same time, there is a growing awareness that, like all technologies, smart home devices also introduce risks. Most of the attention to date has focused on risks to privacy from personal assistants like Alexa, which can overhear conversations even when one is not speaking to the device. However, last year the New York Times highlighted a more serious risk that has received scant attention: the potential use of smart home devices by one person to monitor and harass another person.

The concept of psychological harassment is not new. The term “gaslighting,” which refers to the use of denial, misdirection, contradiction and lying to destabilize a victim, dates back to a stage play in the 1930s wherein a husband tries to convince his wife that she is crazy by manipulating small elements of their environment. Now imagine the following scenario: A husband has been routinely abusing his wife both verbally and physically. She finally gets a restraining order and makes him move out the house. He is angry. Sitting in his temporary apartment, he realizes that his phone has apps that allow him to control the temperature of the house, turn the lights on and off, and control the volume of the stereo. He decides to have a little fun by randomly turning on the house lights throughout the night. He also makes the stereo blast loud music when he knows his wife will be home. Finally, he plays games with the temperature: alternating between stifling heat and frigid cold. After a week of this behavior, he sends his wife an email telling her that if she doesn’t take him back, he will escalate his actions to make her pay for what she’s done.

This scenario may seem like an episode from Netflix’s Black Mirror, but similar situations are playing out today and we should not underestimate the psychological toll that such harassment can take on someone. There is clear evidence that cyberbullying has devastating effects on teenagers. Combining online intimidation with the ability to control someone’s physical environment could be harrowing to the victim of such abuse. It is particularly troubling to consider the implications of this development in light of the growing use of smart devices that enable remote viewing and tracking of people.

Solutions to the threat of cyber gaslighting will likely be thorny. Smart devices are ripe for exploitation in domestic abuse scenarios because often one person, usually a man, controls the information technology (IT) for the house. If the IT manager moves out but retains access to home-based smart devices via mobile apps or online interfaces, he or she could control the household environment. One apparently simple solution to this problem is for the person who remains in the home to physically reset the devices and regain control over the device passwords. However, the victim has to know (or learn) how to do this and, more importantly, must be willing to take this step and risk escalation. Many victims are either unwilling to take action or are advised by experts not to take these steps because the abuser is likely to detect these steps and may respond by escalating his or her attempts to assert control through violence.

One approach to cyber gaslighting that appears promising is to apply strategies from recent efforts to address cyber stalking. The risk of cyber stalking is huge; after all, an entire industry is devoted to creating software for tracking people via their smartphones. While there are legitimate uses for these tools, people who use tracking apps can cause great harm to those being tracked. For example, people who are tracked can become victims of physical abuse and stalking.

In response to cyber stalking threats, activist Eva Galperin has proposed a solution that combines technical and legal tactics. On the technical side, Galperin has asked antivirus vendors to treat “stalkerware” like malware. One company, Kaspersky, has responded by alerting users when they have stalkerware on their phones and giving users the option to quarantine or remove these apps. On the legal front, Galperin is pushing government officials to prosecute the executives of stalkerware companies for violating criminal laws such as the Wiretap Act and the Computer Fraud and Abuse Act.

Unfortunately, many of these measures cannot be applied directly to cyber gaslighting because, unlike the stalkerware situation, abusers are not adding software to home-based smart devices in order to harass their victims. Instead, they are using the devices as they were intended to be used. Antivirus vendors do not have a role to play in this situation. In cyber gaslighting, the victim may also be dealing with a dozen devices, each of which performs a different function, which may make it difficult to identify the scope of the threat and determine where to focus one’s attention.

The legal challenges are also more complex when one is dealing with home-based smart devices. The technologies in question have legitimate and positive uses, and one cannot realistically target the executives of smart device companies just because their equipment has been used to cause someone harm (if that were the case, then people could sue knife manufacturers every time someone were stabbed). If the abuser has been functioning as the household’s IT manager, with authorized access to these devices, then anti-hacking legislation like the Computer Fraud and Abuse Act won’t be much help. Laws focused on cyber crime are challenging to implement in domestic conflict situations because it is often difficult to determine whether access to a particular system was authorized or not. It can also be difficult to address the issue of consent. For example, if a victim has not changed the password of a smart device, then the abuser could claim that he or she has been granted consent to access that device.

One piece of advice that law enforcement authorities recommend when faced with cyber gaslighting is to document what is happening. In the words of one expert: “If you can build up a picture of every time the heating becomes unbearable, or the lights go into overdrive, or the alarms start buzzing, this is valuable data for law enforcement.” This helps establish an evidentiary baseline that can move the conversation away from whether the abuse occurred toward a focus on the abusive behavior itself. That, in turn, can help law enforcement officials who are trying to hold an abuser responsible for his or her actions.

Smart devices could soon become embedded into every part of our lives. Confronting the complex legal issues at stake now will help to ensure that the benefits we gain from smart homes and ubiquitous internet access are not outweighed by the risks that come with these technologies.

Dr. Irving Lachow is Deputy Director, Cyber Strategy and Execution at the MITRE Corporation and a Visiting Fellow at the Hoover Institution.

Subscribe to Lawfare