
How a WhatsApp status loophole is aiding cyberstalkers

Cyberstalkers typically like to collect as much information about their target as possible. They want to know where they are at any given moment; who they’re meeting; who they’re talking to; what their texts say; who they’re emailing; what they’re browsing for online. Knowledge is power, and having this level of power over someone is intoxicating, dangerous and profoundly unethical. 

“1 out of 3 women experience violence, and the majority of those cases are done by abusive partners or ex-partners. Those who stalk online are emotionally and psychologically abusive, and can become physically and sexually abusive down the road.”

Chloé Messdaghi, InfoSec Advocate & Activist

To combat the rise in cyberstalking behaviours, and to keep people safe, software developers are increasingly held to account for higher levels of privacy in their platforms and products. But the world of cyberstalking is a very grey one.

What one person regards as stalking, another may see as protecting a loved one. To this point, while Google has banned advertising for stalkerware on its app store, Google Play, countless tracking and monitoring apps get around this ban by claiming to help parents track and monitor their children's online activity, location, messages and more. 

From Google:

Acceptable forms of these apps can be used by parents to track their children. However, these apps cannot be used to track a person (a spouse, for example) without their knowledge or permission unless a persistent notification is displayed while the data is being transmitted.

There is, however, nothing to stop someone who wants to track an ex, a girlfriend or boyfriend, or a spouse from using one of these apps. Although installing software on someone's phone without their consent or knowledge is against the law in many jurisdictions, that is hard to enforce, and if the app presents itself as a family tracker there is no requirement for it to alert the phone's user about the data it is transmitting. (A child, being, apparently, not a person.)

Which brings us to one particular tactic in the cyberstalker's bag that lets them monitor and torment their target, is entirely legal, requires no access to the target's device at all, and is widely offered as a web-based service or as apps on Google Play and Apple's App Store without explicitly contravening either store's stalkerware policies. 

WhatsApp Online Status Trackers 

According to Statista, WhatsApp is the world’s most popular messaging app, with over two billion active monthly users. In the UK it’s present on 58% of smartphones and the number of WhatsApp users in the US is expected to hit 86 million by 2023.

When someone comes online in WhatsApp (that is, they open the app or bring it to the foreground), an indicator changes, setting their status to "Online". This indicator is effectively public: any WhatsApp account can observe it for any phone number, whether or not that number has the observer in its contacts, so anyone can build a service that polls the indicator and records each time it flips. 

Which is exactly what our CTO, Matt Boddy, discovered when he looked into WhatsApp Online Status Tracker websites and apps. You enter any mobile phone number, and if that person uses WhatsApp, the status tracker will log the exact date and time every time that person opens WhatsApp.

Please note that we have redacted the names of the apps and services in this article to avoid unwittingly promoting them. We can provide a list of those mentioned here and many others to researchers.

Tracker1's own marketing on their website: 

If you suspect a cheating spouse, boyfriend or girlfriend, for example… [Tracker1]’s WhatsApp last seen tracker online can help you to confirm whether or not your suspicions are really true…

Tracker2's marketing on the Google Play store: 

[Tracker2] designed for parents, [Tracker2] offers your child or wife’s online status on the phone. 

Some WhatsApp status trackers take this constant monitoring of another person's online status to another level. Enter a second phone number, and the service cross-references the timestamps at which each person opened WhatsApp, so you can see whether they may be messaging each other.
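To make concrete how much a watcher can infer from nothing but timestamped online/offline transitions, here is an added example (our own illustration for this article, not code from any of the trackers discussed) that runs the kind of cross-referencing described above over constructed presence logs. The log format, the names and the 90-second "follow-up" window are assumptions for the example; no WhatsApp API is used, the input is simply what a poller of the public indicator would have written down.

```python
"""Presence correlation over tracker-style online/offline logs.

Constructed example: the people, timestamps and log format are invented for
this article. It shows how two numbers' 'Online' transitions alone, once
polled and timestamped, reveal whether they are likely talking to each other.
"""
from datetime import datetime, timedelta

# Constructed log lines in the shape a polling status tracker might dump:
# "<ISO timestamp> <online|offline>". Assumed format, not any real app's.
ALICE_LOG = """\
2023-01-01T20:00:00 online
2023-01-01T20:03:00 offline
2023-01-01T20:05:30 online
2023-01-01T20:07:00 offline
2023-01-01T20:10:00 online
2023-01-01T20:11:00 offline
2023-01-01T21:30:00 online
2023-01-01T21:35:00 offline
"""

BOB_LOG = """\
2023-01-01T20:01:00 online
2023-01-01T20:04:00 offline
2023-01-01T20:06:00 online
2023-01-01T20:08:00 offline
2023-01-01T20:09:30 online
2023-01-01T20:10:30 offline
2023-01-01T22:15:00 online
2023-01-01T22:20:00 offline
"""

# A third number whose activity has nothing to do with Alice's, for contrast.
CAROL_LOG = """\
2023-01-01T20:30:00 online
2023-01-01T20:32:00 offline
2023-01-01T21:00:00 online
2023-01-01T21:02:00 offline
"""


def parse_sessions(log_text):
    """Turn online/offline transitions into a list of (start, end) sessions.

    A repeated 'online' while already online is ignored (pollers often see the
    same state twice), an 'offline' with no open session is ignored, and a
    session still open at the end of the log is dropped because its end is
    unknown.
    """
    sessions = []
    start = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, state = line.split()
        ts = datetime.fromisoformat(stamp)
        if state == "online" and start is None:
            start = ts
        elif state == "offline" and start is not None:
            sessions.append((start, ts))
            start = None
    return sessions


def overlap_seconds(a, b):
    """Total seconds during which both numbers were online at the same time."""
    total = timedelta(0)
    for a_start, a_end in a:
        for b_start, b_end in b:
            common = min(a_end, b_end) - max(a_start, b_start)
            if common > timedelta(0):
                total += common
    return int(total.total_seconds())


def follow_up_count(a, b, window=timedelta(seconds=90)):
    """Count (first, second) session pairs where one side came online within
    `window` after the other did, in either direction.

    Short-gap turn-taking is the 'back and forth conversation' pattern a status
    tracker's user looks for.
    """
    count = 0
    for first, second in ((a, b), (b, a)):
        for f_start, _ in first:
            for s_start, _ in second:
                gap = s_start - f_start
                if timedelta(0) < gap <= window:
                    count += 1
    return count


def correlate(log_a, log_b, window=timedelta(seconds=90)):
    """Summarise how strongly two presence logs co-vary."""
    a = parse_sessions(log_a)
    b = parse_sessions(log_b)
    follow_ups = follow_up_count(a, b, window)
    return {
        "sessions": (len(a), len(b)),
        "overlap_seconds": overlap_seconds(a, b),
        "follow_ups": follow_ups,
        # Share of the shorter side's sessions that were answered within the
        # window: 1.0 means every session was mirrored by the other number.
        "follow_up_ratio": follow_ups / min(len(a), len(b)) if a and b else 0.0,
    }


if __name__ == "__main__":
    for name, log in (("bob", BOB_LOG), ("carol", CAROL_LOG)):
        print(f"alice vs {name}: {correlate(ALICE_LOG, log)}")
```

On this constructed data Alice and Bob share 210 seconds of simultaneous presence and three of Alice's four sessions are answered within 90 seconds, while Alice and Carol share none; nothing about message content, contacts or device access was needed to reach that conclusion, which is the whole privacy problem with an indicator that cannot be switched off.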

Clever wording and the fact that these apps are installed on the stalker’s phone rather than their target’s, mean that this new variety of surveillance software doesn’t fall under current definitions of stalkerware, but can be just as invasive and harmful. 

“Apps that use WhatsApp’s data to help abusers know when the victims are offline or online, places the victim in terrible, horrific abusive and/or violent situations. These apps are literally allowing abusers to continue to stalk and control people. They aren’t even hiding it. It’s even in their marketing messaging. It’s promoting violence.” 

Chloé Messdaghi

Google's developer policy on stalkerware states, among its conditions, that apps must not present themselves as a spying or secret surveillance solution. Some listings appear to contravene this outright, but many simply present themselves one way on Google Play and another way on their own websites.

The Tracker3 Online WhatsApp tracker is a web-based tracking service, that doesn’t have to abide by the app store rules around family trackers or covert surveillance. It is explicit in its promise of tracking:

Our service allows you to track the online status of a WhatsApp user, as well as with whom he is texting and at what time.

We will help you keep track of the online statuses and the last posting of your friends, family and employees on WhatsApp

Tracker4 is available as both a website service and an Android app. Unrestrained by the need to comply with Google Play's policies, the website doesn't hold back about what it's really for:

Track your friends, lover, wife or kids!

But, to get around Google's stalkerware policies, the app's Google Play listing omits any mention of lovers or wives…

We will […] show all the WhatsApp statistics online for you and family! 

… although user reviews give the game away:

Reddit user “lollygagme” detailed her own experience of cyberstalking her partner through a WhatsApp online tracking app. 

“I was fascinated at how well this app worked and how much insight I was able to get into his psyche from such simple data, so I continued watching his activity over the next week.

Because I first started using this app when he was only talking to me on WhatsApp, I can now pick up the patterns where he’s actually having an in depth back and forth conversation with someone versus him checking in over and over to see if she’s replied back yet.

It’s mind blowing what you can glean on people and their mental state based on basic data. And scary! Our data is more personal than we realize!”

Last Seen vs Online

WhatsApp has other privacy-focused features in the app, so they clearly care about protecting their users at some level. In fact, one of the privacy features allows a user to hide their “Last Seen” time. Some users might understandably believe that this feature hides their presence, but it actually does very little to protect privacy. 

If you set Privacy > Last Seen to Nobody, you will not broadcast your Last Seen time. From a privacy perspective, this means someone looking at your profile would not know when you were last on WhatsApp, unless they happened to be watching at the moment your status changed. 

Your Online status is something different. Whenever you interact with WhatsApp you are shown as "Online", and the Last Seen setting has no effect on it. On its own, that would only leak to someone watching you at that exact moment, which is precisely why these tracking services exist: they watch the indicator continuously on the stalker's behalf and turn a momentary signal into a permanent log. WhatsApp acknowledges in its FAQs that you cannot turn off "Online":

Through our privacy settings, you have the option to control who can see your last seen. Please note you can’t hide your online.

Users have been worried about this loophole for at least the past three years:

A Mumsnet user, back in 2019, wrote: 

“Most of my friends and colleagues prefer to communicate by WhatsApp. Great for sending photos etc. I hate however that it shows you as ‘online’ – it’s weird and stalkerish (IMO). Is there any way at all to turn this off?”

We reached out to WhatsApp for comment about why the online status is publicly available data and whether they had any plans to close this privacy loophole. We had no response, but will update this article if and when we hear anything from them.

“It’s about time that responsible parties stood up against apps that practice and market abuse to keep children and partners safe.”

Chloé Messdaghi

In the meantime, more online status tracking apps are springing up, and it looks like Apple for one isn’t happy about it. We’ve seen links for trackers on Reddit that go to now-defunct App Store listings, so presumably Apple is removing them if it finds them. 

As one Redditor said in response to one developer’s announcement that they had “made a WhatsApp Online Activity Logger,” 

This is just voyeuristic, unhealthy, privacy-breaking nonsense. You can surely find something better to do with your skills.

What to do?

First, the bad news: There is no setting within WhatsApp that can prevent this kind of monitoring, no way to tell whether somebody is using it to watch when you go online, and no software that can detect it. Because nothing runs on your phone and the watcher only polls an indicator WhatsApp already publishes, there is nothing on your device for an anti-stalkerware scanner to find.

“This is just sloppy work on the part of WhatsApp and a typical example of what happens when companies don’t think about abusive relationships when they’re making their design decisions. WhatsApp should have given users the power to turn off their online status from the very beginning, and they need to fix this ASAP.”

Eva Galperin, Director of Cybersecurity, EFF

Now the good news: This kind of stalking relies on the stalker knowing the victim’s phone number, and on the victim using WhatsApp. Changing one or both of those things should be an effective defence.

Changing your phone number is a drastic and highly inconvenient step that might also alert a stalker that you are aware you’re being watched. Bear in mind also that your phone number is only useful if other people know it, and a determined stalker may be able to get it from friends, acquaintances or your place of work.

As an alternative to changing your number, you could try switching from WhatsApp to Signal, a popular, privacy-focussed instant messaging app. It’s very similar to WhatsApp but built with greater concern for privacy and security. It does not have the same online or last seen statuses as WhatsApp and can’t be tracked in the same way.

Lastly, if somebody is prepared to stalk you in this way, they may well be prepared to stalk you in other ways too. You should consider your online safety in the round and may wish to take steps to combat other forms of stalking at the same time.

  1. To prevent abuse of online accounts like iCloud, or your email, change your password to a new, strong, unique password, and enable two-factor authentication.
  2. To prevent unwanted access to your phone, use a PIN of at least six digits (or a longer passcode) and set a short auto-lock time so that your phone locks quickly if you leave it lying around.
  3. To detect stalkerware apps that monitor your camera, microphone and messages, or WiFi hotspots that intercept your traffic, install the Trustd app on your phone.
  4. If you suspect you are being cyberstalked, you can find helpful resources on the Coalition Against Stalkerware’s website. If you’re worried that your stalker might know you’re trying to get help, use a friend’s computer or phone.
  5. If you feel you’re in immediate danger, please contact the police.