Alisha Menezes, a 26-year-old investment banker from Mumbai, India, believes that her ex-boyfriend knows more about her than she herself does – from what gets her off, to the precise shade of black she appreciates in clothes, down to her deepest insecurities.
“Before I met him two years back, I didn’t think it was possible for a person to know someone so deeply,” Menezes told VICE. “There were times when I felt my own individuality didn’t exist and that my definition of self had merged with his.”
Menezes broke up with him in September last year after she found out he was cheating on her with one of her friends. But even after she called it off, he wouldn’t stop spamming her Instagram DMs from multiple fake accounts. “Initially, the tone of the texts was apologetic; he would even send voice notes of him crying and howling,” she said. “No matter how many accounts I’d block, he would find new ways to get to me. He even texted me on True Caller (a phone number identification app).”
Things took a turn for the worse after he failed to catch her attention through DMs. He logged into her iCloud account in an attempt to control her life again. “I had completely forgotten that I’d logged in my credentials on his spare MacBook many months before the breakup, when I had to finish an urgent project and my laptop wasn’t working,” she explained. “His best friend is a known black hat hacker, who earns a living working for shady real estate developers. So, cloning my iCloud details on other devices was child’s play for him.”
What followed was an attack on almost every aspect of her life. He deleted some important files, sent malicious porn links to her colleagues, deactivated her Instagram account, and added “sex work” to her LinkedIn bio. “I felt like I had no control over my life. My phone had become a weapon, and I felt helpless.”
Modern technology gives perpetrators ever-increasing ways to stalk, isolate and control others using the tools of everyday life. Spying through iCloud or Google accounts is one way they do so, which is what makes it all the more frightening. Only recently, a New York Times documentary revealed how Jamie Spears – Britney Spears’ father and former guardian – had hired a security firm to spy on Britney by accessing her iCloud.
According to a former employee of this security firm, the setup was incredibly simple and frighteningly effective. Jamie and Robin Greenhill – the former business manager for the singer’s estate – had an iPad and an iPod logged in with Britney’s iCloud account. As the Times noted, Britney’s iCloud account, and everything she did on it such as FaceTime calls, iMessages, notes, browser history and photos, were all mirrored on these two devices.
According to a recent survey, Indians are more likely to check their partner’s email accounts, stalk their exes on social media and even post intimate pictures of their partner online, compared to respondents from other countries. Indian respondents also scored the highest in hacking into someone’s device and exposing content or impersonating the person, especially after a breakup or after calling off a wedding.
“This kind of ‘social engineering’ attack is fairly straightforward,” explained Shivam Mishra, a software expert. “There are various ways to go about it. For example, you know the victim likes opera so you send them a phishing email sharing a free ticket to a famous opera concert in their city. But this is not technically a hack, even in the case of Britney. It is a breach of privacy. But that can actually be more dangerous.”
Mishra believes that people using laptops or devices provided by their offices might still be a tad safer as there might be dedicated IT teams debriefing them about the ways in which they can protect their system, the need for two-factor authentication and regularly changing passwords, among other cybersecurity hygiene practices.
“But the same safety net might not be available for individuals who are not with an organisation,” he added. “People are usually more gullible than you think, even about basic cybersecurity measures. This vulnerability gets compounded when the criminal in question is your own ex or a family member.”
More than 2,000 kilometres from the coastal city of Mumbai, in the southeastern city of Cuttack, Vandana faced a predicament similar to Menezes’ when she visited her parents. The New Delhi-based HR professional asked VICE to use only her first name for privacy reasons. In her case, it was her brother who breached her privacy to an uncomfortable degree.
“He just cannot handle the idea of me being on the phone for more than an hour,” Vandana said. “This was certainly not coming from a place of brotherly love or protection, as he hovers around me for hours. I have always felt like a prisoner whenever I visit home.”
However, things came to a head when she discovered that he had taken the “protectiveness” to a different level altogether. He tried logging into her iCloud by guessing her password, which was just a slight variation of their mother’s birthday. She found out that he had had complete access to her phone for months only when he confronted her about downloading a dating app.
“There was no way he could’ve known I was on a dating app, as I was in Delhi, away from home, when I first installed it,” she said. “He admitted in a very matter-of-fact and non-apologetic way that he had gained access to my iCloud. His rationale was that I was a small-town girl stepping into an unsafe city like Delhi for the first time and that I needed his watchful eye.”
Even though Vandana’s father admonished his son for breaching her privacy, her mother remained indifferent to it. “Despite the fact that privacy was recently upheld as a fundamental right, it’s an unfathomable concept for many Indian families,” said Vandana. “The supposed protection of women’s dignity often trumps all constitutional and ethical considerations.”
Vandana’s case was similar to Britney’s, with everything on her phone – including texts, calls, pictures, and app activity – being “mirrored” in real time on cloned devices.
Something similar happened to Minal Mohite, a restaurant manager in central Delhi. Mohite had fired a server working under her, who, to exact revenge, gained access to her iCloud using the restaurant’s computer, which Mohite had once used to log in to her personal account.
“I don’t even know if he bore a grudge against me because he technically didn’t harass me,” she said. “But he did weird things. He changed my Spotify playlist and deleted social media apps.”
Mohite found out that he was the source of it all after her friend suggested she check the devices connected to her iCloud account.
Shivani Singh, operations and digital security manager at the Internet Freedom Foundation, recommends undertaking a detailed threat model assessment, which involves understanding the various ways in which you could be affected, the context of the attackers, and how you must go about protecting your system accordingly.
“One needs to understand what the consequences of a privacy breach are and how far you are willing to go to protect this information,” Singh explained. “If someone is employing their time, energy and money to attack you, your threat model is higher. In that case, you might want to consider starting a new account or changing devices, but it depends on whether you have the resources for that.”
According to Mishra, iCloud hacking can be prevented by frequently checking your “Device Manager” in your Settings, which shows all the devices connected to your account, and immediately removing any unknown devices. This article details more ways for you to detect if somebody is spying on you and kick them out.
“Your phone is a sacred space, regardless of who you meet in life, and you don’t owe it to anyone to share your phone password,” Mishra said. “This is the root of all social engineering attacks. We live in an era where memory cards have become obsolete, and everything is in the cloud. And only you can protect it.”
In many countries, including India, digital spying is a punishable offence. Recently, a 48-year-old man in Sydney, Australia, was sentenced to a year in prison for illegally accessing 92 iCloud accounts over a period of two years, and sharing sexualised pictures of his victims.
Women almost always disproportionately bear the brunt of such attacks.
“Women are often forced to share their passwords by their parents or partners who want to ‘check’ their chats,” said Singh. “They are left with no privacy at all, and every bit of their agency is taken away from them.”
But with just a few simple steps, you can take back control.
Follow Arman Khan on Instagram.