For the past 13 years Britney Spears has been under conservatorship, a legal framework where her dad has had virtually full control of her life and finances. During some of that time, her father hired a security firm to spy on her, both digitally through her phone, and physically with audio recording devices in her bedroom, according to a new documentary by The New York Times. Wednesday, Jamie Spears was removed as his daughter's conservator.
The documentary features a former employee of Black Box Security, the firm hired by Spears' father Jamie.
According to the former employee, who shared details of how Spears was spied on, the setup was incredibly simple and frighteningly effective.
Jamie and Robin Greenhill, an employee of Tri Star Sports & Entertainment Group and the former business manager for the singer's estate, had an iPad and an iPod logged in with Spears' iCloud account. As the Times notes, Britney Spears' iCloud account, and everything she did on it such as FaceTime calls, iMessages, notes, browser history and photos, were all mirrored on these two devices.
To set up such a surveillance system, all they needed was Spears' password for her Apple ID, and consequently her iCloud account. It's unclear, however, how they got their hands on the password, and whether this surveillance was authorized by the court overseeing Spears' conservatorship, according to the Times.
In any case, using iCloud to spy on someone's iPhone is an extremely common way abusers spy on their loved ones. And as opposed to spyware, which often hacks a phone, using iCloud to spy abuses a device's expected functionality, according to Leonie Tanczer, a Lecturer at University College London who has supervised a research project on stalkerware.
"This is yet again an example of the so-called 'UI-bound adversary,'" Tanczer said, referring to an academic paper published in 2018, "meaning that the features people actually like about a device—i.e., the mirroring—is being a shortcoming for those that may not be aware of this functionality or envision that this is happening or could happen to them."
In other words, it's a feature that's both easy to use and abuse, which is part of what makes it so horrifying.
"This iCloud technique is not basic, it's fucking foolproof," Igor Ostrovskiy, a New York-based private investigator with Ostro Intelligence, told Motherboard.
While Ostrovskiy doesn't know the details of how Spears' father got her password, he argued that it's possible he had permission as part of the conservatorship. If that's the case, "nobody is going to get arrested for that, nobody's going to do a day in jail for that, even if they got arrested."
Do you work or used to work at Black Box Security? Do you know anything about it? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wire/Wickr @lorenzofb, or email firstname.lastname@example.org.
The Clinic to End Tech Abuse, an advocacy group that helps survivors of abusive relationships who have been stalked and spied on, has comprehensive guides on detecting when someone is spying on you via iCloud, how to strengthen the security of an iCloud account, and what to do if you think someone has broken into the account and used it to monitor their target.
In short, if you are worried someone has been monitoring your iPhone or other Apple device with this technique, log into your iCloud account on a computer browser or check your Mac's System Preferences.
In a browser, you will have to navigate to Account Settings, and check what is listed under "My Devices." On a Mac, go to System Preferences, and then click on Apple ID, and see what devices are linked to your account on the left column. If there's anything in there that you don't recognize, it may be a device someone is using to monitor you.
To kick them out, you can remove the device both in the browser and on a Mac's settings. Importantly, this, as CETA notes, can alert your abuser that you found out about their spying.
"Some abusers may become more violent if they get locked out of your account. If this is a concern for you, we strongly recommend that you carry out safety planning with a domestic violence or other support professional before making any changes to your account," CETA writes in its guide.
The role of Black Box Security in this whole story is, as the Times put it, "a mystery." But in essence, the company is a private intelligence company, much like Black Cube, another controversial private surveillance firm that helped convicted rapist Harvey Weinstein track his victims.
Black Box Security was founded by Edan Yemini, who has a background in I.D.F. Special Forces, according to the company's official website. The company did not respond to a request for comment sent via the contact form on its website.
In a statement to the Times, his lawyer said that "Mr. Yemini and Black Box have always conducted themselves within professional, ethical and legal bounds, and they are particularly proud of their work in keeping Ms. Spears safe for many years."
Firms like these, according to Ostrovskiy, are becoming more common.
"Black Box is just another guy who was accepting a paycheck and dismissing certain morals," he said. "I think private intelligence is proliferating at an exponential pace. It's almost as fast as new iPhones are coming out."
"Private intelligence is proliferating at an exponential pace. And there's no guardrails and no tools, and no government oversight of any sort," he said. "Outside of some laws that we have, like wire fraud and mail fraud, there's really not a specific law that prevents a private company, especially one that's based overseas, from hacking into a private device for non-government purposes, not for national security purposes."