LOVEINT: Cyber-Stalking by Spies
A term coined by NSA staff refers to the practice of using access to surveillance technology to gather information on partners or love interests. Simply put, LOVEINT is the practice of cyber-stalking. The term plays on the naming of intelligence collection techniques with the suffix ‘INT’, such as HUMINT referring to Human Intelligence.
Although it is reasonable to suspect that LOVEINT is not a new phenomenon and that spies likely throughout history have gone beyond their remit and snooped on their loved ones, it was not until 2013 that such abuses of power were officially confirmed.
In 2013, the NSA admitted that there had been several incidents of agency officers wilfully violating NSA protocols in order to spy on their love interests. Despite the NSA stating that there were only a limited number of these incidents, the practice was well-known enough to gain its own term ‘LOVEINT’ within the agency.
After these revelations, Senator Diane Feinstein, chair of the Senate intelligence committee, stated that the misconduct involving surveillance of spouses or love interests ‘in most instances’ did not intrude on the private information of Americans. However, most of these instances of misconduct were self-reported. Moreover, with an NSA audit from spring 2012 finding 2,776 cases of “unauthorized collection, storage, access to or distribution of legally protected communications” from the preceding 12 months, it is possible that LOVEINT is more widespread than the NSA would suggest.
In each of the officially reported cases of misconduct, the NSA stated that disciplinary action was taken, including termination of employment, demotion in rank, temporary reduction in salary, restricted access to NSA software and recommendations for limited security clearance. However, specific evidence for disciplinary action against NSA officers was never provided. Such information was also not provided to the head of the Senate Judiciary Committee at the time, Senator Patrick Leahy after he specifically requested it.
Privatisation of LOVEINT
The rapid growth of independent intelligence companies in recent years has led to the problem of LOVEINT also developing in the private sector. According to several sources, in 2016 an employee of the private Israeli digital surveillance company NSO Group was fired after being found to have used advanced company software to spy on a female acquaintance.
The NSO Group rose to prominence after developing a spyware program named Pegasus and providing this software to at least 10 governments and regimes as well as state security services in 40 undisclosed countries. The popularity of the program among security services and governments was due to its ability to covertly transform a mobile phone into a tool of constant surveillance. The Pegasus program grants operatives and clients of the NSO Group access to any messages sent or received through the phone on encrypted platforms, access to the camera and microphone to covertly record a target, as well as the ability to eavesdrop on calls.
The NSO Group employee caught participating in LOVEINT in 2016 was noticeably sloppy. He accessed the Pegasus program, despite the knowledge that clients of the NSO Group are alerted when their Pegasus program software is being used. As such, the NSO client in the UAE government promptly reported the unauthorised use of the program and the employee was swiftly identified and subsequently admitted to his misconduct.
After the 2016 incident, the NSO Group improved its security processes to try and prevent such misconduct from reoccurring, including the introduction of biometric checks. However, these procedures are only likely to deter operatives who have limited knowledge of the system or are amateurish in their attempt to misuse surveillance programs. Operatives with an advanced understanding of the program and the security checks, as well as individuals of a more senior rank, could still potentially evade these mechanisms.
With fewer checks and accountability in the private sector, it is the responsibility of the company to prevent and root out misconduct. Due to the nature of private intelligence companies allowing them to be independent and justifiably secretive, there may be more opportunity for LOVEINT to occur without sufficient oversight, compared with public sector agencies, if conducted by technically capable operatives or senior level staff.
Psychology of Cyber-Stalking
Although given a tongue-in-cheek name by NSA staff members, LOVEINT can be simply classified as cyber-stalking by spies.
Therefore, to understand the psychology of LOVEINT, one must only look into the psychology of cyber-stalkers. According to a study conducted by the Society for Personality and Social Psychology, “for men, cyberstalking intimate partners may be best explained as impulsive, sensation-seeking behaviour. Men may be drawn to the thrilling, taboo nature of secretly checking up on their current or former partners.”. In comparison, the study found that “For women, cyberstalking intimate partners may be explained by feelings of inadequacy and inferiority (vulnerable narcissism). Women who are highly sensitive to rejection may cyberstalk their partners in an effort to avoid rejection.”.
Spies are human as well, therefore we can expect some operatives within the national security sector to display these personality traits. However, the types of people attracted to such roles may increase the likelihood of LOVEINT cyber-stalking occurring. Despite very few psychological studies being conducted on spies and national security professionals, due to the nature of their work, we can presume the types of personalities that are attracted to such a lifestyle. As the study detailed above suggests, cyber-stalking performed by men is likely in those with “sensation-seeking behaviour”, which is a probable personality trait of men who seek work in national security due to the apparent thrill of spying on threatening actors.
Moreover, Dr Michele Galietta, Professor of Psychology at the City University of New York, noted that stalkers usually have “very narrow interests, very little leisure activity, variable other social interactions; so these tend to be their primary relationships.”. Due to the workload, commitment, and intense interest in subjects regarding national security that is required to work in the national security sector, it is likely that a sizeable amount security professionals fit this profile.
This is not to suggest that most spies are stalkers or potential stalkers. On the contrary, agencies aim to recruit individuals that are highly conscientious and use psychological testing to ensure this. Therefore, it is almost certain that most security professionals are not inclined to take part in misconduct to cyber-stalk love interests. Nevertheless, some less conscientious individuals slip through the cracks of the recruitment/screening process and abuse their power.
Democratisation of LOVEINT?
There is an alarming new trend of publicly available spyware being downloaded and used by members of the public to cyber-stalk their partners. In Britain, the use of what has been named ‘stalkerware’ apps has increased by 93% during the pandemic.
Alike to the Pegasus program, these apps allow individuals to secretly download software onto another person’s phone and gain access to their exact location, encrypted messages, private images and videos, emails, texts and permits eavesdropping on and recording of phone conversations. However, unlike the Pegasus program, this software can only be installed by someone with direct access to their target’s phone or who knows their cloud details. As a result, this software is often bought and used by individuals who wish to monitor people they are in a close relationship with.
Disturbingly, these apps are advertised as being made to monitor children, employees and loved ones.
As a result of the public availability of these apps, domestic abusers and stalkers have been given the technological means to monitor the location and private lives of their victims. Unfortunately, Jaya Baloo, a chief information security officer at Avast, stated that attempts to block access to these apps through vetting and verification processes is alike to playing “Whack-A-Mole”. This is due to the same spyware reappearing under a different app name or similar software being provided by a different company.
Although LOVEINT may be rare in national intelligence agencies, the recent growth of private surveillance companies, as well as the public availability of ‘stalkerware’ apps, has radically reduced oversight for individuals misusing intrusive software to monitor their partners and love interests. To tackle this growing problem, stronger regulation of private intelligence companies is required, as well as legislation limiting public access to ‘stalkerware’ apps.
Moreover, to ensure the proper compliance of operatives of national surveillance agencies, oversight bodies need to be empowered further. Despite LOVEINT within national agencies being a rare occurrence, such wilful misconduct and the subsequent punitive action should be readily accessible to oversight bodies. This will not only ensure that agencies effectively deal with operatives who abuse their power, but may also increase public trust in surveillance agencies. This is especially relevant considering a recent report released on January 31st, 2022, by the NSA Inspector General, stating that NSA operatives in several instances had failed to comply with official procedures or policy requirements intended to prevent the illegal or improper monitoring of American citizens.