In 2022, a NSW Department of Corrections staff member started an online chat with mSpy customer service. “Can i [sic] log into my partners [sic] device remotely or do I need to physically load into her phone,” he asked.
A minute later, a staff member cheerfully advised that they would need access to the device for just five minutes but then “all the data monitored will be available through your online possible account”, according to the company’s internal chat logs.
mSpy is a Czech-based software company that has sold phone and computer monitoring and tracking tools known as “stalkerware” since 2010. A trove of mSpy customer data for users with Australian and New Zealand government email addresses shows how Australian state and local politicians, police, high-ranking members of government agencies, and ordinary public servants have used or intended to use this software.
This leak provides unprecedented insight into how Australians are actually using or intending to use these products: to surveil targets ranging from family members (including people identified as victims of family violence) to police suspects.
The use of stalkerware is often seen in the growing number of technology-facilitated abuse cases, alongside other tools like misused standard features (like logging into someone’s email) and high-tech products including GPS tracking devices.
Recording someone without their consent is generally illegal, and selling something that facilitates it can be a crime. Despite this, there’s a lucrative industry of companies that sell this software to consumers at relatively cheap prices. These products are simple enough that any consumer could install them on someone else’s digital devices — often (but not always) without their knowledge — to track their location, monitor who they’re talking to, follow what they’re doing, and even to record what’s happening around them.
Stalkerware products are often advertised as being for monitoring children (mSpy promises to help parents “see what your kids are doing on their phones and online”) or for catching cheating partners, but they’re frequently used to carry out family violence, Monash University’s Gender and Family Violence Prevention Centre director and technology-facilitated violence researcher Bridget Harris told Crikey. Sometimes those purposes aren’t mutually exclusive.
“A lot of people will have their kids share their location, but that doesn’t mean they’re in an abusive kind of family. But sometimes it’s not about care, it’s about control, and they will use those reasons as an excuse,” she said.
mSpy is one of the most popular stalkerware providers, reportedly having 2 million users paying up to US$70 a month in 2014. And now, for at least the third time, the company has suffered a breach exposing customer information. The company did not respond to questions from Crikey.
Last month, Switzerland-based hacker maia arson crimew, who has analysed a number of stalkerware data leaks, wrote that she had been provided with a leak of mSpy’s helpdesk for 2.5 million users.
“Most stalkerware reporting focuses on private use by abusers, stalkers or parents,” maia wrote.
“But it’s always been clear, at least in theory, that this hyperavailability of relatively cheap commercial spyware also enables completely different use-cases, be it as part of fraud schemes or even by governments.”
maia gave Crikey access to customer support requests from users with Australian and New Zealand government email accounts that ended in .gov.au or gov.nz. Only a small proportion of the total users are government workers.
Crikey has chosen not to name them due to the uncertainty surrounding the circumstances of each individual case. There are legal uses for the software and it is not possible to determine how some used mSpy’s software. Nevertheless, the leak shows how Australians are brazenly engaging with a stalkerware provider through their government email accounts despite — or in some cases because of — their official roles, which come with high professional and ethical expectations.
The mSpy data does shed light on what users were trying to use its products to snoop on. An executive for Defence Housing Australia (DHA) complained in 2015 that they were seeing “calls and texts not location history” from their target. Crikey contacted DHA and the executive in question for comment, but neither responded.
A Northern Territory local government official, who has since taken on a role with another council, complained that a phone they were tracking in the Philippines was only giving daily location updates rather than every 10 minutes. Nor was the software showing the identity of the Facebook contacts being messaged on the device. “Monitoring Facebook was one [of] the main purposes of my subscription, the performance in this area has been disappointing,” they wrote. They did not respond to an email from Crikey sent to their council address.
The covert nature of mSpy’s stalkerware is core to its appeal. A public servant from Australia’s aviation regulator, the Civil Aviation Safety Authority (CASA), first contacted mSpy to ensure that there would be no sign that the software was being used (“the previous application I used installed a VPN connection which was visible up the top of the display next to the network symbol,” they wrote). After purchasing the software and complaining that the remote audio recording feature wasn’t working, the person cancelled their subscription and sought reassurance that this wouldn’t show up on the target device. CASA and the public servant did not answer Crikey’s emails.
The target of surveillance wasn’t always specified. A WA police officer contacted mSpy support saying that they had signed up but were “waiting for code”. A WA Police spokesperson said the officer’s use of the software was a “private and personal matter” and not related to the agency.
In other instances, customer service requests included information about who users were using the software on. Some users appeared to use mSpy’s products to monitor their children. A former state politician sought to cancel their subscription. “[mSpy] was easily located and disabled by my son,” they wrote.
A unit director at a Victorian court told mSpy customer service that the company was “preying on vulnerable parents” after the company charged them before a trial was over. (A theme through these internal messages is the predatory business practices of mSpy, which appears to exaggerate its products’ capabilities while also misleading customers on pricing.) Neither the court nor the individual responded to Crikey’s requests for comment.
Like the NSW corrections officer, it appears other users were using the software to surveil their partners. In 2023, a Victorian police officer contacted mSpy to say that a victim of family violence had received an invoice for the company’s software and believed that her ex-partner had installed it on her phone. Victoria Police did not respond to questions about the interaction.
In one case, a person implicated in a murder case bought mSpy’s software. In 2018, a New Zealand police officer asked the company about a purchase from someone who, a court heard, had ordered a hit by two people who were subsequently convicted for the murder. The individual had purchased the application but had not used it, a NZ Police spokesperson told Crikey.
The leak shows that NZ Police contacted mSpy, but that a customer service agent struggled to find the user’s account. In an exchange with NZ Police the agent said “We are doing all we can to stop illegal use of mSpy as our goal [sic] to help parents, not abusers.”
Complicating a push for police to be more aware of and active in combating stalkerware use is the fact that police have sought out mSpy for its services in an official capacity, too. A Tasmanian police officer asked mSpy if the company worked with law enforcement and whether it could access messages sent through encrypted messaging platform Threema. A Tasmania Police spokesperson confirmed that this was an official enquiry but that the agency had not purchased the software. They declined to provide information for “security reasons” but said that the agency complies with its legal obligations.
Monash’s Harris said that while stalkerware might seem “inherently more evil”, other methods of technology-facilitated abuse — like forcing someone to share their location on Find My Friends or accessing their social media accounts — can be just as harmful, even if they are less complicated.
“We need to be thinking more critically about the context, and not just the technology, or the behaviour,” she said.
If you or someone you know is affected by sexual assault or violence, call 1800RESPECT on 1800 737 732 or visit 1800RESPECT.org.au. For information and assistance related to technology-facilitated abuse, call 1800 937 638 to contact the national peak body for specialist women’s domestic and family violence services WESNET. In an emergency, call 000.