
The Ungodly Surveillance of Anti-Porn ‘Shameware’ Apps

Churches are using invasive phone-monitoring tech to discourage “sinful” behavior. Some software is seeing more than congregants realize.

Wired

Gracepoint is the kind of evangelical Southern Baptist church that’s compelled to publicly enumerate all of the ways it’s not a cult. “We’ll admit that we’re a bit crazy about the Great Commission and sharing the Gospel,” reads an FAQ page titled, “Is Gracepoint a Cult?” So when Grant Hao-Wei Lin came out to a Gracepoint church leader during their weekly one-on-one session, he was surprised to learn that he wasn’t going to be kicked out. According to his church leader, Hao-Wei Lin says, God still loved him in spite of his “struggle with same-sex attraction.”

But Gracepoint did not leave the matter in God’s hands alone. At their next one-on-one the following week, Hao-Wei Lin says the church leader asked him to install an app called Covenant Eyes on his phone. The app is explicitly marketed as anti-pornography software, but according to Hao-Wei Lin, his church leader told him it would help “control all of his urges.”

Covenant Eyes is part of a multimillion-dollar ecosystem of so-called accountability apps that are marketed to both churches and parents as tools to police online activity. For a monthly fee, some of these apps monitor everything their users see and do on their devices, even taking screenshots (at least one per minute, in the case of Covenant Eyes) and eavesdropping on web traffic, WIRED found. The apps then report a feed of all of the users’ online activity directly to a chaperone—an “accountability partner,” in the apps’ parlance. When WIRED presented its findings to Google, however, the company determined that two of the top accountability apps—Covenant Eyes and Accountable2You—violate its policies.

The omnipotence of Covenant Eyes soon weighed heavily on Hao-Wei Lin, who has since left Gracepoint. Within a month of installing the app, he started receiving accusatory emails from his church leader referencing things he had viewed online. “Anything you need to tell me?” reads one email Hao-Wei Lin shared with WIRED. Attached was a report from Covenant Eyes that detailed every single piece of digital content Hao-Wei Lin had consumed the prior week. It was a trail of digital minutiae accumulated from nights spent aimlessly browsing the internet, things Hao-Wei Lin could barely remember having seen—and would have forgotten about had a member of his church not confronted him. The church leader zeroed in on a single piece of content that Covenant Eyes had flagged as “Mature”: Hao-Wei Lin had searched “#Gay” on a website called Statigr.am, and the app had flagged it.

Gracepoint, which focuses on colleges, claims to “serve students” on more than 70 campuses across the United States. According to emails between a Covenant Eyes representative and a former Gracepoint church leader that WIRED reviewed, the company said that in 2012 as many as 450 Gracepoint Church members were signed up to be monitored through Covenant Eyes.

“I wouldn’t quite call it spyware,” says a former member of Gracepoint who was asked to use Covenant Eyes and spoke on the condition of anonymity, due to privacy concerns. “It’s more like ‘shameware,’ and it’s just another way the church controls you.”

Similar to surveillance software like Bark or NetNanny, which is used to monitor children at home and school, “shameware” apps are lesser-known tools that are used to keep track of behaviors parents or religious organizations deem unhealthy or immoral. Fortify, for instance, was developed by the founder of an anti-pornography nonprofit called Fight the New Drug and tracks how often an individual masturbates in order to help them overcome “sexual compulsivity.” The app has been downloaded over 100,000 times and has thousands of reviews on the Google Play store.

The current iteration of the Covenant Eyes app was developed by Michael Holm, a former NSA mathematician who now serves as a data scientist for the company. The system is allegedly capable of distinguishing between pornographic and non-pornographic images. The software captures everything visible on a device’s screen, analyzing the images locally before slightly blurring them and sending them to a server to be saved. “Image-based pornography detection was a huge conceptual change for Covenant Eyes,” Holm told The Christian Post, an evangelical Christian news outlet, in 2019. “While I didn’t yet know it, God had put me in that place at that time for a purpose higher than myself, just as I and others had desired and prayed for.”

Covenant Eyes spokesperson Dan Armstrong says the company is “concerned” about “people being monitored without proper consent.” He adds that “accountability relationships are better off between people who already know each other and want the best for one another, such as close personal friends and family members,” and that the company discourages using its app in relationships with a power imbalance.

Among the top accountability apps—including Accountable2You and EverAccountable—Covenant Eyes appears to be the largest player. The company organizes conferences that are attended by thousands of people and dedicated to educating attendees about the dangers of pornography while pitching the company’s product as an urgent solution to what it characterizes as a growing moral crisis. According to the app analytics firm AppFigures, in the past year more than 50,000 people have downloaded Covenant Eyes. Rocketreach estimates that the company has an annual revenue of $26 million.

Ed Kang, pastor of Gracepoint Church in Berkeley, California, and a major figure in the organization, says in an email that volunteer staff members are required to install Covenant Eyes or Accountable2You “as part of their staff agreement.” But he disputes that church leaders were instructed to monitor congregants’ phone activity. “Usually it’s whoever they [congregants] designate, and we actually discourage leaders from being the accountability partners as that seems a bit too heavy,” he writes. (All five former Gracepoint congregants who spoke to WIRED said a church leader was their accountability partner.) Kang adds that the number of Gracepoint congregants who use Covenant Eyes or Accountable2You “may be significantly higher than 450 nowadays” and that Accountable2You “has better pricing.”

What’s common across Covenant Eyes, Accountable2You, and EverAccountable is their zero-tolerance approach to pornography. All three suggest in their marketing materials that not only is watching porn a moral failure, but any amount of porn consumption is bad for your health. Their solution: Promote purity through what they call “radical accountability,” a concept wherein a community comes together to confront a person who is living in sin. At its most basic level, the idea is pretty straightforward: Why would anyone watch porn if they are going to have to talk to their parents or pastor about it?

While these apps claim to have helped many people overcome pornography addictions, experts who study sexual health are skeptical that the apps have a lasting positive effect. “I’ve never seen anyone who’s been on one of these apps feel better about themselves in the long term,” says Nicole Praus, a scientist at the University of California, Los Angeles, who studies the effects of pornography on the brain and the spread of disinformation on sexual health. “These people just end up feeling like there’s something wrong with them when the reality is that there likely isn’t.”

But Covenant Eyes and Accountable2You do much more than just police pornography. When WIRED downloaded, decompiled, and tested Covenant Eyes and Accountable2You, we found that both apps are built to collect, monitor, and report all sorts of innocent behavior. The applications exploited Android’s accessibility permissions to monitor almost everything someone does on their phone. While the accessibility functionalities are meant to help developers build out features that assist people with disabilities, these apps take advantage of such permissions to either capture screenshots of everything actively being viewed on the device or detect the name of apps as they’re being used and record every website visited in the device’s browser.

In Hao-Wei Lin’s case, that included his Amazon purchases, articles he read, and even which friends’ accounts he looked at on Instagram. The trouble is, according to Hao-Wei Lin, providing his church leader with a ledger of everything he did online meant his pastor could always find something to ask him about, and the way Covenant Eyes flagged content didn’t help. For example, in Covenant Eyes reports that Hao-Wei Lin shared with WIRED, his online psychiatry textbook was rated “Highly Mature,” the most severe category of content reserved for “anonymizers, nudity, erotica, and pornography.” The same was true of anything Hao-Wei Lin felt was “remotely gay,” like his Statigr.am searches.

After WIRED contacted Google about Covenant Eyes and Accountable2You, both apps were suspended from the Google Play store. “Google Play permits the use of the Accessibility API for a wide range of applications,” spokesperson Danielle Cohen says in an email. “However, only services that are designed to help people with disabilities access their device or otherwise overcome challenges stemming from their disabilities are eligible to declare that they are accessibility tools.”

Covenant Eyes and Accountable2You both remain available on iOS. While WIRED did not test the apps on Apple devices, neither app appears to utilize iOS’ accessibility permissions. Apple has not yet responded to a request for comment.

In our tests of Accountable2You prior to its suspension, we found that the software similarly flagged content with keywords like “gay” or “lesbian” in the URL. For instance, when we set up a test account and navigated to the US Centers for Disease Control’s website for LGBTQ youth resources, the phone we designated as our accountability partner was immediately texted and emailed a “questionable activity report” indicating that our test phone had visited a “Highly Questionable” website.

“It’s really not about pornography,” says Brit, a former user of Accountable2You who asked to only be identified by her first name, due to privacy concerns. “It’s about making you conform to what your pastor wants.” Brit says she was asked to install the app by her parents after she was caught looking at pornography and that her mother and her pastor were both her designated accountability partners. “I remember I had to sit down and have a conversation with him [her pastor] after I Wikipedia’d an article about atheism,” she says. “I was a kid, but that doesn’t mean I don’t have some kind of right to read what I want to read.”

While accountability apps are largely marketed to parents and families, some also advertise their services to churches. Accountable2You, for example, advertises group rates for churches or small groups and has set up several landing pages for specific churches where members can sign up. Covenant Eyes, meanwhile, employs a director of Church and Ministry Outreach to help onboard religious organizations.

Accountable2You did not respond to WIRED’s requests for comment.

Eva Galperin is director of cybersecurity at the Electronic Frontier Foundation, a digital rights nonprofit, and cofounder of the Coalition Against Stalkerware. Galperin says consent to such surveillance is a major concern. “One of the key elements of consent is that a person can feel comfortable saying no,” she says. “You could argue that any app installed in a church setting is done in a coercive manner.” While WIRED did not speak to anyone who was unaware that the app was on their phone, which is often the case with spyware, Hao-Wei Lin says he didn’t feel like he was in a position where he could say no to his church leader when he was asked to install Covenant Eyes. Gracepoint had secured him a $400-a-month apartment in Berkeley, where he was attending college. Without the church’s support, he might have had nowhere to live.

But this is not the experience of everyone we spoke to. James Nagy is a former Gracepoint church member who, as a one-time congregation leader, was on both sides of Covenant Eyes reports. Nagy, who is gay, was taught from a young age that homosexuality was a sin. So when Gracepoint offered him a software solution that claimed to be able to help what he then considered to be a moral dilemma, he jumped at the opportunity. He says that while he believed many people at Gracepoint were pressured to install the app, in his case, the pressure came from himself. “Gracepoint didn’t try to change me,” Nagy says. “I tried to change me.” Nagy is now an elder at the Presbyterian Church (USA) and until 2021 was a facilitator with the Reformation Project, a nonprofit whose mission is to advance LGBTQ inclusion in the church.

In the quest to curb behavior churches deem immoral, these accountability apps will collect and store extremely sensitive personal information from their users, including from those under the age of 18. Fortify, which describes itself as an addiction recovery app, asks its users to log information about when they last masturbated, where they were when it happened, and what device they used. While Fortify’s privacy policy states that the company doesn’t sell or otherwise share this data with third parties, its policy does allow it to share data with trusted third parties to perform statistical analysis, though it does not mention who these trusted third parties are. In a phone call, Clay Olsen, the CEO of Fortify parent company Impact Suite, clarified that these trusted third parties include companies like Mixpanel, an analytics service company that tracks user interactions with web and mobile applications.

While WIRED found several churches recommending Fortify to their congregations, Olsen says neither Fortify nor Impact Suite count religious institutions as customers.

When WIRED tested the Fortify software, we found that the app also utilizes other technology to track users. For instance, because it includes Facebook’s Pixel, data related to Fortify’s masturbation-tracking form is sent to Facebook. While the data does not appear to include the contents of the tracking form, it does have metadata about the form itself, including when it was filled out. Facebook appears to store that data and, when possible, associates it with a user’s account. After setting up a test account with Facebook, logging in, and then interacting with Fortify, we were able to see interactions with Fortify in a copy of the test account’s data obtained through Facebook’s privacy center.

Fortify’s inclusion of Facebook’s Pixel isn’t just a privacy issue, it’s a security problem. While testing the app, we also noticed that the password to our account was sent in plaintext to Facebook in the URL of the tracking requests. Facebook claims to have filtering mechanisms to prevent its systems from storing this type of personal information, but Fortify’s apparent oversight is still concerning to experts like Galperin. “That’s a huge vulnerability,” she says. “It’s the sort of behavior that makes me feel like they don’t have security experts reviewing the app or its policies.”

Facebook spokesperson Emil Vazquez says companies that share sensitive user data with the Meta-owned social media platform are violating its policies. “Advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies,” Vazquez says. “Our system is designed to filter out potentially sensitive data it is able to detect.” Facebook did not say whether its filters detected the plaintext passwords sent by Fortify.

After being notified of the password issue, Olsen said Fortify would stop transmitting users’ unencrypted passwords to Facebook. As we went to press, the issue had not yet been addressed.

Hao-Wei Lin has since moved on from Gracepoint but is still processing the trauma he feels the church has caused him. I met him earlier this month at his thesis exhibition at Parsons School of Design in New York City, where he is about to get his Master of Fine Arts in photography. He tells me that it was only after he went back to school that he felt he was in a safe enough space to start processing what he went through at Gracepoint.

Hao-Wei Lin’s photography was somber, but not without humor. One was of a 3D rendering of a room where he says he and other members of Gracepoint would meet after their Sunday service. A solitary figure is hunched over praying, his head resting in the seat of his plastic chair. As I look at the photo, Hao-Wei Lin tells me he wants the viewer to feel like they are a surveillance camera perched in the top corner of the room. The name of his work: “Covenant Eyes.”
