Spyware and coercive control: Australia's device-policy gap

Spyware and coercive control are colliding in Australia as eSafety research shows tech-facilitated abuse is common and ordinary apps can be weaponised.

By Marnie Blackwood
A smartphone displayed alongside monitoring devices, reflecting the surveillance tools at the centre of coercive-control debates.

For a victim-survivor trying to leave an abusive partner, the most revealing device in the home may be the one in a pocket. Smartphones, family-tracking apps and internet-connected gadgets can turn ordinary safety features into a live map of where someone is, who they speak to and when they move. That is the frame behind a new Australian Strategic Policy Institute analysis, which argues that spyware once associated with intelligence services is now appearing in cases of coercive control.

Writing in The Strategist, Fitriani says products sold for covert phone monitoring are no longer a fringe cybercrime problem. They are consumer-grade surveillance tools, marketed as if they were ordinary apps. The piece points to a 2022 AFP case involving 14,500 buyers across 128 countries, including 201 in Australia, a reminder that the commercial market already had scale before many victims ever reached a police station.

“Spyware, once primarily used by intelligence agencies and nation-states, has become a tool of intimate partner abuse.”
— Fitriani, The Strategist

The regulator’s reading is slightly different. eSafety’s own research on the Internet of Things and coercive control and ABC’s reporting on location-sharing apps suggest the harder problem is not only specialist stalkerware. Ordinary location-sharing tools, cloud accounts and connected household devices can be bent into the same pattern of abuse. eSafety says 51% of Australians surveyed had experienced some form of technology-enabled abuse, and 37% of those cases occurred in a current or former intimate-partner relationship.

The policy question shifts with that evidence. If spyware in coercive control were only a matter of rogue apps, the response would be narrower: remove the software, ban the listing, prosecute the seller. Australian evidence points to a messier reality, one that runs through app defaults, police training, court practice and the capacity of domestic and family violence services to spot technical abuse before it escalates.

The abuse pattern is broader than hidden spy apps

From the justice-system side, the Australian Institute of Criminology’s report on technology-facilitated coercive control lands in much the same place. The core problem is patterned abuse, not one suspicious download. Researchers including Asher Flynn describe women moving house, replacing devices and seeking repeated tech checks while still struggling to have the broader pattern recognised by police or courts.

A smartphone displaying a location-sharing app, the kind of everyday tool researchers say can be repurposed for coercive control.

The distinction matters because specialist spyware is only half the story. Some apps are built for covert monitoring. Others are not, but they still supply the same raw material: live location, message previews, shared photo streams, call records, microphone access and a quiet trail of notifications. By the time a victim-survivor realises what is happening, the abuse may look less like a discrete cyber incident and more like a continuous operating condition.

The same logic explains why the AIC lens and the frontline services lens line up so closely. TechSafety’s guidance on spyware and safety treats covert monitoring as a safety and continuity problem, not just a malware problem. A service may need a safe device, a staged password reset, a careful check of account recovery options and a plan for what happens if an abuser notices access has been cut off. Those steps are practical, but they also expose the larger policy failure: Australia still places much of the burden of proof and clean-up on the person being watched.

For years, spyware sat in Australian tech reporting as a niche cybersecurity category, closer to data breaches, mercenary vendors and state surveillance. ASPI’s warning suggests that frame is now too narrow. The consumerisation of surveillance has pushed the problem into the same space as app design, parental-control features, cloud syncing and domestic violence policy.

Ordinary location features are now part of the attack surface

The sharpest shift may be cultural as much as technical. Location sharing has been normalised as convenience, family co-ordination and personal safety. That makes it easier to miss when the same feature becomes a monitoring tool inside a controlling relationship. ABC reported this month that 13% of 2,000 Australian adults surveyed considered monitoring a partner through location-sharing apps reasonable. That is not a fringe misunderstanding. It is evidence that the line between care and control is still being blurred in mainstream tech use.

A phone showing GPS navigation, illustrating the mainstream location features eSafety says can be weaponised inside abusive relationships.

Julie Inman Grant’s warning in the ABC report rests on that distinction. The most serious risks do not always come from a dark-web product with an obviously malicious label. They can also come from settings and sharing permissions that appear legitimate until someone starts using them to remove another person’s room to move.

“It isn’t an exaggeration to say preventing tech-based coercive control… can save lives.”
— Julie Inman Grant, ABC News

Seen that way, app-store bans are not enough. The harder questions sit lower in the stack: how visible location sharing is by default, how quickly a user can see every linked device or recovery email, and whether sharing expires automatically. The next question is how clearly a platform signals unusual access without forcing the victim-survivor into a dangerous confrontation. Those are safety-by-design questions. They belong to device makers, operating-system vendors, app developers and regulators alike.

Inman Grant’s second point is the uncomfortable one. “A very determined predator can always exploit the loopholes,” she told ABC. That makes perfect prevention unlikely. It does not make design choices irrelevant. The aim is not a fantasy of total technical control. It is to reduce silent access, shorten the time to detection and make it easier for support services to intervene without asking victims to become their own forensic analysts.

Australia’s main gap is capacity, not awareness

The AIC work makes a blunt point: Australia already has enough evidence to stop treating technology-enabled abuse as a novelty. What it lacks is consistent capacity. Police need training to read digital coercion as a pattern rather than a string of minor incidents. Courts need confidence with device evidence and account access issues. Services need funding for specialist technical support, not just broader awareness campaigns.

The gap matters because the public debate keeps drifting toward the most dramatic part of the stack. Hidden spyware is dramatic. So are brand-name surveillance vendors. But the more common policy failure may be ordinary consumer technology deployed in a system that still assumes victims can simply switch features off and move on. In practice, they may share phones, share cloud accounts, depend on family-tracking apps for children, or face escalation when an abuser notices a setting has changed.

A similar warning surfaced in Britain this week, where a House of Lords committee heard that domestic abuse law was still failing to recognise the danger of location tracking and hidden stalkerware. That does not make Australia’s problem less local. It makes it harder to dismiss as an edge case created by one bad app or one bad actor.

For digital policy makers, the implication is straightforward. Australia’s online safety debate has spent years focusing on takedowns, harmful content and platform accountability at the speech layer. The spyware and coercive-control problem sits one layer lower, in permissions, defaults, device relationships and the ease with which a person can be silently watched through ordinary consumer technology. If Australia waits for abuse to arrive packaged as obvious stalkerware, it will keep missing the features already installed by default.

Marnie Blackwood

Regulation reporter on Privacy Act reform, eSafety, ACCC tech enforcement, and ACMA. Reports from Canberra.
