Stalkerware won't disappear with a notification

Google is pushing a new "stalkerware" policy to reduce the spread of spying apps. But its tolerance for parental and enterprise monitoring apps leaves the door open to abuse.

Key points
  • Google announced a new stalkerware policy to be enforced from October 1st
  • The policy imposes the use of a persistent notification so that users are aware they are being monitored, and considers parental and enterprise monitoring apps acceptable
  • Such apps are technically identical to stalkerware and can be used for gender-based violence
  • Google should consider OS-level solutions based on app capabilities rather than betting on developers' goodwill

On September 16, Google announced its intention to enforce a new "stalkerware" policy after a 15-day grace period ending on 1 October 2020. The policy change states that the Google Play Store will only host such apps if "a persistent notification is displayed while the data is being transmitted."
In its announcement, Google defines stalkerware as "Code that transmits personal information off the device without adequate notice or consent and doesn't display a persistent notification that this is happening."
Stalkerware is a category of highly intrusive spy apps that monitor someone's activities and communications without their knowledge or consent. Once installed, these apps allow the person who installed them to access an array of intimately personal information about their target. This could be, for example, an abusive partner with direct access to their partner's phone or account installing a stalkerware app to monitor their every move and surveil their communications.
These apps have been heavily criticised because they can be, and are, used to spy on romantic partners without their consent, often against their will. In this sense, the use of stalkerware apps enables and perpetuates gender-based violence and abuse by partners.
Google's policy change is a welcome move that acknowledges the existence of these highly problematic apps and tries to limit their nefarious impact. However, the requirement for a notification seems an insufficient effort compared to the widely documented damage that these apps cause, and it leaves the door open to other forms of monitoring.

Google says Enterprise and parental spying should be acceptable by default

Indeed, Google's new policy carves out a space for acceptable spying apps:

"Acceptable forms of these apps can be used by parents to track their children. However, these apps cannot be used to track a person (a spouse, for example) without their knowledge or permission unless a persistent notification is displayed while the data is being transmitted.

Only policy compliant apps exclusively designed and marketed for parental (including family) monitoring or enterprise management may distribute on the Play Store with tracking and reporting features, provided they fully comply with the requirements described below."

While the advertising giant draws a line between these apps and stalkerware apps, there is actually no technical difference. The point of spying apps is to give extended access to the target's phone, usually including their location, images, app usage, communications content or even search history and visited websites. Whether they are branded as a way for parents to know where their kids are and what they do online, or for an employer to ensure that its employees are working, the capabilities are similar, and many apps branded for parents are actually used by people to monitor their partner without knowledge or consent.

[Figure: A search for mSpy, a popular hidden tracking app, in the Play Store shows parental monitoring apps as results]

In this context, many apps brand themselves as parental monitoring tools without actively preventing use on non-consenting adults. This situation makes it difficult to distinguish harmful actors and leaves open the possibility for these apps to be used in an unintended way. Google's latest policy change does nothing to address these two problematic points.
This policy change follows closely on another policy change by Google in July this year, which banned the advertisement of spyware on Google platforms. Some providers of spyware have managed to get around that policy and continue to advertise their products and services.
For example, TechCrunch recently found that seven companies known to provide stalkerware and market their products to parents and employers were still advertising in Google search results after the policy took effect on 11 August, including FlexiSpy, mSpy, WebWatcher and KidsGuard.
There is a similar possibility that manufacturers and vendors of stalkerware will find ways to get around Google's latest policy changes.
Security risk is another important argument against the use of these spying apps. Considering the intimate and sensitive nature of the data monitored and shared, having it transit through third-party servers and be stored by a company represents a non-negligible risk. This has already been illustrated by some of the companies offering such apps having their databases breached and users' personal information leaked.

The argument against legitimising Stalkerware of any kind

The argument that enterprise and parental monitoring apps are acceptable is a dangerous one that normalises the use of surveillance technologies, sometimes from a very young age, without clear indication of consent or sufficient control given to the targets of these apps. It also means that parents and employers are fuelling an industry closely connected with gender-based and domestic violence.
These apps are the very definition of privacy invasion, letting someone peer into your messages, view your photos or check where you are. Being constantly monitored prevents people from building the intimacy they need to fully grow and express themselves, and it sets a dangerous precedent to make some apps with these capabilities acceptable. It must also be noted that while enterprises providing monitoring software to their employees can be held accountable, there is no equivalent for parents.
We understand the deep primal instinct to protect your child, but using this software is dangerous. Parents are putting their trust in companies that do not have a great track record of keeping children's information secure.

Are notifications really the way forward?

In tackling the transparency issue and to better inform users about the existence of monitoring apps, Google now requires monitoring apps to "...present users with a persistent notification and unique icon that clearly identifies the app."
While an honourable idea, this notification comes with a major caveat that Google needs to address: notifications, as part of the Android system, can be bypassed and hidden permanently in different ways (usually through OS-level settings). This renders the utility of the persistent notification almost nil, as installing a stalkerware app almost always requires physical access to the phone, giving the installer the opportunity to manually hide the notification.
In instances of domestic violence, having a notification tell you that stalkerware is installed on your phone doesn't necessarily mean you can do anything about it. Deleting the app, or even changing behaviour and interactions with a phone, could result in consequences. In our view, it is better to work towards preventing the app from being installed in the first place.
If Google wants its new policy to have a meaningful impact, it should clearly categorise apps with such intrusive features as such, warning users before installation and while the app is running. A system-level indicator that can't be dismissed, or regular reminders that an app with intrusive capabilities is installed, should be considered as part of this new notification system to ensure the user is aware such an app is currently running on their phone. Such a system-level solution based on app capabilities, rather than on what developers declare and do, would also cover sideloaded apps (apps installed without using the Play Store), a common way for the most intrusive apps to be installed which circumvents Play Store policies.
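To make the capability-based approach above concrete, here is an added example that is not part of the original article and not code from Google or any monitoring-app vendor. It scores each installed app by the data its granted permissions can reach (real Android permission names), adds weight when the app hides its launcher icon, and records whether it was sideloaded, without looking at the category the developer declares. The inventory text format, the package names, the weights and the flagging threshold are assumptions constructed for this example; a parental-branded app from the Play Store and a sideloaded hidden app end up flagged for the same reason, while an ordinary app does not.

```python
"""Capability-based flagging of installed apps (example code, constructed for
this page; not an implementation from Google or any vendor)."""
from dataclasses import dataclass

# Real Android permission names mapped to the kind of data they unlock and
# an assumed risk weight (the weights are a constructed choice for the example).
CAPABILITY_WEIGHTS = {
    "ACCESS_FINE_LOCATION": ("location", 2),
    "ACCESS_BACKGROUND_LOCATION": ("location", 2),
    "READ_SMS": ("messages", 3),
    "READ_CALL_LOG": ("calls", 2),
    "RECORD_AUDIO": ("microphone", 3),
    "CAMERA": ("camera", 2),
    "READ_CONTACTS": ("contacts", 1),
    "PACKAGE_USAGE_STATS": ("app usage", 2),
    "BIND_ACCESSIBILITY_SERVICE": ("screen content", 3),
    "BIND_DEVICE_ADMIN": ("device control", 2),
}
HIDDEN_ICON_WEIGHT = 3            # an app with no launcher icon is harder to notice
PLAY_STORE_INSTALLER = "com.android.vending"
FLAG_THRESHOLD = 6                # assumed cut-off for "intrusive capabilities"

# Constructed sample inventory (hypothetical format: one block per app).
SAMPLE_INVENTORY = """
package: com.example.familylocator
installer: com.android.vending
launcher_icon: yes
capabilities: ACCESS_FINE_LOCATION, ACCESS_BACKGROUND_LOCATION, READ_SMS, PACKAGE_USAGE_STATS

package: com.example.sysupdate
installer: none
launcher_icon: no
capabilities: ACCESS_FINE_LOCATION, READ_SMS, RECORD_AUDIO, READ_CALL_LOG, BIND_ACCESSIBILITY_SERVICE, PACKAGE_USAGE_STATS

package: com.example.notes
installer: com.android.vending
launcher_icon: yes
capabilities: CAMERA
"""


@dataclass
class Finding:
    package: str
    score: int
    data_kinds: list
    sideloaded: bool
    hidden_icon: bool

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def parse_inventory(text: str) -> list:
    """Split the inventory into one dict of key/value fields per app."""
    apps, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line closes the current block
            if current:
                apps.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        apps.append(current)
    return apps


def assess(app: dict) -> Finding:
    """Score one app purely on what it can access, not on how it is marketed."""
    caps = [c.strip() for c in app.get("capabilities", "").split(",") if c.strip()]
    score, kinds = 0, []
    for cap in caps:
        name = cap.split(".")[-1]         # accept "android.permission.X" or "X"
        if name in CAPABILITY_WEIGHTS:
            kind, weight = CAPABILITY_WEIGHTS[name]
            score += weight
            if kind not in kinds:
                kinds.append(kind)
    hidden = app.get("launcher_icon", "yes").lower() == "no"
    if hidden:
        score += HIDDEN_ICON_WEIGHT
    sideloaded = app.get("installer", "none") != PLAY_STORE_INSTALLER
    return Finding(app["package"], score, kinds, sideloaded, hidden)


def assess_inventory(text: str) -> list:
    return [assess(app) for app in parse_inventory(text)]


def flagged_packages(text: str) -> list:
    """Packages that would get a system-level 'intrusive app' indicator."""
    return [f.package for f in assess_inventory(text) if f.flagged]


if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        status = "FLAG" if f.flagged else "ok  "
        origin = "sideloaded" if f.sideloaded else "play store"
        print(f"{status} {f.package:<28} score={f.score:<3} {origin:<10} "
              f"hidden_icon={f.hidden_icon} data={', '.join(f.data_kinds)}")
```

Because the score depends only on granted capabilities and install-time facts the OS already knows, the same logic applies whether the app came from the Play Store or was sideloaded, which is the point the paragraph above makes about developer declarations being the wrong basis for a notification requirement.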
If Google prefers to tighten its definition around the use cases and limit these apps to parental and enterprise monitoring, it could force the use of system-level features such as work profiles and Family Link to ensure that these apps are effectively only used in a work context or by parents on their children's devices. Google could, of course, choose to ban any kind of spyware app completely. The Coalition Against Stalkerware is taking this stance by working with antivirus companies to flag stalkerware apps as malware.
If child monitoring apps are acceptable to Google, it should find a way to ensure installation is only made by parents on smartphones belonging to their kids. Its own Family Link product would be an easy way to make sure apps are installed only in legitimate use cases.
In the current state of play, Google's efforts are insufficient to tackle the stalkerware problem. A new Play Store policy is particularly inadequate given Google's track record of poor enforcement of its own policies, whether it is to control stalkerware advertising or to prevent the spread of malware. Privacy-invasive technologies such as this one deserve more attention than a technical band-aid and should be treated as the fundamental rights threat they represent.

What you can do
If you believe stalkerware might be installed on your phone, check https://chayn.co/ or https://stopstalkerware.org/get-help/
