California's Child Privacy Protections Could Be Thorn in Stalkerware's Side

A new effort in California to better protect children’s privacy could also represent the latest bulwark against an entirely separate cyber-threat: stalkerware.

Found at least 55,000 times last year on people’s devices, stalkerware-type apps can provide unfettered access to your photos, videos, text messages, emails and web browsing history. Though some of the worst examples of these apps directly advertise themselves as “solutions” for spying on romantic partners, many others disguise their products as tools for “family tracking” – an attempt to launder their equally troubling capabilities to pry into a person’s digital life without their consent.

With the California Age-Appropriate Design Code Act, introduced this year by Assembly Members Buffy Wicks and Jordan Cunningham, this advertising masquerade could start to fall apart.

The California Age-Appropriate Design Code Act would, among other new controls, require that any “good, service, or product feature” that allows for a parent or guardian to track a child’s online activity or their location include an “obvious signal to the child when they are being monitored or tracked.”

This provision goes far beyond related interpretations written by the US Federal Trade Commission several years ago.

In 2019, the FTC prohibited the developers of three stalkerware-type apps from ever selling another app that could monitor a person’s activity unless the developers agreed to a series of new controls. One of those controls required that, should the charged developers wish to sell another monitoring app, they would have to obtain “an express written attestation from the purchaser that it will use the Monitoring Product or Service for legitimate and lawful purposes by authorized users.”

Here, the FTC shed light on what it believed were “legitimate” uses of these types of apps, including, as the very first example, a “parent monitoring a minor child.”


The FTC also placed a new control on the stalkerware-type app developers: should they wish to sell another monitoring app, they would have to ensure that the product’s application icon remained visible and could be interacted with on the mobile device. Hiding the icon is a common stealth technique in many stalkerware-type apps that can be installed on a person’s device: they simply disguise themselves as a banal app, like a calendar or calculator, or, more nefariously, they hide entirely, unable to be found by a user in their list of apps. The FTC settlement prohibited this kind of concealment.

As the FTC wrote, a “consumer must be able to click on the application icon to a page on which Respondents present a Clear and Conspicuous notice stating” the name and functions of the app, the fact that the app is running on the consumer’s device and where and how the consumer can contact the maker of the app.

This positive protection, however, came with a baffling exception: so long as a parent was purchasing the app for the purpose of monitoring a child, the icon functionality could be disabled for that child.

At the time, the Electronic Frontier Foundation criticized the FTC settlement, arguing that the FTC’s focus on “legitimate purposes” for stalking apps ignored a bigger reality: “There are simply no legitimate purposes for secret stalking apps.”

My company has tracked stalkerware-type apps for years, and I have personally offered device security training for domestic abuse survivors and support workers interested in protection from stalkerware-type apps. I ran a controlled experiment two years ago in which I installed a “family tracking” app on a test device for two weeks. The installation took fewer than 10 minutes, and once completed, the application allowed me to shut off the test device’s WiFi remotely, take control of its camera, record video and audio without notice, and record all phone calls automatically.

Any legislative effort that could force these companies to change their advertising tactics is a welcome change.

Realistically, this bill alone will not solve the problem of stalkerware. Companies that currently promote their invasive monitoring tools as family trackers could simply redesign their websites, remove some old language, and hit the refresh button in a matter of days, perhaps advertising themselves now as employee tracking tools. But this bill still removes another dark corner where these types of apps currently hide.

Increasingly closed in on every side, perhaps one day these types of apps will have to reveal themselves for what they really are: tools for invasion.