On Friday, July 10, Google announced it would no longer allow advertising for spyware and similar surveillance technology—often referred to as “stalkerware”—on its platform.
The change is a welcome step by one of the largest, most powerful companies in online advertising, but a close read of the policy reveals a potential loophole that could allow stalkerware-type app makers to still advertise their products on Google. Simply put, these companies could skirt the rules by changing the face of what they’re selling, without changing the core technology within.
We hope this exception will soon be addressed.
For over a year, Malwarebytes has charged ahead on a renewed commitment to protecting users and domestic abuse survivors from the threats posed by stalkerware. These apps can give individuals the opportunity to pry into text messages, emails, and call logs, rifle through web browsing and GPS location history, and reveal sensitive photos, videos, and social media activity, all without consent.
In our advocacy to protect users from these threats, we have spoken directly to domestic abuse survivors. We have provided device security trainings to local domestic abuse support organizations and family justice centers. We have met with devoted law enforcement officials. We helped launch the Coalition Against Stalkerware as a founding partner. We have contributed to research studies and we have increased our own detections for our two, internal categories of applications that provide capabilities to spy on user activity without consent: “monitor” apps and “spyware” apps.
Through our continued work, we’ve learned that one of the ways that stalkerware-type apps avoid scrutiny is through potentially deceptive marketing campaigns that brand themselves as safe tools for parental monitoring. It is unfortunate that these same tactics could prove effective for bypassing Google’s new policy.
The change, the exception, and the problem
According to Google, the company’s updated advertising policy will “prohibit the promotion of products or services that are marketed or targeted with the express purpose of tracking or monitoring another person or their activities without their authorization.” The updated policy will take effect August 11, 2020.
In responding to a question as to why Google decided to now announce this updated, a spokesperson said: “We constantly evaluate and update our ad policies to ensure we are protecting users. We routinely update our language with examples to help clarify what we consider policy violating. Spyware technology for partner surveillance was always in scope of our policies against dishonest behavior.”
The updated policy applies to “spyware and technology used for intimate partner surveillance including but not limited to spyware/malware that can be used to monitor texts, phone calls, or browsing history; GPS trackers specifically marketed to spy or track someone without their consent;” and “promotion of surveillance equipment (cameras, audio recorders, dash cams, nanny cams) marketed with the express purpose of spying.”
The non-exhaustive list captures some of the current types of invasive tools available today. But further down in its policy update, Google explained that there are exceptions to the new rule. The policy will not apply to “private investigation services” or “products or services designed for parents to track or monitor their underage children.”
The problem, as we reported nearly one year ago on Malwarebytes Labs, is that the line between stalkerware-type applications and parental monitoring applications can be blurred.
As we wrote before:
“Emory Roane, policy counsel at Privacy Rights Clearinghouse, said that, not only are the technical capabilities of stalkerware apps and parental monitoring apps highly similar, the capabilities themselves can be found within the type of hacking tools used by nation states.
‘If you look at the capabilities: What results can be gathered from devices implanted with stalkerware versus devices hacked by nation states? It’s the same,’ Roane said. ‘Turning on and off the device remotely, key loggers, tracking via GPS, all of this stuff.’”
What’s more is that sometimes, apps that previously marketed themselves as tools for potentially spying on romantic partners and spouses can then quickly turn around and masquerade as parental monitoring apps.
Erica Olsen, director of the Safety Net project for the National Network to End Domestic Violence, said she personally saw these “rebranding” tactics herself when then-Senator Al Franken introduced legislation to prohibit the use of apps which could reveal a person’s GPS location without their knowledge or consent.
“After the public legislative hearings Al Franken held on location-based apps and stalking products, a ton of them changed their marketing almost overnight,” said Olsen, who also shared that Google’s updated policy is a move in the right direction. “We held up large, blown-up images of their problematic marketing and they removed it. But they didn’t change the basic functionality of the apps that allowed them to be used for these behaviors. That spoke volumes.”
Last year, Twitter allowed sponsored tweets that advertised an app that can track call logs, text messages, GPS location, web browsing history, and social media activity, and reveal sensitive photos and videos. The advertisement portrayed a man lying down in bed, checking his phone. Written across the advertisement were the words: “What is she hiding from you?”
Twitter took the advertisement down after users grew incensed. According to VICE, Twitter explained its takedown by saying: “The app violates our Malware and Software Download Policy and will no longer be allowed to advertise on the platform.”
This was a swift move by Twitter, but today, that same app markets itself on its own website as a tool for parental monitoring.
On Friday, computer security writer Graham Cluley raised the same issues we are raising here—that some stalkerware-type apps may still be able to advertise on Google, simply by changing their advertising strategy.
“Sadly, I doubt Google’s ad ban will stop stalkerware apps from promoting themselves,” Cluley wrote, “it’s just they may no longer be able to be quite so explicit in their online adverts about how they are most likely to be used.”
Next steps against stalkerware
As a founding partner in the Coalition Against Stalkerware, Malwarebytes understands that the threats of stalkerware are multifaceted, and responding to these threats requires cross-disciplinary support. That includes the commitment of online advertiser platforms to remove spaces for companies that deliberately advertise the potential of privacy as a product feature.
Despite the carve-outs to Google’s updated advertising policy, the company’s overall intention here is good.
Our commitment to protecting users from these the threats of stalkerware-type apps continues. We welcome others to join.
The post Stalkerware advertising ban by Google a welcome, if incomplete, step appeared first on Malwarebytes Labs.