Google’s updated policy on “stalkerware” apps on its Play store, which effectively prohibits developers from publishing apps that spy on people without their knowledge, comes into effect on October 1, 2020. The new policy mandates developers to give “adequate” and “persistent” notifications to users that such apps have been installed. However, it still allows parents to use apps and tools to monitor their children. The change in policy was first reported by CNET.

What is stalkerware?

Like the name suggests, such apps are used by people to track the activities of other users remotely. The Coalition Against Stalkerware defines it as software that can be used by individuals that “enables a remote user to monitor the activities on another user’s device without that user’s consent and without explicit, persistent notification to that user in a manner that may facilitate intimate partner surveillance, harassment, abuse, stalking, and/or violence”.

Stalkerware apps can be used by people to track the movements and internet activity, track the movement of spouses, partners, friends or virtually any other person. In a typical scenario, an app would be installed on two phones — one used by the person being stalked, and the one doing the stalking. Once configured, the master device would virtually have unfettered access to the other device’s messages, calls, location data and more. Unsurprisingly, stalkerware has been linked to domestic violence.

Relevant in India as well: Stalkerware apps have gained significance in India during the pandemic. Internet security firm Avast reported in July that the use of such apps had increased by 20% during the lockdown. The firm reportedly found three stalkerware apps named after the Indian government’s contact tracing application Aarogya Setu, using similar-looking icons. These particular apps would need from users permissions to make phone calls, read contacts, read and send text messages, device location and more.

What does Google’s new policy do?

Google allows apps to be used by parents to track their children. These would not be considered as stalkerware. However, developers of stalkerware can potentially circumvent the restriction by simply marketing them as apps meant for parents, not as spying tools that can target other adults. Google’s updated policy has put in stricter restrictions to prevent this:

  • Persistent notifications: Apps that would be required to present the users being tracked with persistent notifications that the app has been installed on the phone. The app would also have to have a “unique” icon that will help the user identify it clearly.
  • Can’t be marketed as ‘spying’ tools: The apps cannot present themselves on the app store as spying of “secret surveillance” solutions.
  • Can’t hide tracking behaviour: The apps cannot hide or cloak the fact that they have tracking features. Google has given itself a wide berth by saying these apps cannot “mislead users about such functionality”.
  • No diverting users to non-compliant version of app: Developers cannot skirt the policy by using a compliant version of their app on the Play store to an external version that can serve as stalkerware.

Policy change required because of a typo

The Verge pointed out after the announcement of the changed policy that Google had been forced to update it because of a rather blatant typo, which basically had an effect opposite to what Google had intended. The original policy from August 2020 had erroneously noted that location-tracking apps could not be used to track children, but could be used to track other adults, such as spouses. This has now been changed to the other way round.