Google bans stalkerware marketing in ad policy adjustment, but leaves big loophole
Starting next month, Google says it will no longer allow advertisements or marketing in its network that promotes spyware and surveillance technology used for intimate partner surveillance.
More commonly known as stalkerware, these applications can facilitate and exacerbate domestic violence by monitoring a target’s texts, phone calls, browsing history, geolocation, social media history, and more without alerting targets they are being tracked. The policy update intends to bar advertisements or marketing in Google’s ad network that perpetuates this kind of surveillance without targets’ consent.
The change, announced this month, could be an important move for stalkerware victims because while Google has taken steps to ban stalkerware applications in the Google Play Store, developers can always place advertisements that direct users to third-party sources where the applications can be acquired.
Despite the changes, there are still several gaps that could allow stalkerware advertising in Google’s network.
Although Google says its new policy will block advertisements for stalkerware and products that are used to surveil targets without their consent, the company still plans to allow advertisements for products or services designed to help parents monitor their children. That’s an important distinction that could render the policy update toothless, since many stalkerware applications market themselves as parental monitoring tools, security experts tracking stalkerware tell CyberScoop.
And although some of these stealthy applications urge their customers to obtain consent before using them, that’s no guarantee users will abide by the recommendation.
Google’s policy update does not go into detail about how it will address advertisements about products designed for parental monitoring. It likewise does not address advertisements and marketing related to employee monitoring software, which can also be used as stalkerware.
Kristin Del Rosso, a senior security intelligence engineer at mobile security firm Lookout, told CyberScoop that Google’s update is a step in the right direction, but more could be done to crack down on stalkerware-like products that advertise themselves for other purposes, such as parental monitoring tools.
“I think Google did the right thing to expressly clarify the restrictions on advertising spyware and surveillance technology. While the old statement mentioned hacking products or services, which spouseware technically falls under, the developers of spouseware still found ways to advertise their products,” Del Rosso told CyberScoop. “As for allowing ads for parental monitoring software, we believe that any tracking software must be clearly identifiable as such, and it must be clear to the user if it is running. Even surveillanceware marketed as a parental supervision app has the potential to be abused, because aside from the marketing and packaging, it is not fundamentally different from other surveillanceware.”
According to Google, a series of signals within its ad network can help address these kinds of discrepancies. Google declined to detail its enforcement systems out of a fear that bad actors would use the details to skirt accountability.
“We constantly evaluate and update our ad policies to ensure we are protecting users. We routinely updated our language with examples to help clarify what we consider policy violating,” a Google spokesperson told CyberScoop. “Spyware technology for partner surveillance was always in scope of our policies against dishonest behavior.”
Seeing ads that suggest surveillance products for spying on a partner can make people think that kind of behavior is acceptable, so the policy change to ban these kinds of ads is a move in the right direction, says Erica Olsen, the safety net director for the National Network to End Domestic Violence (NNEDV).
“It’s important companies be held accountable to not market their product for abusive purposes. Ads impact public perception of what behavior is ok and this move recognizes the power of that,” Olsen told CyberScoop, adding that at the end of the day, rooting out the applications themselves may be more impactful, as stalkerware developers often change their advertising to avoid scrutiny. “Unfortunately, while this will reduce targeted marketing for these products to be used for abusive behaviors, it will not get to the root of the issue as the basic functionality of the products may still allow for them to be misused.”
App store owners have been working for years to rid their marketplaces of stalkerware applications, but some still make it through the review process. Just last month, after CyberScoop asked Apple about stalkerware-like applications that appeared in its app store, Apple removed one from its store.
Industry-wide efforts to root out stalkerware are underway as well. Last year, a group of antivirus companies formed the Coalition Against Stalkerware in an attempt to improve antivirus products’ detection of stalkerware. There is some evidence that antivirus firms are getting better at detecting stalkerware, according to independent antivirus testing lab AV-Comparatives. However, data on the full scope of global stalkerware use is fragmented, as each company uses different methods to keep track of these applications.
Independent cybersecurity journalist Graham Cluley was the first to report on Google’s policy change.