Parental monitoring apps: How do they differ from stalkerware?

Parental monitoring apps: How do they differ from stalkerware?

In late June, Malwarebytes revived its long-running campaign against a vicious type of malware in use today. This malware peers into text messages. It pinpoints victims’ movements across locations. It reveals browsing and search history. Often hidden from users, it removes their expectation of, right to, and real-world privacy.

But after we recommitted our staunch opposition to this type of malware—called stalkerware—we received questions about something else: Parental monitoring apps.

The capabilities between the two often overlap.

TeenSafe, which retooled its product to focus on safe driving, previously let parents read their children’s text messages. Qustodio, recommended by the Wirecutter for parents who want to limit their children’s device usage, lets parents track their kids’ locations. Kidguard, clearly named and advertised as a child safety app, lets parents view their children’s browsing and search history.

Quickly, the line becomes blurred. What are the differences between stalkerware apps and parental monitoring apps? What is an “acceptable” or “safe” parental monitoring app? And how can a parent know whether they’re downloading a “legitimate” parental monitoring app instead of a stalkerware app merely disguised as a tool for parents?

Malwarebytes Labs is not here to tell people how to parent their children. We are here to investigate, report, and inform.

Knowing what we do about parental monitoring apps—their capabilities, their cybersecurity vulnerabilities, and their privacy implications—our safest recommendation is to avoid these apps.

However, we understand the digital challenges facing parents today. Cyber bullying remains a constant concern, violent images and videos profligate online, and extremist content lingers across multiple platforms.

Diana Freed, a PhD student at the Intimate Partner Violence tech research lab led by Cornell Tech faculty, said she understands the appeal of these tools for parents. They advertise safety, she said.

“I believe that when parents are putting these apps on someone’s phone, they’re trying to do it to make their child safer,” Freed said. “They’re not saying ‘I don’t want my child to not have privacy.’ They think they’re doing the best they can to make this a safer place for their child.”

However, Freed explained, there is a lot to these apps that parents should know.

“Let’s assume that everyone is a good actor and wants to do the right thing,” Freed said. “But it is a matter of, is it clear to that parent what these apps are doing?”

What’s the difference?

Multiple privacy advocates and cybersecurity researchers said that, when comparing the technical capabilities of parental monitoring apps to those of stalkerware apps, the light that shines between the two is dim, if not entirely absent.

“Is there a line between legitimate monitoring apps and stalkerware apps?” said Cynthia Khoo, author of the CitizenLab report on stalkerware “Predator in Your Pocket.”

She answered her own question:

“On a technological level, no. There is no differentiation.”

Khoo explained that, when working with her co-authors on the Predator in Your Pocket paper, the team initially struggled with how to address monitoring applications that advertise themselves in benign, non-predatory ways, yet provide users with reams of sensitive information. It is the famous “dual-use” problem with stalkerware: some apps, though not advertised or designed for invasive monitoring, still provide the same capabilities.

That struggle disappeared though, Khoo said, when the team realized that apps could be evaluated by their capabilities, and whether those capabilities could violate the laws of Canada, where CitizenLab is located.

“We realized that if an app is not just providing location monitoring, if it’s collecting information from social media accounts, the private contents of someone’s phone—in Canadian law, that could be seen as unlawful interception of someone’s phone, unauthorized access to someone’s computer,” Khoo said. “Regardless of branding or marketing, that’s a criminal offense.”

Emory Roane, policy counsel at Privacy Rights Clearinghouse, said that, not only are the technical capabilities of stalkerware apps and parental monitoring apps highly similar, the capabilities themselves can be found within the type of hacking tools used by nation states.

“If you look at the capabilities: What results can be gathered from devices implanted with stalkerware versus devices hacked by nation states? It’s the same,” Roane said. “Turning on and off the device remotely, key loggers, tracking via GPS, all of this stuff.”

Roane continued: “We have to be very careful about the use of these by parents.”

Both Roane and Khoo also warned about the lack of consent allowed by many of these apps. Some stalkerware apps, like mSpy, FlexiSPY, and Hoverwatch, can operate entirely hidden from view, absent from a device’s app drawer.

Some parental monitoring apps offer the exact same feature.

Particularly concerning, we found that the app Kidguard actually reviewed the stalkerware app mSpy on its own website. In the list of pros and cons for mSpy, Kidguard listed the following as a positive:

“Operates 100% invisibly, cannot be detected.”

This invisible capability is a clear warning sign about any monitoring app, Khoo said.

“There is no legitimate reason or need to hide surveillance if it is truly for a genuine, good faith, legal, legitimate purpose,” Khoo said. “If you have the person’s consent, you don’t need to hide. If you don’t have consent, this shouldn’t be used in the first place.”

We agree.

Any monitoring app designed to hide itself from the end-user is designed against consent.

The cybersecurity risks

The cybersecurity reputations of several parental monitoring apps are questionable, as the companies behind them have left data—including photos and videos of children—vulnerable to threat actors and hackers.

In 2017, Cisco researchers disclosed multiple vulnerabilities for the network device “Circle with Disney,” a tool meant to monitor a child’s Internet usage. The researchers found that Circle with Disney had vulnerabilities that could have let a hacker “gain various levels of access and privilege, including the ability to alter network traffic, execute arbitrary remote code, inject commands, install unsigned firmware, accept a different certificate than intended, bypass authentication, escalate privileges, reboot the device, install a persistent backdoor, overwrite files, or even completely brick the device.”

In 2018, a UK-based cybersecurity researcher found two unsecured cloud servers operated by TeenSafe. Located on the servers were tens of thousands of accounts details—including parents’ email addresses and children’s Apple ID email addresses, along with their device names, unique identifiers, and plaintext passwords.

ZDNet, which covered the vulnerability, wrote:

“Because the app requires that two-factor authentication is turned off, a malicious actor viewing this data only needs to use the credentials to break into the child’s account to access their personal content data.”

Also in 2018, the parental monitoring company Family Orbit—which offers an app on iOS and Android—left open cloud storage servers that contained an eye-popping 281 gigabytes of sensitive data. The vulnerable servers, identified by an online hacker, contained photographs and videos of children.

These are just the cybersecurity flaws. This is nothing to mention the labyrinthine network of related third parties that could work with parental monitoring apps, receiving collected data and storing it across other, potentially unsecure servers littered across the web.

Steadily, the American public has begun to understand and push back on the many ways in which their data is shared with numerous third parties, often without their express, individualized consent. If it isn’t okay for adults, is it okay for children?

The privacy risks

Parental monitoring apps can give parents a near-omniscient, unfiltered view into their children’s lives, granting them access to text messages, shared photos, web browsing activity, locations visited, and call logs. Without getting consent from a child, these surveillance capabilities represent serious invasions of privacy.

Privacy Rights Clearinghouse’s Roane compared the clandestine use of these apps to a more familiar analogue:

“Would you support breaking into your child’s diary if this was the ’80s?” Roane said. “This is extremely sensitive information.”

Multiple studies have suggested that the relationship between parents and children can be significantly altered depending on the types of surveillance pushed onto them, with the age of a child playing a significant role. As a child grows older—and as their need for privacy ties closely into their autonomy—digital monitoring can potentially hinder their trust in their parents, their self-expression, and their mental health.

A few years ago, UNICEF published a discussion paper that warned of this very problem:

“The tension between parental controls and children’s right to privacy can best be viewed through the lens of children’s evolving capacities. While parental controls may be appropriate for young children who are less able to direct and moderate their behaviour online, such controls are more difficult to justify for adolescents wishing to explore issues like sexuality, politics, and religion.”

The paper also warned that strict parental controls could impair a child’s ability to “seek outside help or advice with problems at home.”

According to the science magazine Nautilus, a one-year study of junior high students in the Netherlands showed that students who were snooped on by their parents reported “more secretive behaviors, and their parents reported knowing less about the child’s activities, friends, and whereabouts, compared to other parents.”

Laurence Steinberg, a professor of psychology at Temple University, told Nautilus that when parents invade their children’s privacy, those children could be more at risk to suffer from depression, anxiety, and withdrawal. She told the outlet:

“There’s a lot of research indicating that kids who grow up with overly intrusive parents are more susceptible to those mental health problems, partly because they undermine the child’s confidence in their abilities to function independently.”

Further, in the 2012 report, “Surveillance Technologies and Children,” the Office of the Privacy Commissioner of Canada suggested that parents who rely on surveillance to keep their children safe risk stunting the maturity of those children.

Tonya Rooney, a researcher in child development and relationships at the Australian Catholic University, said in the report:  

“We need to question whether the technologies may be depriving children of the opportunity to develop confidence and competence in skills that would in turn leave them in a stronger position to assess and manage risks across a broad range of life experiences.” 

Unfortunately, this field of study is relatively new. As the children subject to parental monitoring apps reach adulthood, more can be measured, including whether those children will accept other forms of surveillance—like from domestic partners and governments.

If you’re looking for a pithy takeaway, maybe read Gizmodo’s article about a University of Central Florida study of teen monitoring apps: “Teen Monitoring Apps Don’t Work and Just Make Teens Hate Their Parents, Study Finds.”

Tough, necessary conversations

We understand that telling readers about the never-ending downsides of parental monitoring apps fails to address the likely reality that many parents have engaged in some type of digital monitoring in a safe, healthy, and openly-communicated way.

For those who have found safe passage, well done. For those who have not, the researchers we spoke to all agreed on one priority: If you absolutely insist on using one of these apps, you should discuss it with your children.

“You can openly say [to a child] ‘I am going to start looking at your location because we’re concerned and this is how we’re going to do it,’” said Freed of the IPV tech lab at Cornell. “In terms of the child’s privacy, have a conversation on the concerns and why you’re doing it, what the app you’re putting on their phone will do, what information you’ll know.”

Freed continued:

“Work through it together.”

Freed also suggested that parents could introduce only one type of digital monitoring at a time. For each additional capability—location tracking, social media monitoring, browser activity monitoring—Freed said parents should have a new conversation.

Parents that are curious about a parental monitoring app’s capabilities—including whether that app could violate privacy—should read the description available online through the App Store or the Google Play Store, said Sam Havron, another researcher and PhD student at the IPV tech lab.

“The best thing, or the closest thing, is to look at the developers’ descriptions on the marketplaces, look at the permission levels,” Havron said. He said parents could also download the app and try it out on a separate device before utilizing it on a child’s device.

Ellen Zavian, the parent of a 13-year-old boy and a member of the Tech and Safety Subcommittee for the Montgomery County Council of Parent-Teacher Associations in Maryland, suggested that parents look at the issue differently: Don’t focus so much on device software, focus on the device.

Instead of installing a screen-time-limiting app on a child’s device, or limiting what they see, or what apps they can use, remove the device entirely from the child’s room and don’t let them use it at night when they go to bed, Zavian said. Or maybe don’t let them own a device at all, which Zavian is pledging to do until her son starts eighth grade—a popular movement with parents called Wait Until 8th.

She also suggested only giving a child a Wi-Fi enabled device with no data plan, and then unplugging the home router to stop any Internet activity. Or parents could even prevent a child’s device from connecting to the home Internet, a setup that can be configured on most modern routers.

Zavian pressed on her point, making a comparison to another stressful moment in parenting—letting teenagers drive. She said there’s a difference between monitoring a teenager’s driving through apps and monitoring the teenager’s access to the car itself.

“When my friends were monitoring their kids with where they were driving to, my kids just wouldn’t have keys to the car,” Zavian said. “Why do you want to engage in that fight—you’ve got enough fights when they’re teenagers—where you say ‘I saw you went here,’ or ‘I saw you were speeding here.’”

Zavian suggested that parents remember there are always alternatives to using a parental monitoring app. In fact, those alternatives have existed for far longer, and she learned about them herself when learning to drive.

“Just like we did—you get into a car accident, you’re off the insurance,” Zavian said.

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.