Parental control apps are marketed as digital guardians — tools offering parents peace of mind by shielding kids from online dangers. But under the hood, many of these tools function more like spyware: harvesting extremely sensitive information and quietly feeding it into the machinery of the surveillance economy. This isn't a 1980s scare story. It's how many of these apps are actually built to work. Many user agreements openly admit to sharing your personal information with third parties. Others insist they don't — until investigations reveal they've been doing it all along.
01 What They Actually Track
Most parental monitoring apps go far beyond basic screen time limits. Here's a representative sample of what many of them quietly collect:
- Real-time GPS location, updated as frequently as every few seconds
- Complete SMS and in-app message logs, including deleted messages
- Call history and full contact lists
- Web browsing history and search queries
- Photos and videos stored on the device
- Social media activity, including screenshots of Instagram, Snapchat, TikTok, and other apps
- Microphone and camera access in some cases, marketed as "emergency tools"
This is the kind of invasive data extraction that would be considered unacceptable in almost any other context. Because it operates under the label of "parental control," it gets a free pass.
Kids' apps aren't just "cute games." They're often miniature data pipelines — and the parental control apps watching the pipeline are often part of it.
Academic research confirms the scale. A study analyzing over 20,000 children's apps on Google Play found that 81% of "Family" category apps embedded trackers not permitted under children's app guidelines, with nearly 5% still requesting location permissions in violation of platform rules — exactly the signals that enable behavioral profiling. Maier, Tanczer & Klausner, arXiv 2025 ↗
02 Where the Data Goes
Here's where it gets darker. Many of these apps don't just collect data and keep it between parent and child. They store it on corporate servers — and that data becomes a monetizable asset. Most parents, tech-savvy or not, forget or don't fully register that the information pulled from their child's device isn't sitting on their own phone. It's first transmitted to a server — maybe in Minneapolis, maybe in Belarus. The security and privacy of your child's most sensitive information is directly proportional to the competence and integrity of whoever is running that infrastructure.
In December 2021, The Markup reported that Life360 — one of the most downloaded family tracking apps in the world, with 33 million users at the time — was selling precise location data to approximately a dozen data brokers. Those brokers then resold it to advertisers, insurance companies, and other buyers. A former engineer at one of those brokers described Life360's data feed as among the most valuable they received, due to its volume and precision. Life360 later scaled back most of its data broker deals following the investigation and subsequent regulatory attention, but continued selling data in aggregated and other forms. The Markup, December 2021 ↗
Bark, a widely praised app known for its AI-based alerts about bullying and self-harm, openly acknowledges in its privacy policy that it may share personal information with "third-party service providers and business partners." Bark's approach is more transparent than most — but the disclosure is still there.
Then there's mSpy, a monitoring app frequently installed without the child's knowledge. In September 2018, security researcher Nitish Shah discovered that mSpy had left an unauthenticated database publicly accessible on the web, exposing millions of records — including passwords, call logs, text messages, contacts, location data, iCloud usernames, and authentication tokens collected from monitored devices. This was mSpy's second major security incident; the first came in 2015, when the company was hacked and customer data was posted to the dark web. mSpy initially denied both incidents before acknowledging them. Krebs on Security, September 2018 ↗
03 The Data Is Forever
Parents often assume they're the only ones who will ever see this information. But the minute data hits a third-party server, it is at risk of:
- Being sold to data brokers or advertisers
- Exposure in a data breach
- Access by employees, contractors, or foreign governments operating the servers
- Use in building behavioral profiles for future advertising or insurance risk scoring
- Exploitation by stalkers or domestic abusers — researchers have specifically flagged parental control apps as tools of intimate partner surveillance
"Hitting delete is like shaking your phone to get your steps in for the day. It may make you feel better, but you really didn't do anything."OccuNX — The Dispatch
The app and the company may retain your child's data for months or years after deletion. Your child's browsing history, location trail, messages, and photos become just another data point in the global trade of behavioral profiling — before they've applied for their first job, cast their first vote, or made their first significant mistake.
04 The Terrifying Irony
Parents install these apps to protect their children from strangers online. The app itself behaves like a stranger watching from the shadows. The home becomes a testing ground for normalized surveillance — and the normalization runs deep, because we're not just accepting it. We're paying for it, enabling it, and calling it good parenting.
Research on sideloaded versus app-store parental control apps found that sideloaded tools — the ones marketed as "undetectable" and available only through unofficial channels — consistently showed worse privacy behavior: missing privacy policies, unencrypted data transmission, call interception, remote screenshot capture, and hidden icon functionality. Researchers explicitly categorize these tools as stalkerware and warn they are actively being used in domestic abuse scenarios. Maier, Tanczer & Klausner, arXiv 2025 ↗
05 So What Do You Actually Do?
The answer isn't "find a slightly nicer spy." It's to rethink the whole setup. The goal isn't finding the perfect app. It's:
- Less spying
- More guardrails
- More honest conversations
If an app has to be sideloaded from a random website instead of an official app store, hides itself from your child, offers call recording or remote screenshots, or advertises itself as "undetectable" — that is not parental control software. That is stalkerware. Researchers are explicit about this categorization.
Delete it. Then tell your kid you deleted it. The repair starts there.
Before handing your family's data to a random startup, squeeze what's already on the device:
- Apple Screen Time(iOS/iPadOS) — downtime schedules, app limits, content ratings, communication limits
- Google Family Link(Android/Chromebook) — supervised accounts, app install approval, bedtime settings, basic browsing limits
- Console controls(Xbox, PlayStation, Nintendo Switch) — built-in family profiles, content filters, purchase approval
You're still feeding data to Apple or Google. Go into settings and disable anything labeled "personalized ads," "product improvements," or "share diagnostics." But you're at least dealing with large, regulated companies that have compliance obligations — not an unknown startup with a server somewhere you'll never see.
If your real concern is exposure to porn, gambling, or dangerous sites — not reading your kid's DMs — you don't need a surveillance app at all. Change your router's DNS settings once, and every device on your home network gets the same baseline filtering:
- CleanBrowsing DNS Family Filter — free, blocks adult content, enforces SafeSearch on major platforms. Privacy-focused.
- OpenDNS FamilyShield — free, Cisco-backed, blocks adult sites and malicious domains network-wide
No per-child profile. No "let us read every message" tradeoff. One router setting.
Sometimes the situation genuinely warrants more monitoring — self-harm risk, exploitation concerns, court-ordered oversight. If you end up using a third-party app, treat it as a temporary medical device, not the new normal. These are non-negotiables:
- Official app stores only. Sideloaded apps consistently fail basic privacy tests.
- No stealth or hidden-icon mode, ever. If it hides from your kid, it's stalkerware by definition.
- A clear, readable privacy policy that answers: what do they collect, who do they share it with, and can you delete it on request? If you can't answer all three, walk away. Mozilla's Privacy Not Included guide shows you exactly how to read these.
- No revenue model built on your data. If the service is free and doesn't charge parents, the data is the product.
- Minimal features: time limits, app blocking, basic web filtering. Hard pass on keylogging, message interception, microphone access, or full screenshot capture.
If you end up with a mainstream name like Bark or Qustodio, treat it as "least bad with guardrails" — not safe by default — and lock down every privacy setting you can reach.
The one tool that doesn't show up in app stores: sit down and write a Family Tech Agreement together. Cover when and where phones are used, what apps are allowed, what happens if something goes wrong — bullying, unwanted contact, explicit content — and when a parent might look at their device and how that conversation will happen.
Common Sense Media has age-based templates. That doesn't make predators or algorithms disappear. But it does something no app can: it tells your kid that you're on their side, not secretly listening at the digital keyhole.
06 Red Flag Checklist: Delete It If…
- Has no privacy policy, or one that is clearly copied from a generic template
- Is only available by sideloading from a non-official source
- Offers hidden or stealth mode as a headline feature
- Intercepts calls, records audio, or captures all messages
- Cannot clearly explain how to permanently delete your child's data
- Has a documented history of data breaches with no verifiable remediation
At that point, it's not protecting your child. It's making them a product.
07 The Bottom Line
- Remove any covert or sideloaded monitoring apps from your child's device
- Start with built-in tools: Apple Screen Time, Google Family Link, console controls
- Use network-level DNS filtering for content blocking — no surveillance required
- If extra monitoring is genuinely necessary, apply the non-negotiables above and treat it as temporary
- Replace silent tracking with direct conversations — that's the actual safety upgrade
- Maier, Eva-Maria, Leonie Maria Tanczer, and Lukas Daniel Klausner. "Surveillance Disguised as Protection: A Comparative Analysis of Sideloaded and In-Store Parental Control Apps." arXiv, April 2025. arxiv.org/abs/2504.16087
- Keegan, Jon, and Alfred Ng. "The Popular Family Safety App Life360 Is Selling Precise Location Data on Its Tens of Millions of Users." The Markup, December 6, 2021. themarkup.org ↗
- Krebs, Brian. "For 2nd Time in 3 Years, Mobile Spyware Maker mSpy Leaks Millions of Sensitive Records." Krebs on Security, September 2018. krebsonsecurity.com ↗