One of the world’s biggest antivirus companies has exposed a potentially common, industry-wide ability to harvest your private data.
A privacy advocate told The New Daily this was a “very alarming” development.
“It’s actually closer to the operation of malware,” Australian Privacy Foundation vice chair David Vaile said.
“It’s actually very alarming that AVG, which is supposedly a provider of security and privacy protection tools, [could be] in that business.
“What you’ve got is a potential ambiguity or confusion between the traditional idea that security or antivirus software is on your side.”
But without the company’s voluntarily simplified policy, computer users might still be ignorant as to how other antivirus software can glean and make money from their private data.
A potentially widespread problem
AVG claimed it was helping its clients by making its policy clearer.
“At AVG, we value our customers and believe they should know exactly how their information is being used by us,” AVG Technologies chief legal officer Harvey Anderson said in a statement.
Another AVG spokesperson told Wired UK that “many” other companies collect data in the same way “every day and do not tell their users”.
Free antivirus software, available for both Windows and Mac operating systems, is intended to block harmful programs that might damage a computer or steal the user’s information. Because it is free, providers of antivirus software need a way to monetise their product. Data harvesting could be one way of doing it.
An academic told The New Daily such “unethical” privacy intrusions were probably widespread across free-of-charge antivirus products.
“From the feelings I get from people in industry, including ex-students, this is probably not that rare, especially when you get something for free,” RMIT security and encryption researcher Associate Professor Serdar Boztas said.
“Of course, it’s unethical practices, but I don’t think it’s rare at all.”
Anonymising is little protection
AVG does not currently sell the browser history data gleaned from users, but has confirmed it might in future.
A company spokesperson claimed it would anonymise the data — a process designed to strip away any identifying information that could be used to expose the name of the user — before selling it to advertisers.
“While AVG has not utilised data models to date, we may, in the future, provided that it is anonymous, non-personal data,” the spokesperson told Wired UK.
A privacy advocate warned this might not be sufficient protection.
“As you get the proliferation of big data tools with massive tracking and also other data sets, publicly or surreptitiously available, identifiability goes up and up and up,” Australian Privacy Foundation’s David Vaile said.
“What’s sufficiently de-identified today in six months’ time may easily be cracked.
“So the presumption should be that almost any form of technical data, if you provide it at a unit level rather than statistical aggregates, is going to be identifiable at some stage pretty quickly.”
A losing battle
While such privacy intrusions, if they occur, may be “unethical”, worrying about them may be fruitless, an academic told The New Daily.
“With Google around, I’m not sure how much we can keep private,” RMIT’s Associate Professor Serdar Boztas said.
“A lot of the battle for this kind of stuff has been lost.
“I guess the only way these days to be 100 per cent private is, don’t use the internet, don’t use a mobile phone. Go off the grid, as they say, which I don’t know how many people are willing to do.”