One week until AVG flogs your web browsing and search history...

If you're one of the many users of AVG's free anti-virus product you're hopefully aware that, from 15 October 2015, the company will be able to sell your web browsing and search history to third-party advertising companies.

At the time of writing that's just over a week away. Consider yourself warned.

AVG's new privacy policy says that it collects "non-personal data" from users of its free products:

We collect non-personal data to make money from our free offerings so we can keep them free, including:

  • Advertising ID associated with your device;
  • Browsing and search history, including meta data;
  • Internet service provider or mobile network you use to connect to our products; and
  • Information regarding other applications you may have on your device and how they are used.

Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information. We may also aggregate and/or anonymize personal data we collect about you.

But let's not kid ourselves. Advertisers aren't interested in data which can't help them target you. If they really didn't feel it could help them identify potential customers then the data wouldn't have any value, and they wouldn't be interested in paying AVG to access it.

Furthermore, it's surprising just how much you can learn about someone from their browsing and searching history, even if attempts have been made to anonymise it.

As Kurt Opsahl of the EFF (Electronic Freedom Foundation) presented in January 2014, it's staggering just how much can be inferred from metadata.

AVG says that you will be able to turn off the information-sharing if you don't approve. But, of course, they're relying on users not doing that. It's the same method many other technology companies have used over the years to get their users to accept changes - if they're unlikely to opt in to something, require them to opt out.

I'm not against the idea of AVG earning some revenue from its hard work and the cost of delivering a free anti-virus to millions of people around the world. I just dislike the idea of users unwittingly accepting a change to their privacy, without making an informed decision.

Wouldn't it be better if AVG made *new* users of their free product consent to sharing of their internet activity to advertising companies, and gave existing users the *option* of joining in with the data-sharing if they liked the idea?

If you dislike security companies selling your data up the river like this (maybe others are doing something similar, and it's not just AVG) then your best bet may be to buy your anti-virus rather than use a freebie.

After all, at least then they have a reason to treat you with respect, because if they lose your favour you can hurt them in the wallet.

20 Responses

  1. Tom

    October 7, 2015 at 7:03 pm #

    You prompted me to check the terms of Avira. Seems like they're already storing user search data and much more:

    "When you log in and access your Account or our products, we may automatically collect and store certain information such as the details of how you use our products, what kind of search queries you conduct, where your computer is routing from, your browser type and version, and Cookies that may identify your browser and/or account. By reviewing and accepting this privacy policy, you understand and agree that we may combine non-PII or pseudonymized data obtained via our proprietary soft authentication systems with PII obtained when you sign up for an Avira account. We do not share this combined data with third parties."

    Premium anti-virus software doesn't necessarily mean improved privacy, however. McAfee collects:

    "Details about Internet or network usage (including URLs or domain names of websites you visit, information about applications that attempt to access your network, or traffic data)….We may share personal information with…Third parties with your consent. For example, co-marketing with a business partner or sharing limited information as necessary with researchers and analysts."

    Norton collects: "Information about your computer or device, including browser type and settings, IP address and traffic data relating to your Internet connection…..we may, in compliance with applicable consent requirements, use Your Information to provide you with advertisements, promotions and information about products and services tailored to you and your needs. This may include using demographic data or trend data provided by third parties, where permitted."

    With all this cross-referencing of 'trend data' and supposedly anonymous statistics, the most private solution must be to, as you say, diligently opt out and re-check privacy terms regularly.

    • HacKan in reply to Tom.

      October 8, 2015 at 1:01 pm #

      You, Sir, require a medal!
      Many AV vendors are doing this… Perhaps Graham could enlighten us by reviewing the T&C of *all* the vendors, that would be so duck*ng awesome :D

  2. Techno

    October 8, 2015 at 7:11 am #

    I stopped using all of those commercial anti-virus products years ago, changed to Microsoft Security Essentials. I don't know what data it gathers (especially in light of recent revelations about Windows 10) but it's completely free and Microsoft, as a major operating system vendor with a reputation to protect, has much more of an incentive to keep the nasties off my hard drive than these little security companies.

    • Chris in reply to Techno.

      October 8, 2015 at 10:51 am #

      I also use MSE a lot but I don't think it's all that good as an AV. I think its value really comes from when it is used in conjunction with safe browsing habits, local admin disabled, discrete passwords between sites that are tough to guess, OS and plugins updated regularly and all those other good security practices.

      That said I think 'little security companies' is a bit condescending towards a multi-billion dollar industry. There are some very good AV products out there which complement good security practices and are especially valuable for people who need more help i.e. less technically-savvy users or those who need some assurances from the vendor (and are willing to pay for it).

      I'm willing to bet those companies whose entire model is built around keeping endpoints clean care a lot more about the performance of their single product line than M$ does about a 'free' AV plugin that is intangible when it comes to their profit margins…

      • Techno in reply to Chris.

        October 8, 2015 at 5:58 pm #

        I am only condescending towards the small companies because of poor experiences over the years. Gave up on McAfee and changed to AVG, then had to give up on AVG years ago because it caused my computer to freeze up, that is why I was forced to look for another vendor and somebody recommended MSE.

        They had their chance as far as I'm concerned.

  3. Kevin

    October 8, 2015 at 10:21 am #

    Thanks once again Graham, I have just uninstalled AVG from my android phone….

  4. Dobbins

    October 8, 2015 at 12:57 pm #

    AVG removed weeks ago now rely on Bitdefender

  5. Dave

    October 8, 2015 at 1:43 pm #

    Thanks for the heads up, Graham.

    You mention that it is possible to opt out. I've had a look at the application on my machine (AVG version 2015.0.6140) and the only settings that look like they might allow this are in the "Privacy Preferences" screen (Options/Advanced Settings/Privacy Preferences) where there are options for participation in the "product improvement program", "in-cloud verification of threats" and "AVG Personalization".

    Are these the options to which you are referring, or is the opt-out switch elsewhere?

    • Graham Cluley in reply to Dave.

      October 8, 2015 at 2:31 pm #

      Hi Dave

      An AVG spokesperson is quoted in this Wired report saying that customers will be able to turn off the data collection if they wish. http://www.wired.co.uk/news/archive/2015-09/17/avg-privacy-policy-browser-search-data

      But no details are given as to how that would be done. I can't imagine that it would be hidden under options such as "Product improvement program", "in-cloud verification of threats" or "AVG Personalization".

      I guess the best people to ask are AVG's support team… after all, that's what you pay them for, right?

      Oh… ummm.. well, maybe you don't pay them – seeing as we're talking about AVG's free product.

      Anyroad, the new privacy policy doesn't roll in for another week and the Wired article also quotes the spokesperson as saying that AVG doesn't collect your data in this way presently. Presumably, when the data-slurping "functionality" comes along users will have an option of disabling it (although most won't be aware of the option or won't bother)

      If anyone is concerned about the possibility of having their web browser and search history data harvested then the ultimate opt-out is, of course, to dump the free version of AVG and switch to another product. That may mean paying AVG or choosing a different vendor entirely. Of course, make sure to determine what they might be planning to do (if anything) with data you may prefer to remain private.

      As other commenters have suggested, other vendors may be up to similar shenanigans – so users please be sure to read the small print!

  6. Norbert (Bob) Gostischa

    October 8, 2015 at 1:51 pm #

    If you're on the internet, your data has been gathered, stored, shared, sold and occasionally looked at by the NSA and/or some other Government agencies.
    Now, because AVG made their terms clearer, everyone seems to think that their activity will become common knowledge. Get real, all this information is already available. Google, Microsoft, Apple, your ISP, etc have been doing this for a very long time.
    This isn't new. This isn't groundbreaking. This is a fact of life. If you don't want it known, don't do it on the internet or any place else where it can be recorded and subsequently shared.
    Does anyone really think that a free Antivirus or Anti anything company survives and grows on charity? They aren't a not for profit business. It's nice to be altruistic but if you expect to pay your bills, you need to be realistic. There is also the option to opt out and not share any of this anonymous information.

    • coyote in reply to Norbert (Bob) Gostischa.

      October 8, 2015 at 9:52 pm #

      Ironically you say it is all available and then you end by:
      "There is also the option to opt out and not share any of this anonymous information."

      But you're missing the entire point. Whether your information is out there or not is irrelevant to the discussion; what is relevant is that now AVG will be doing something with it *too*. Security involves awareness and while you can't make someone aware they are unaware (unless you actually know them personally and tell them so), some will want to be aware but aren't.

      Lastly, your suggestion that don't [do whatever] on the Internet or any place else where it can be recorded and shared is utterly absurd and ignorant of how things work in this world. Besides the fact not everything can be done off the Internet, surveillance on the Internet is only one of a long series of different ways your information can be gathered/abused. Espionage is as old as mankind (even before: do you think animals don't watch others before they strike? Of course they do) and there is a reason that Julius Caesar used a rudimentary form of encryption. Sorry but there is no way to evade spying save for perhaps living on in a very remote place completely isolated from society (if not in an unknown location). That or a Shangri-law of some kind.

      Oh, and by the way: https://www.grahamcluley.com/nsa-unbreakable-codes/

      • Norbert (Bob) Gostischa in reply to coyote.

        October 9, 2015 at 1:16 pm #

        You seem to miss the point. There is no privacy on the internet. There hasn't been for a very long time. No company can survive without revenue. Nothing in life is truly free. The opt out is an option AVG makes available. You need to take the initiative.

  7. Spryte

    October 8, 2015 at 2:58 pm #

    Snip>>>
    all this information is already available
    <<<Snip

    Let's not forget browsers, office products, texting apps, chats, absolutely ***anything*** on your smartphone, etc.

    In this age where it is so easy to log anything, everything is logged for possible future use.

  8. Rachel

    October 8, 2015 at 3:15 pm #

    Thanks for this. I guess users shouldn't complain much since it's free, but too bad most users won't know how to turn this function off or even know it's happening.

  9. Pete

    October 8, 2015 at 9:30 pm #

    Nothing is free. That's a requirement of the laws of thermodynamics, which supersede phony political laws. No one is exempt, least of all companies or organizations, all of which require some kind of revenue stream in order to continue to exist.

    That's even true of so-called "non-profit" entities, wherein "non-profit" is code for those who quibble about semantics while taking money from whomever will give it to them…often without providing anything except feel-good points in return.

    That speaks directly to Graham's point about paying for your AV software. If the provider depends on your voluntary payment, they know that you can always take your business elsewhere (…although, you still have to read the user agreement, as noted in some posts above).

    The only questions about allegedly "free" deals (and that includes Google, Facebag, …etc.) are:
    1. Do you know that it costs you something?
    2. Do you know what that cost is?
    3. Do you actually care?

    As far as I can tell, for the vast majority of web users (especially people whose lives revolve around social networking), the answer to all three questions is "No."

    My take is that educating the public to act responsibly and intelligently in matters of privacy and security is no different from educating the public on any other subject. You can't tell them unless they're already asking. They learn by custom and social pressure, not rationality.

    Only people who already want to learn are educable. If you're reading this, you're probably one of them. But you're in the minority.

  10. coyote

    October 8, 2015 at 10:02 pm #

    To those who suggest nothing is free, I invite you to think more thoroughly (really think!): What do they mean by free? More specifically, what is it free from/of? The fact of the matter is, when you download free software (or let's say FOSS – free open source software) the free refers to cost (as in currency). That doesn't mean you don't have to deal with the way the software works (bugs causing you to spend extra time for instance), and it doesn't mean you don't have to update it or enable some options and disable other options. It means you don't have to pay the developer money for the software.

    So yes there most certainly are things that are free. Free of cost. It doesn't mean they don't make money from some other method but they do not however charge you for using the software. They might make money from advertisement (for example) but you did not personally take money from your bank account in order to pay for the software. Therefore, it is free. That's what they mean. Context changes everything – this is a simple matter of understanding language (and communication more generally). This is why quoting people out of context is so problematic. It changes the meaning and it makes manipulating the words so much easier (the media and politicians abuse this a lot and this is why I bring up thinking more thoroughly: if you don’t understand this you’re easier to manipulate).

  11. daniel

    October 9, 2015 at 4:22 pm #

    I am a software developer and I am building a product that I am going to give away free when it is done that will make it nearly impossible for any advertising company to collect meaningful web browsing data from personal PCs. (the idea doesn't work as well on phones, but it does work on phones a little.)
    My issue is that since this is a multi-billion dollar business I might make a few people upset that they are no longer able to trade in the privacy of others, so I am wondering how to release it.

  12. Chris Pugson

    October 11, 2015 at 3:10 pm #

    AVG is right now rolling out its 2016 software. Having read this heads-up by Graham, I am resolved to remain with AVG 2015 free AV.

  13. Nik Rowland

    February 2, 2016 at 2:08 pm #

    What would be really good is being shown how to opt out of this data collection.
    They (AVG) appear to say that it is possible.

  14. Nik Rowland

    February 2, 2016 at 2:16 pm #

    Me again.

    http://www.avg.com/gb-en/privacy-preferences

    "How do I choose not to participate?
    AVG does NOT currently share any non-personal data collected from any of our apps.
    If we begin to share non-personal data collected from our FREE apps, you will be able
    to choose whether you participate in the app itself by setting your own sharing preferences.
    If there is no option available, then you can be sure that we are not sharing any
    non-personal data with third parties.

    We will update this page and provide you with clear instructions on how to set your
    privacy preferences before any sharing begins."
