AVG defends plans to flog user data as privacy row continues

Industry weighs in, reckons freemium's cool – but consumers won't be happy

Security software firm AVG has defended changes in its privacy policy, due to come into effect on Thursday (15 October), allowing it to collect and resell users’ anonymised web browsing and search history.

AVG argues that it has no immediate plans to monetise users’ browsing habits. However, independent security experts remain critical, arguing that the firm is putting user privacy and even trust in security firms more generally at risk.

AVG let users know beforehand that it may sell “non-personal” customer data to third-party advertisers in order to bankroll its freemium security software products. This non-personal data includes browsing and search history, advertising IDs, applications on a device and ISP used, as previously reported. The revised privacy policy is due to come into effect on 15 October.

AVG's senior security evangelist, Tony Anscombe, told El Reg that the revised privacy policy simply streamlines existing policies.

“We’ve published a simpler policy that even someone’s Mum can understand,” Anscombe explained. “There’s no change in the underlying policy.”

AVG is not selling data to advertisers – yet – but if and when it does so it will “cleanse” the data so users can’t be individually targeted, according to Anscombe.

The security software firm says it will not sell personal information such as names, emails, addresses, or payment card details, and will try to "anonymize the data we collect and store it in a manner that does not identify you."

However, effectively anonymising user data is a difficult task – especially in the era of big data, correlation and user behaviour. For example, researchers from Harvard University recently achieved a 100 per cent success rate in de-anonymising patients from their supposedly anonymised healthcare data in South Korea.

Furthermore, even if AVG can fully anonymise the data being sold to advertisers and affiliated brands, the issue remains that it’s uncomfortable (at best) for a security company to collect data on users before selling it off to third parties.

Industry reacts

Veteran security industry expert Graham Cluley warns AVG’s plans to “anonymise data” before selling it to advertisers are fraught with difficulties.

“Let's not kid ourselves, advertisers aren't interested in data which can't help them target you,” Cluley writes. “If they really didn't feel it could help them identify potential customers then the data wouldn't have any value, and they wouldn't be interested in paying AVG to access it.”

“Furthermore, it's surprising just how much you can learn about someone from their browsing and searching history, even if attempts have been made to anonymise it,” he added.

Examples abound in other fields of IT of security researchers being able to extract private information or at least clues on the identity of people covered by supposedly anonymised data sets.

Anscombe told El Reg that AVG was aware of this research and had factored it into its plans. “We’re keeping a close watch” on this area of research, Anscombe added.

AVG said users will be able to turn off the information-sharing if they don't approve. Anscombe said users would be offered a choice, adding that this would be through an opt-out process.

Trust

AVG has 200 million users, split among desktop and mobile versions of its security software.

Roy Katmor, chief exec of enSilo, a data-exfiltration prevention platform, said his biggest concern is that AVG’s plan risks undermining trust between users and vendors in general.

“The security industry has worked hard to build the necessary trust to best protect data,” Katmor explained. “While privacy does not equate security, they do tend to go hand-in-hand, and are sometimes even used interchangeably by those less educated in security. Now that the consumers may no longer trust that security vendors will keep their information private, I’m afraid that it will also lead to a breach in the overall trust towards security vendors that can keep networks secure.”

Selling data to third parties creates all manner of security concerns, according to Katmor.

“According to AVG, the company will not collect more data beyond what was collected for security purposes,” Katmor said. “However, as guardians of systems, AVG is certainly privy to user-sensitive data – from applications running on the computer to Web browser cookies and browsing history.”

“While it is assumed that AVG takes strong measures to secure the data it collects… that says nothing regarding the security measures placed by the third party buying AVG customers’ data,” he added.

Avast – another anti-virus big-hitter – recently announced plans to make use of anonymised user data to develop marketing analytics through a spin-off called Jumpshot. This is not quite the same thing as what AVG is doing – not least because it doesn’t involve third-party ad brokers – but it might still be seen as moving in the same direction of travel: monetising users’ data as a way of offsetting flat or declining anti-malware software sales.

If there's no backlash with AVG’s plan, other freebie anti-virus scanner firms might be tempted to follow.

“Let’s not kid ourselves – AVG rivals can do the same,” Katmor said. “I’m not aware, though, of any doing such activities. Given the public outcry, however, I think they’re now sitting on the side, waiting to see how AVG’s plans develop.”

Katmor concluded that AVG’s strategy – which he described as moving towards a security-advertising hybrid – is ultimately destined to fail.

“I believe they’ll run into marketing issues. [Any] security-advertising hybrids would have trouble marketing the same product to two separate, and many times clashing audiences. Making a security-advertising hybrid product goes the opposite direction of any logical marketing plan,” he concluded.

A bit of background

AVG was a pioneer of the freemium security software model, having begun offering anti-virus to consumers and non-profits at no charge as a taster around 15 years ago, hoping a good number of consumers would pay extra for additional features. Significant players in the market these days include Avira and Malwarebytes as well as AVG and Avast. In addition, Microsoft offers baseline security protection for various versions of Windows, a factor that may have eaten into the desktop market of specialist rivals.

However, Malwarebytes, at least, remains committed to the freemium model and reluctant to get into data brokering in any form, at least for now.

Marcin Kleczynski, chief exec of Malwarebytes, told El Reg: “The freemium model, where consumers can trust that their data is safe, is far more sustainable in the long term than the business of data collection and selling. We believe freemium is a very sustainable long term business model, especially at a time when data privacy is under the spotlight.”

“At a time when consumers are more aware of the data they're sharing with companies, ensuring the safety of this information is extremely important. This is not just from a business perspective – yes, the knowledge their data is safe will keep customers loyal, but the most important thing about data protection is the care an organisation takes for those using its services,” he added. ®
