AVG: we collect and sell browsing history of free antivirus users
Posted 16 September 2015 19:29 CEST by Jan Willem Aldershoff
The new privacy policy of antivirus vendor AVG caused uproar because it states the free version of the antivirus software will collect the browsing history of users and sell it to third parties. The privacy policy is only one page long and should be, according to AVG, an example to other software companies.
"We collect non-personal data to make money from our free offerings so we can keep them free, including: Advertising ID associated with your devices Browsing and search history, including meta data; Internet service provider or mobile network you use to connect to our products; and Information regarding other applications you may have on your device and how they are used.
"Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information. We may also aggregate and/or anonymize personal data we collect about you.
"For instance, although we would consider your precise location to be personal data if stored separately, if we combined the locations of our users into a data set that could only tell us how many users were located in a particular country, we would not consider this aggregated information to be personally identifiable."
The antivirus vendor calls for other companies to write similar short privacy policies but Reddit users question the contents of the new policy in which AVG states it collects non-personal user data to be able to continue to offer their software for free.
AVG writes, “While we cannot list out each and every type of non-personal data that we collect, we’ve tried below to give you a general understanding of what types of non-personal data we collect and examples to help you see what we mean.”
"Anti-virus software runs on our devices with elevated privileges so it can detect and block malware and other threats," he says. "It is wholly unacceptable for an anti-virus software vendor to abuse those privileges to build detailed browsing, location and search profiles. It places AVG squarely into the category of spyware - which is what they are supposed to stop not what they are supposed to be."
The company then provides a list in two parts on how it collects data about malware and threats and where and how the AVG software is used. In the second part the company also states it collects data on the user’s browsing and search history and information on applications on the device including how they are used.
AVG stresses that if it finds personal identifiable data, it will anonymise it. Users are concerned about that, as the data first reaches the AVG servers and is only anonymized if the AVG algorithms are good enough.
"AVG's definition of identifiable data does not match the official opinion of the Article 29 Working Party, which states that any data that can be used to single out an individual (such as a user ID, IP address or device fingerprint) is classed as identifiable information," he told Computing.
"Secondly, under Article 5(3) of the ePrivacy Directive, any company that collects data about individuals by accessing files on their device must obtain the informed consent of that individual. It is unlikely that a change to a privacy policy to which many users may never be exposed if they are already using the product would meet the necessary notice and consent requirements of many jurisdictions in the EU, and it would certainly seem to be incompatible with the upcoming GDPR [General Data Protection Regulation] soon to be finalised in Europe."
The antivirus vendor states in the privacy policy that users can opt out of the use or collection of certain data but the page where that should be possible only offers the option to unsubscribe from AVG newsletters.
