
Your Antivirus Knows All About You

AVG Security updated its privacy policy to make things clearer. Instead, a misinterpretation of the new policy set off a firestorm.

By Neil J. Rubenking
October 6, 2015

Your antivirus knows a heck of a lot about you. It knows what programs you run, because it has to make sure they're legit. It knows the websites you visit, and steers you away from frauds and dangers. In addition, the antivirus company may learn a lot about you as you interact with sales, support, and so on. But that's fine, right? Well, a recent attempt by free antivirus giant AVG to clarify its privacy policy caused quite a fuss.

Wired reported on the new policy using the headline "AVG can sell your browsing and search history to advertisers." As it turns out, that inflammatory headline wasn't accurate. A little digging convinced me that AVG's policy isn't much different from that of its competitors—it's just spelled out more clearly. I checked the policy for several other free antivirus tools, and also for Wired's website.

Can You Understand Me?
For starters, I looked at the word count and readability of the policies. A policy that's too long to read or too confusing to understand doesn't help anyone.

AVG's was shortest, about 2,100 words. The privacy policy for Lavasoft, publisher of Ad-Aware Free Antivirus+, came in at about 2,500 words; Wired's was about the same. To understand the privacy policy for users of Avira Antivirus, you'll have to wade through over 4,000 words. The big winner here (if winner is the correct word) is the policy for Avast Free Antivirus, with around 9,200 words.

Length isn't the only factor, so I put each policy through a collection of readability tests. The Flesch-Kincaid Reading Ease metric assigns each document a rating from 0 to 100, with higher numbers indicating easier reading. Avast, AVG, and Avira all scored in the 40s, while Ad-Aware and Wired both scored 29. By comparison, my latest review is about 3,500 words long and scored 60 on this same scale.

Other tests rate documents on the education level required to comprehend them. Avast, AVG, and Avira all scored at or a bit above 12, meaning a high-school graduate should be able to comprehend them. In order to comprehend the policies offered by Ad-Aware and Wired, you'd need a college degree. Oh, and that review of mine? It should be fine for high-school freshmen and up. I strive for clarity!

Different Policies
All of the policies spend a great deal of verbiage on distinguishing personally identifiable information (PII) from anonymous data. All of the policies state that the company can share anonymous data with third parties. And all of the policies explain that PII may be shared within the company, as necessary, but that strict safeguards are in place to prevent misuse. All warn that if you click a link leading to another site, you're subject to that site's policy.

Avast is free, like the rest, but you must register in order to use it for more than 30 days. If you choose to register using Facebook, you may get a little surprise. Unless you opt out, Avast can post statements like, "I just installed Avast Antivirus for free. I really like it. If you want the best protection, download Avast like I did" on your Facebook wall. This policy does state very clearly that "We will not use this information for direct marketing purposes unless you 'opt in' to receive such communications."

I found a little surprise in the description of Avast's popular free Android app. This app includes an SDK that's used by third-party advertisers, and these advertisers do receive minor PII data including your age, gender, and other apps installed on your device. Hmm.

Avira's privacy policy clearly states that the company will gather PII including your name, address, phone number, and more. It further states the company won't share that data with third parties "in a manner inconsistent with this privacy policy or privacy laws (which may require you to provide express consent)." Later it does say that Avira "will not share any PII or non-pseudynomized data we collected with any third parties."

The Avira policy says, "We believe more relevant advertising provides a better Internet experience. This is also how we support our business while still providing certain products or services to you free of charge." AVG's policy says, "We collect non-personal data to make money from our free offerings so we can keep them free." Same statement, but clearer.

Lavasoft's policy for Ad-Aware makes a couple of points I hadn't seen elsewhere. If you post something publicly in a forum, that's public, not private, and the company has no obligation to protect that data. Also, your data passes through Lavasoft's service providers, which "have no rights whatsoever to use any such Personal Information in any way other than for the purpose for which it was received by Lavasoft." Like the rest, Lavasoft reserves the right to share non-personal aggregate data with third parties.

AVG and Wired
So, where did the author of the Wired article get the idea that "AVG can sell your browsing and search history to advertisers"? As far as I can tell, AVG may have been too cautious. The AVG policy says, "If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information." That's something that could happen to any of the vendors. The others just don't mention the possibility of personal data showing up in the anonymized browsing history. But by mentioning it, AVG got flak. One statement from the AVG policy that's plenty clear is this: "We do not sell or rent your personal data to third parties."

Given that the Wired article stirred up this privacy brouhaha, I thought it only fair to take a look at the privacy policy on wired.com. The authors of this policy seem to love the phrase, "including without limitation." Paragraph after paragraph details data gathered by the site and its servers. And how about this: "we may sell or share information about you…including without limitation your Registration Information and other personally identifiable information, with our parent, subsidiaries, and affiliates and with carefully selected companies who we think may offer services…of interest to you." Without limitation, indeed!

Of all the policies I looked at, Wired's claimed the most rights to gather your information and do whatever they want with it. And don't try to limit the site's activity using your browser's Do Not Track settings. As the policy says, "we do not currently support any browser based Do Not Track (DNT) settings or participate in any DNT frameworks." Oh, and in the event of a data breach, "we are not responsible for any loss of such information or the consequences thereof." Take a look at Wired's privacy policy yourself, and see if it makes you nervous.

Free Isn't Free
No security company in the world could survive solely by giving away free antivirus protection. There has to be some income, or the company will dry up and blow away. Yes, some vendors use the free version as a teaser and profit from upgrades, but those aren't the giants. AVG needs to monetize the anonymous data and telemetry received from its more than 200 million users; the same is true of Avast, Avira, and other major publishers of free security products.

It would be suicide for a security company to actually misuse private data. I can't see it happening. But if you're at all worried, dig in and read your own antivirus's privacy policy. Just make sure you have a college graduate handy to interpret the complex language.


About Neil J. Rubenking

Lead Analyst for Security

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
