AVG’s potential ability to collect and sell browser and search history data placed the company “squarely into the category of spyware”, according to Alexander Hanff security expert and chief executive of Think Privacy.
“Antivirus software runs on our devices with elevated privileges so it can detect and block malware, adware, spyware and other threats,” he told WIRED. “It is utterly unethical to [the] highest degree and a complete and total abuse of the trust we give our security software.” Hanff urged people using AVG’s free antivirus to “immediately uninstall the product and find an alternative”.
An AVG spokesperson told WIRED that in order to continue offering free security software the company may in the future “employ a variety of means, including subscription, ads and data models.”
“Those users who do not want us to use non-personal data in this way will be able to turn it off, without any decrease in the functionality our apps will provide,” the spokesperson added. “While AVG has not utilised data models to date, we may, in the future, provided that it is anonymous, non-personal data, and we are confident that our users have sufficient information and control to make an informed choice.”
According to Nigel Hawthorn, European spokesperson for cloud security firm Skyhigh Networks, AVG had stayed “just on the non-creepy side of creepy”. “If something is free you’ve got to assume that you’re the product,” he said. “The difficulty with this is whether anyone notices, reads it, checks it and understands the implications”.
“It appears that AVG is adopting a generous interpretation of the data protection rules in order to justify its data use policy,” Lynskey argued. “Although some of the data they classify as ‘non-personal’ might not identify individuals directly, they may be indirectly identifiable based on that data.”
An AVG spokesperson explained that any non-personal data it collected and potentially sold to advertisers would be cleaned and anonymised, making it impossible to link it back to individual users. “Many companies do this type of collection every day and do not tell their users,” the spokesperson said.