Data Protection or Virus Protection?

As with any other software, the installation routine of a security application is preceded by the confirmation of general terms and conditions and a privacy policy. Only then can the software be installed and used. From that point on, the security pledge of the selected manufacturer goes into effect. According to a study published in 2014 by the Verbraucherzentrale Bundesverband (vzbv), the Federation of German Consumer Organizations, 53% of those surveyed agreed to general terms and conditions of a software program without even having read them. For software touting features that include the protection of personal data, the number of users clicking on the "accept" button without thinking twice really ought to be much higher. After all, users expect manufacturers to abide by their advertising claims, i.e. to protect their personal data.

26 security programs evaluated

In an elaborate analysis, the AV-TEST Institute evaluated the English-language privacy policies of 26 antivirus programs, thus providing a comprehensive market overview. In reality, only 24 privacy policies were evaluated, as two of the security packages did not include any policy whatsoever, neither on the manufacturers' websites nor during installation of the programs.

The study focused on the question as to what rights the suppliers of protection software presume vis-à-vis their customers in their privacy policy. In particular, the evaluation was made as to

 • the type of data to which manufacturers assert a blanket legal claim,

 • which rights they proclaim for the use of data,

 • which rights they extend to their users, for example, in preventing, restricting or being informing about the collection of data.

In sifting through the many pages of legal statements, the privacy experts distinguished between the types of data collected. Providers demand access to data on the users themselves, for example, the usage behavior on the device being protected, as well as on the device itself. This angle explicitly examines the rights presumed by manufacturers for storing and using data. Determining whether this data is actually collected was not a substantive aim of this examination. These and other questions now require clarification in the following discussions with manufacturers.

Far more data collected than necessary

In almost every privacy policy examined, the manufacturers presume a vast number of access rights to data that should not be necessary for using a security software application. Instead, according to manufacturers' statements, they serve the purpose of product optimization, the marketing of products of the manufacturers or partner companies. Because each of the providers examined reserves the right per privacy policy to disclose recorded data to third parties. 

In most cases, the nature of the data collected on users themselves includes the name, email address and buying or payment details, for example. Also of interest for manufacturers are additional contact details, including telephone numbers. These details are surely of interest in order to introduce additional products to the user, but they are hardly necessary for using the programs. Among other things, this proves it is not a given that this data is collected by all manufacturers. 

Sexual preferences and fingerprints collected

Many providers, however, overshoot the mark by far: In examinations conducted by AV-TEST, manufacturers even allowed themselves access to biometric data stored on the user computer. Upon evaluating the programs, testers were at a loss to see why an antivirus program requires digital fingerprints. How information on the user's gender, occupation, as well as race and sexual orientation are intended to help in hunting down malware is probably difficult to explain, even for the resourceful marketing experts of manufacturers seeking access to this information.

Users under observation

Also in terms of recording user behavior, manufacturers tend to generously help themselves to data: 15 out of 24 manufacturers require access to the browser history of their users. Six want access to their search queries. Five providers reserve the right to sift through emails. No less than two reserve the right to full access to the personal address book. Furthermore, antivirus manufacturers are interested in social media data of their customers, including account data, as well as postings. One manufacturer even claimed the right to publish entries on behalf of users. Some also want to be involved in chat sessions, or even have access to the chat history.

Full device control

The easiest explanation for the massive data collection by manufacturers surely involves the information on the device to be protected and the applications running on that device. After all, this is precisely the area in which malware programs, disguised as normal applications, should be prevented from wreaking their havoc. That is why the collection of basic data such as IP address, device ID, operating system and installed software appear plausible, even if by far not all manufacturers demand access to such device facts in their privacy policies. The detection of GPS coordinates (5 out of 24 manufacturers) as well as WLAN positioning (4 out of 24 manufacturers) can be explained by functions for locating lost or stolen devices. However, users should also be aware that they pay extra for this device protection with the traceability of their own movement patterns. 

In 10 out of 24 privacy policies, manufacturers reserve the right to compile "user statistics". It is not clearly defined, however, which data is collected here, i.e. whether it involves the use of the security program itself, use of the device or the collection of entirely different data. In this area, as well as in many other points, the specifications of privacy policies of all manufacturers are extremely vague.

Data protection requires clear understanding and transparency

The fact that hardly anyone reads general terms and conditions and privacy policies is not surprising. On the one hand, users are overwhelmed by the sheer volume of pages. In the course of this examination, an average privacy policy was 12 pages long. What's more, there is the appearance that manufacturers often do not want to be understood. 

An additional readability test performed on the texts using proper analysis programs showed that many privacy policies were too complex. In other words: The policies were barely comprehensible for normal users. Long sentences and lots of technical terms make it even more difficult to understand what are already very long texts.

In addition, most manufacturers remain ambiguous in terms of important questions concerning the nature and duration of data storage. Where and how long is data stored? Is it encrypted, and if so, how? What data is disclosed to third parties, and what kind of partners of the manufacturers does this involve? Many manufacturers of security products failed to provide a satisfactory answer to all these questions in their privacy policies.

Less is more

In general, a word of advice to manufacturers can only be to author privacy policies that are shorter and more understandable. This is something the US-based International Association of Privacy Professionals, or IAPP for short has been demanding for some time now. In Germany as well, the Federal Ministry of Justice and Consumer Protection weighed in on this issue last year during the scope of the National IT Summit. Since its presentation in November, the Ministry has offered an appropriate sample template for such a compact and easy-to-comprehend privacy policy on its website.

Moreover, manufacturers of security programs that promise to protect the privacy of their users in cases where customer data is queried and stored can promote themselves through their own economy of data. On the one hand, the basic concept of data avoidance obviously goes hand in hand with the basic principle of the right to data protection. On the other hand, manufacturers could even promote the fact that they collect as few personal details as possible.