Data Protection or Virus Protection?
Comprehensive protection requires comprehensive access
All manufacturers of security packages essentially promote their products among prospective consumers with slogans such as "protect your data and privacy" or "protect your identity". Given the current online threat scenario, Internet Security suites have evolved from pure virus protection with firewalls to complete protection solutions. It's no longer simply about defending computers and data against malware attacks and hacker threats. In the crosshairs of a wide range of attackers are also online accounts and social media profiles administered via PCs, tablets and smartphones, which need to be safeguarded against phishing attempts. What's more, advertising firms are pursuing Internet users ever more aggressively via tracking software, which secretly spies on surfing and user behavior as well as device configuration and other sensitive data (PUA).
That's why a good security application these days has to not only defend against threats but also prevent the unwanted outflow of sensitive data. In order to fulfill all these functions, security software requires comprehensive access to the system being protected – and thus to the personal data of its users. In light of the palpable threat, users likewise have no other option than to allow far-reaching insights into systems and stored data, putting their faith in the pledge of software companies to protect them. However, this should only occur under the assumption that these access rights will be used solely to detect and thwart possible threats.
More than 50 percent do not care about general terms and conditions
26 security programs evaluated
In an elaborate analysis, the AV-TEST Institute evaluated the English-language privacy policies of 26 antivirus programs, thus providing a comprehensive market overview. In reality, only 24 privacy policies were evaluated, as two of the security packages did not include any policy whatsoever, neither on the manufacturers' websites nor during installation of the programs.
• the type of data to which manufacturers assert a blanket legal claim,
• which rights they proclaim for the use of data,
• which rights they extend to their users, for example, in preventing, restricting or being informing about the collection of data.
In sifting through the many pages of legal statements, the privacy experts distinguished between the types of data collected. Providers demand access to data on the users themselves, for example, the usage behavior on the device being protected, as well as on the device itself. This angle explicitly examines the rights presumed by manufacturers for storing and using data. Determining whether this data is actually collected was not a substantive aim of this examination. These and other questions now require clarification in the following discussions with manufacturers.
Far more data collected than necessary
In most cases, the nature of the data collected on users themselves includes the name, email address and buying or payment details, for example. Also of interest for manufacturers are additional contact details, including telephone numbers. These details are surely of interest in order to introduce additional products to the user, but they are hardly necessary for using the programs. Among other things, this proves it is not a given that this data is collected by all manufacturers.
Sexual preferences and fingerprints collected
Many providers, however, overshoot the mark by far: In examinations conducted by AV-TEST, manufacturers even allowed themselves access to biometric data stored on the user computer. Upon evaluating the programs, testers were at a loss to see why an antivirus program requires digital fingerprints. How information on the user's gender, occupation, as well as race and sexual orientation are intended to help in hunting down malware is probably difficult to explain, even for the resourceful marketing experts of manufacturers seeking access to this information.
Users under observation
Also in terms of recording user behavior, manufacturers tend to generously help themselves to data: 15 out of 24 manufacturers require access to the browser history of their users. Six want access to their search queries. Five providers reserve the right to sift through emails. No less than two reserve the right to full access to the personal address book. Furthermore, antivirus manufacturers are interested in social media data of their customers, including account data, as well as postings. One manufacturer even claimed the right to publish entries on behalf of users. Some also want to be involved in chat sessions, or even have access to the chat history.
Full device control
The easiest explanation for the massive data collection by manufacturers surely involves the information on the device to be protected and the applications running on that device. After all, this is precisely the area in which malware programs, disguised as normal applications, should be prevented from wreaking their havoc. That is why the collection of basic data such as IP address, device ID, operating system and installed software appear plausible, even if by far not all manufacturers demand access to such device facts in their privacy policies. The detection of GPS coordinates (5 out of 24 manufacturers) as well as WLAN positioning (4 out of 24 manufacturers) can be explained by functions for locating lost or stolen devices. However, users should also be aware that they pay extra for this device protection with the traceability of their own movement patterns.
In 10 out of 24 privacy policies, manufacturers reserve the right to compile "user statistics". It is not clearly defined, however, which data is collected here, i.e. whether it involves the use of the security program itself, use of the device or the collection of entirely different data. In this area, as well as in many other points, the specifications of privacy policies of all manufacturers are extremely vague.
Data protection requires clear understanding and transparency
An additional readability test performed on the texts using proper analysis programs showed that many privacy policies were too complex. In other words: The policies were barely comprehensible for normal users. Long sentences and lots of technical terms make it even more difficult to understand what are already very long texts.
In addition, most manufacturers remain ambiguous in terms of important questions concerning the nature and duration of data storage. Where and how long is data stored? Is it encrypted, and if so, how? What data is disclosed to third parties, and what kind of partners of the manufacturers does this involve? Many manufacturers of security products failed to provide a satisfactory answer to all these questions in their privacy policies.
Less is more
Moreover, manufacturers of security programs that promise to protect the privacy of their users in cases where customer data is queried and stored can promote themselves through their own economy of data. On the one hand, the basic concept of data avoidance obviously goes hand in hand with the basic principle of the right to data protection. On the other hand, manufacturers could even promote the fact that they collect as few personal details as possible.
Less data, more protection
Most providers of security programs enjoy the trust of their customers and have substantial access to their systems and data. Anett Hoppe, IT Security Expert at AV-TEST, thinks they should honor this leap of faith through clear privacy policies:
Many users assume that antivirus software not only defends the security of the user, but also protects privacy. Is that true?
There have been no studies on this topic up to now. And we at AV-TEST do indeed receive regular inquiries by users who are confused concerning potentially suspicious emails or dubious functions of programs. By contrast, we receive inquiries into the handling of user data by the manufacturers of protection software and services mostly from companies and public agencies. Yet increasingly, some critical private users also ask who is attempting to do what with their data. In this light, the manufacturers of protection programs for consumers continue to benefit from their customers' vast leap of faith – which in some cases is unjustified, as our study indicates.
What data is recorded, and what happens to it?