Czech Republic-based security software vendor AVG, producer of one of the world’s most popular anti-virus software suites, has come under fire over its privacy policy, which appears to allow it to sell users’ data to advertisers.
The policy, which AVG’s website says will come into effect in October 2015, has apparently been changed to explicitly allow the collection and sale of personal information relating to browsing history, searches, location and meta-data. Previous policies indicated that the firm only collected browsing data when a person used their web site, as well as information about any malware on the user’s machine.

The site does not offer a list of changes made to the policy other than to provide a link to PDFs of previous versions.
Under the heading “What do you collect that cannot identify me” AVG’s new policy states:
“We collect non-personal data to make money from our free offerings so we can keep them free, including: Advertising ID associated with your devices; Browsing and search history, including meta data; Internet service provider or mobile network you use to connect to our products; and Information regarding other applications you may have on your device and how they are used.
“Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information. We may also aggregate and/or anonymize personal data we collect about you.
“For instance, although we would consider your precise location to be personal data if stored separately, if we combined the locations of our users into a data set that could only tell us how many users were located in a particular country, we would not consider this aggregated information to be personally identifiable.”
The company says it will share “certain personal data” with affiliated partners, search providers and resellers. If, as the latest privacy policy seems to indicate, AVG has altered its terms to allow its anti-virus or other software to harvest user data from the machine on which it is installed, this has serious implications, says privacy campaigner Alexander Hanff.
“Anti-virus software runs on our devices with elevated privileges so it can detect and block malware and other threats,” he says. “It is wholly unacceptable for an anti-virus software vendor to abuse those privileges to build detailed browsing, location and search profiles. It places AVG squarely into the category of spyware – which is what they are supposed to stop, not what they are supposed to be.”
Hanff goes on to say that the terms of the policy may also put AVG in contravention of forthcoming EU data-protection legislation.
“AVG’s definition of identifiable data does not match the official opinion of the Article 29 Working Party, which states that any data that can be used to single out an individual (such as a user ID, IP address or device fingerprint) is classed as identifiable information,” he told Computing.
“Secondly, under Article 5(3) of the ePrivacy Directive, any company that collects data about individuals by accessing files on their device must obtain the informed consent of that individual.
“It is unlikely that a change to a privacy policy to which many users may never be exposed if they are already using the product would meet the necessary notice and consent requirements of many jurisdictions in the EU, and it would certainly seem to be incompatible with the upcoming GDPR [General Data Protection Regulation] soon to be finalised in Europe.”
Hanff goes on to mention possible antitrust issues, given that AVG actively blocks other companies who collect data to profile users’ behaviour for the purpose of selling it to advertisers. This could potentially be used to give the company a competitive advantage, he argues, urging users to uninstall the product.
Computing has asked AVG to clarify its new privacy policy and the changes it represents. We will publish its response when we receive it.
