Computer security firm AVG is coming under fire for its recently updated privacy policy. The new policy explicitly allows the retention of browser history and the ability to sell that information on to third parties. While the new policy doesn’t come into effect until the 15th of October, it has already caught the eye of privacy advocates.
Under the heading "What do you collect that cannot identify me?" the policy reads:
We collect non-personal data to make money from our free offerings so we can keep them free, including:
- Advertising ID associated with your device;
- Browsing and search history, including meta data;
- Internet service provider or mobile network you use to connect to our products; and
- Information regarding other applications you may have on your device and how they are used.
Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information.
While have seen in the past how powerful metadata can be in identifying and tracking people, AVG treats your browsing and search history along with meta data as non-personal data. Given this classification, AVG the ability to share it with third parties:
Do you share my data?
Yes, though when and how we share it depends on whether it is personal data or non-personal data. AVG may share non-personal data with third parties and may publicly display aggregate or anonymous information.
The good news is that the company does appear to have a way for users to opt out once the privacy policy is active:
You have the right to opt out of the use or collection of certain data, including personal data and non-personal data, by following the instructions here*.
*Our NEW Privacy Policy goes live on 15 October as will these instructions.
You can read the new policy in full at the AVG Privacy Policy page.
Wired UK has spoken with AVG and their spokesperson stated that the ability to collect search history had been in previous iterations of the policy, but with alternative wording. Previous versions of the policy stated that AVG could collect data on “the words you search”, but didn’t make it clear that data could be collected and sold on to third parties.
Alexander Hanff, Chief Executive of Think Privacy had the following to say:
It is utterly unethical to the highest degree and a complete and total abuse of the trust we give our security software
How much of an impact this has on AVG, the world"s third largest antivirus vendor, remains to be seen. With users being accustomed to clicking ‘Agree’ on license agreements and privacy policies without so much as glancing at the document; it is unlikely many will have knowledge of their acceptance of this practice.
Source: Wired UK