AVG is a hugely popular anti-virus (AV) solution. According to the company website it is used in protecting "over 200,000,000 active users". A lot of those users may rely on the free version of the software, which has garnered many favourable reviews over recent years. But it must be tricky to make money providing a popular AV solution, with good performance, in some ways its cannibalising your own market.
In an updated privacy policy document we get a glimpse of a new way that the AVG developers intend to monetise customers of its security software. According to Computing's interpretation, the new policy allows "the collection and sale of personal information relating to browsing history, searches, location and meta-data". Previous AVG privacy policies only went as far as saying that it collected browsing data from the AVG website/apps and data of malware found on user machines.
In the controversial new policy segment entitled 'What do you collect that cannot identify me?' AVG says that it collects "many types of data, called non-personal data that does not personally identify you." Beyond the data about you using AVG products and services, the following (non-exhaustive) examples of what might be recorded are given:
"We collect non-personal data to make money from our free offerings so we can keep them free, including:
- Advertising ID associated with your device;
- Browsing and search history, including meta data;
- Internet service provider or mobile network you use to connect to our products; and
- Information regarding other applications you may have on your device and how they are used."
AVG will seek to anonymize information in your browsing history that might identify you. Unfortunately, as well as the above, AVG says it will share "certain personal data" with affiliated partners, search providers and resellers.
Jaunty privacy policy video from AVG
Privacy campaigner Alexander Hanff is quoted by Computing as saying that AVG's new policy is "wholly unacceptable," as it "runs on our devices with elevated privileges so it can detect and block malware and other threats," and appears to be abusing those privileges. AVG's new privacy policy certainly seems incompatible with forthcoming EU data-protection legislation such as the GDPR (General Data Protection Regulation), adds Hanff.
AVG published a blog post yesterday, trying to smooth things over. The firm says it released the privacy policy a month before it comes into effect so it could gain feedback from users. It is asserted that customers will "have the ability to choose whether or not to participate in our anonymized data collection program." Apparently this option will be added to "some of" AVG's free products too. Note, AVG says some, not all free products will allow you to opt out. AVG signs off by saying that it does not "and will not, sell personally identifiable data to anyone, including advertisers".