Every security suite sends data back to its home base to check for malware and keep you safe. But you'd be surprised how much other information they collect and share. Here's what you need to know.
The whole point of installing and maintaining an antivirus or security suite is to protect your privacy, your identity, and your devices. Wouldn't it be ironic if that antivirus proved to be a security risk? According to testing data from AV-Comparatives, your antivirus needs to know a lot about your computer to protect you: everything from your PC's name to the websites you visit. Are you safe giving that information away? The answer is complicated.
What Data Does My Antivirus Collect?
While we do our own in-depth testing of all the antivirus and security software we review, we also monitor and interpret antivirus lab tests to inform our reviews. In the AV-Comparatives tests mentioned above, the lab identified 20 popular antivirus applications for examination. The list of names will surely be familiar to you: Avast, Avira, Bitdefender, eScan, ESET, F-Secure, G Data, K7, Kaspersky, Malwarebytes, McAfee, Microsoft, Norton, Panda, Sophos, TotalAV, Total Defense, Trend Micro, VIPRE, and Webroot. PCMag reviews antivirus and security suite apps from all of these companies except Kaspersky. Given that the US government has banned new sales of Kaspersky security products, we no longer evaluate or recommend them.
For a little perspective, the list includes every PCMag Editors' Choice in the antivirus and security suite realm except for AVG AntiVirus Free. Avast acquired AVG in 2016, and they've used the same antivirus engine for many years. I can understand skipping a separate evaluation of AVG.
The researchers scored each security application on five criteria: Data Collection, Data Sharing, Accessibility, Control of Software & Processes, and Openness. The first two of these lend themselves to empirical testing, especially Data Sharing.
To prepare for the evaluation, they installed each subject app on a test machine equipped for network monitoring. They then put the antivirus through its paces and analyzed what information it transmitted back to its publisher. They also pored over each End User License Agreement (EULA) to determine whether it clearly identified data that would be sent and what data was involved.
In addition to the empirical evidence gathered by examining network traffic and perusing EULAs, they sent each security company a detailed questionnaire to gather more details. If the company's stated policies didn't match what the network analysis revealed, that could earn a lower score.
Companies cited security reasons for not answering some of the questions. "We understand that too much transparency might be useful for criminals," noted the report. "We thus accept that vendors cannot provide us with any information that could compromise security."
The study noted that there's no easy way to avoid collecting data such as credit card details for payment and licensing. But generally, the less data collected, the better the Data Collection score.
Companies received a separate Data Sharing score based on how they handled the gathered data. Using the data for targeted ads or selling it to third parties would naturally knock down this score, but sharing samples of potential malware could benefit the entire community.
Does My Antivirus Share Data With Others?
There's quite a lot of variation in the amount and type of information shared by the various antiviruses with their respective companies. They all necessarily share the product version to stay up to date, and that's perfectly reasonable. Almost all of them assign each installation a unique identifier so they can aggregate information from a specific machine without necessarily identifying the user.
However, it turns out that the system information shared by many apps might personally identify the user, which some might find objectionable. In some cases, licensing details include the user's full name. Even when that's not the case, most share the Windows username, which may be the user's full name. Many security apps transmit the computer name to help manage licensing. Hmm, maybe I shouldn't have named mine "NeilRubenkingPC."
An antivirus whose features include a vulnerability checker will necessarily send the version numbers of installed third-party programs. Phishing protection and parental control components may transmit every URL you visit. Any antivirus that includes a cloud-based detection component will have to send file hashes or, in some cases, whole files that they suspect might be malware. Yes, this could include personal documents.
Does My Antivirus Protect My Personal Data?
Clearly, it's important to know what data a security company collects and how it uses that data. The testing team also rated companies on how well they control their collected data and how easy it is for consumers to learn about their practices.
A company that uses clear language in the EULA and privacy policy gains credit for Accessibility. Offering an FAQ that clearly explains what data is collected and why it's needed also boosts this score. The companies that responded to the questionnaire (almost three-quarters of them) gained points for Transparency: the more answers, the more points. Making third-party audits available also raises this score.
Finally, there's the criterion called Control of Software & Processes. It doesn't matter how clear, careful, and open a company is about handling personal data if bad practices by a third-party partner expose that data. The researchers also looked at the security of the companies' third-party cloud storage services. Companies that maintain bug bounty programs to reward users for pointing out security holes got a boost in this score.
Governments Can Interfere With Your Privacy
It's completely possible that a security company could face demands from government agencies to turn over the data they've collected on a particular user. Different jurisdictions have different laws in this area, so knowing where the data is stored can be quite important. In particular, the stringent privacy protections of the General Data Protection Regulation (GDPR) not only apply to data stored within the EU, they also apply to data about residents of the EU wherever it may be stored.
Nine of the participating companies chose not to discuss the location of their server farms. Of those that answered, three stay strictly in the EU, five have storage in the EU and US, and two keep data in the US and India. That leaves Kaspersky, which reported it stores data in the EU, Canada, the US, and Russia.
A government agency could even order the security company to deliver a "special" gimmicked update to specific user IDs, perhaps to spy on terror suspects. Asked if they ever do this, India-based eScan responded that they do, as did McAfee and Microsoft. Another 11 stated they never send this kind of targeted update. The rest declined to answer, which is a bit unnerving.
Which Antiviruses Protect My Privacy Best?
After determining all the individual scores, the testing team derived a final rating from one to five stars. No company reached a perfect five stars, but Bitdefender, ESET, F-Secure, G Data, and Kaspersky scored the best, rating 4.5 stars.

K7 and Vipre did well, reaching four stars. The rest of the participating companies received three stars, suggesting they have some work to do in protecting their users' data. This group comprises Avast, Avira, eScan, McAfee, Norton, Panda, and Webroot.
Sharp-eyed readers may notice that I've only listed 14 companies above, not the 20 that were evaluated. The remaining six companies chose not to participate. With no questionnaire answers, the researchers couldn't complete their evaluation. All six of these (Malwarebytes, Microsoft, Sophos, Total Defense, TotalAV, and Trend Micro) received four points for restraint in Data Sharing, but most of their other individual scores ranged from zero to three. Overall, they each earned one star.
Should I Worry About My Antivirus?
There's no question that your antivirus or security suite needs to send some information back to its home base, but some go beyond what's necessary. Read the full report for details about each company's data collection practices. Then open the settings for your antivirus and opt out of any data collection that isn't required for security. Sit down and read the EULA and privacy policy for the app as well. Consider your chosen security company's score. Switch to another antivirus if you feel the need.
Then relax. Misbehavior by security companies is a much smaller concern than invasive programs that actively harvest your data for their own gain, mega-corporations that know everything about you, or AI language models that incorporate your personal information. At least the security companies say they aim to protect your privacy, and they measurably succeed in protecting against malicious software.
Source: pcmag.com