Is AVG planning to sell user data to advertisers following privacy policy change?

New privacy policy appears to allow AVG to sell user data to advertisers - but the company denies the accusation by privacy campaigner

Czech Republic-based security software vendor AVG, producer of one of the world's most popular anti-virus software suites, has come under fire over it's privacy policy, which appears to allow it to sell users' data to advertisers.

The company, though, in a blog posting and an email to Computing, denies that it is planning to sell "personally identifiable data" to anyone.

The new policy, which AVG's website says will come into effect in October 2015, has apparently been changed to explicitly allow the collection and sale of personal information relating to browsing history, searches, location and meta-data. Previous policies indicated that the firm only collected browsing data when a person used their their web site as well as information about any malware on the user's machine.

The site does not offer a list of changes made to the policy other than to provide a link to PDFs of previous versions.

Under the heading "What do you collect that cannot identify me" AVG's new policy states:

"We collect non-personal data to make money from our free offerings so we can keep them free, including: Advertising ID associated with your devices Browsing and search history, including meta data; Internet service provider or mobile network you use to connect to our products; and Information regarding other applications you may have on your device and how they are used.

"Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information. We may also aggregate and/or anonymize personal data we collect about you.

"For instance, although we would consider your precise location to be personal data if stored separately, if we combined the locations of our users into a data set that could only tell us how many users were located in a particular country, we would not consider this aggregated information to be personally identifiable."

The company says it will share "certain personal data" with affiliated partners, search providers and resellers. If, as the latest privacy policy seems to indicate, AVG has altered its terms to allow its anti-virus or other software to harvest user data from the machine on which it is installed, this has serious implications, says privacy campaigner Alexander Hanff.

"Anti-virus software runs on our devices with elevated privileges so it can detect and block malware and other threats," he says. "It is wholly unacceptable for an anti-virus software vendor to abuse those privileges to build detailed browsing, location and search profiles. It places AVG squarely into the category of spyware - which is what they are supposed to stop not what they are supposed to be."

Hanff goes on to say that the terms of the policy may also put AVG in contravention of forthcoming EU data-protection legislation.

"AVG's definition of identifiable data does not match the official opinion of the Article 29 Working Party, which states that any data that can be used to single out an individual (such as a user ID, IP address or device fingerprint) is classed as identifiable information," he told Computing.

"Secondly, under Article 5(3) of the ePrivacy Directive, any company that collects data about individuals by accessing files on their device must obtain the informed consent of that individual.

It is unlikely that a change to a privacy policy to which many users may never be exposed if they are already using the product would meet the necessary notice and consent requirements of many jurisdictions in the EU, and it would certainly seem to be incompatible with the upcoming GDPR [General Data Protection Regulation] soon to be finalised in Europe."

Hanff goes on to mention possible antitrust issues, given that AVG actively blocks other companies who collect data to profile users' behaviour for the purpose of selling it to advertisers. This could potentially be used to give the company a competitive advantage, he argues, urging users to uninstall the product.

Computing has asked AVG to clarify its new privacy policy and the changes it represents. We will publish its response when we receive it.

Update: 18 September

In response to our request AVG sent a link to a new blog post which seeks to clarify the company's intentions. It says:

"We do not, and will not, sell personally identifiable data to anyone, including advertisers. AVG has continually challenged the industry to simplify its privacy policies and provide an informative, one-page view. We are proud of our new privacy policy and intend to continue our drive for more transparency and greater user choice."

Stating that its intention has been to clarify its privacy policy to make it easier to understand, AVG says:

"When creating our new policy format, we decided that our customers should have the ability to choose whether or not to participate in our anonymized data collection program. We are currently adding this option to some of our FREE consumer products, and we can confirm that no sharing of data will happen until our customers are able to make this choice."

Computing has asked for further clarification as to which products (free or paid for) are affected and what constitutes personally identifiable data in the light of Hanff's comments above.

Further Update 18 September

AVG sent the following comment:

1) We have been very clear that we do not, and will not, sell personally identifiable data to anyone. We welcome the attention our privacy policy is receiving as it highlights the industry need for simpler privacy policies. We are delivering on our promises of simplifying our privacy policy and in continuing to give our customers clear choice.

2) Our customers have already seen great benefit from reports we've generated, such as the AVG App Report, which identifies the top battery, data and storage consuming apps. This data has been well received by our customers and well publicized by the media, who find such information extremely valuable for managing their mobile devices.