'Let's be really clear - we're not selling your personal data' says AVG

Tony Anscombe, senior security evangelist at the anti-malware firm, puts the record straight on AVG's privacy policy

Czech Republic-based security software vendor AVG, producer of one of the world's most popular anti-virus software suites, has strongly denied that its new privacy policy has been designed to enable it to sell users' personal data, as was widely reported last month.

"Let's be really clear. We're not sharing anything or selling anything today. What we're saying is that in the future we might, but if we do you will be able to choose whether you participate in this or not. It will be a conscious decision that you make as the end user," said Tony Anscombe, senior security evangelist at the firm, who said that a lot of work had gone into translating its previous policy from deadening "legalese" into plain language.

"Our goal was to put our privacy policy into a language that anyone can understand. We believe we've given you full disclosure in plain text and we've given you choices."

Concerns were initially raised when the company's new privacy policy, which was designed to be easily read on mobile devices, was published in September before it came into force on 15 October. Some observers believed the wording left the door open for the sale of personal data to advertisers and other parties, but Anscombe reiterated that there are no plans to do this, insisting that other anti-malware vendors - and indeed publishers - have very similar privacy policies that are frequently much longer and harder to understand.

"Look at the privacy policies of publications that are often funded by advertising," he said. "We provide a free anti-malware service to 200 million users and we don't make any money from advertising. We make our money in subscriptions, services and secure search. We also work with carriers in the US. As a public company anyone can go and look at our accounts."

While some personal data is collected automatically when users visit the AVG website, this data is anonymised and stored in a way that does not identify the individual, he said. This data is used in aggregate to analyse the performance of devices and produce reports. For example, in the latest global AVG Android App Report, AVG identifies the top 10 apps for battery usage, storage and data consumption. (Snapchat does not come out well, and neither does another company that got into hot water when it changed its privacy policy, Spotify.)

Creating a short-form policy that is easy to read and understand is surely a positive step for transparency, and the firm gave users a month to review it before it was implemented. Perhaps AVG was the victim of making its privacy policy too clear. Had it remained in obscure legalese, it is doubtful that so many would have read it and questioned its terms. Anscombe insists that the only substantial change to the policy was to make it shorter and simpler.

Given the current concern around online privacy, other companies doing the same might be advised to flag up their new policies, particularly any major changes, clearly on their home page and to publicise them as widely as possible to avoid misunderstandings.
