Establishing expectations for AV vendors
Posted by Maxim Weinstein
At StopBadware, we're currently revising our guidelines for badware applications. The goal of these guidelines is to distinguish between applications that are badware (defined as "software that fundamentally disregards a user's choice about how his or her computer or network connection is used") and those that aren't. One major reason for distinguishing badware from non-badware applications is to help people make informed choices before installing software that may compromise their privacy or security.
It is in this context that we ask a question that has been troubling us: if a "legitimate" anti-virus or security product has to send data about your computer use (e.g., your web search or browsing history) back to the vendor's servers to protect you as promised, how clearly should that data usage be disclosed?
Historically, we have thought of surreptitious collection of this type of data as a badware behavior. But what if the data isn't really being collected or used in any nefarious way, and the transmission of the data is necessary to make the product work as intended?
Consider a product like McAfee SiteAdvisor, a free browser plug-in that informs you of the safety of websites as you visit them or while browsing through search results. SiteAdvisor has to query a McAfee server with the URL (or the hash of the URL) of every site you visit or find during a search. This means that, if McAfee wanted to (or if a rogue employee gained access), a profile of your browsing history could be compiled and tied back to your IP address. Yet this is never disclosed in any visible way prior to or during installation. In fact, it's not even in the Privacy Policy. (It could be considered covered by a vague provision in the EULA about the collection of personal information from your computer necessary to the function of McAfee's security products.)
This is not unique to SiteAdvisor. Many AV products now query a centralized database about URLs and/or executables to ensure users are protected. In our experience, most of these products fail to disclose this potential threat to a user's privacy in any meaningful way.
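As an added illustration (not code from StopBadware, McAfee or any vendor; all names, IP addresses and URLs are constructed), the following Python sketches why sending "the hash of the URL" does not remove the profiling risk described above: the digest is deterministic, so anyone holding the server log and a list of popular URLs can map most entries back to the pages a given client address visited.

```python
import hashlib
from collections import defaultdict

# Constructed dictionary of "well-known" URLs an insider could precompute
# digests for; in practice this would be millions of popular pages.
SAMPLE_KNOWN_URLS = [
    "https://example.com/",
    "https://example.com/login",
    "https://example.org/",
    "https://example.net/news",
]


def url_digest(url: str) -> str:
    """Client side: hash the URL before sending it to the reputation service."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


class ReputationServer:
    """Hypothetical vendor endpoint: returns a verdict and keeps an access log."""

    def __init__(self, verdicts):
        self.verdicts = verdicts  # digest -> "risky" (constructed blocklist)
        self.log = []             # (client_ip, digest) for every query

    def lookup(self, client_ip: str, digest: str) -> str:
        # The server never sees the plain URL, yet it records who asked what.
        self.log.append((client_ip, digest))
        return self.verdicts.get(digest, "unknown")


def build_profiles(log, known_urls):
    """What a rogue insider could do with the log: invert the deterministic
    digests with a precomputed table and group the hits by client address."""
    table = {url_digest(u): u for u in known_urls}
    profiles = defaultdict(list)
    for ip, digest in log:
        profiles[ip].append(table.get(digest, "<unknown>"))
    return dict(profiles)


def demo():
    """Run a few constructed lookups and reconstruct browsing histories."""
    server = ReputationServer({url_digest("https://example.net/news"): "risky"})
    visits = [  # constructed (client_ip, url) pairs
        ("203.0.113.7", "https://example.com/login"),
        ("203.0.113.7", "https://example.org/"),
        ("198.51.100.2", "https://example.net/news"),
        ("198.51.100.2", "https://private.invalid/secret"),  # not in the table
    ]
    verdicts = [server.lookup(ip, url_digest(url)) for ip, url in visits]
    return verdicts, build_profiles(server.log, SAMPLE_KNOWN_URLS)


if __name__ == "__main__":
    verdicts, profiles = demo()
    print(verdicts)
    for ip, history in profiles.items():
        print(ip, history)
```

Only the URL that is absent from the precomputed table stays hidden; everything else resolves, which is why hashing here is a pseudonym for the URL rather than an anonymization, and why the disclosure question in the post applies to hashed lookups just as much as to plaintext ones.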
So, back to the question. Is this a badware behavior, one that in this case is being perpetuated by several well-respected software companies? Or is it reasonable to expect that users either know or wouldn't care that their security comes at the price of a company having access to some private data? Is it dependent on the trustworthiness of the vendor or the stated use of the data once it's been received? What should we expect as a minimum bar from AV vendors whose products behave in this way?
Please let us know your thoughts in the comments!

I would think it to be appropriate for an AV/security company to clearly mention that they are going to use data for analysis purposes. An option should be provided to the client to not allow the transfer of (non-critical/anonymized) data. Too many companies, from toolbar vendors to small and mid-tier AV companies, do not make this clear enough during the installation process.
Privacy and security are bound to clash. The fundamental security conundrum is that "on the internet nobody knows you're a . . ." . In other words, the internet is built without authentication - this is the door that allows spam to be sent, malware to be posted, attacks to be launched . . . . If you want to be secure, you will have to give up some privacy. I agree that full disclosure of the trade-off is better, but let's not pretend that in an age when, as Google reports, 3% of web search results contain malware and when most AV companies complain of the burden of detecting over 30,000+ new, unique pieces of malware daily, you will be able to stay safe by running a local AV scanner and practicing safe computing. That is simply not enough. The more thoughtful security vendors are all building systems that will, if not now, then soon, attach your PC to a security information grid that both collects site, file and email tracking data and that will provide security services in near real time. The real question is, will the data be traceable back to individual users, will the data be maintained safely and will it be used for marketing purposes. Perhaps we need vendors to be held to a standard for data security - and perhaps pledges to maintain that standard should be in the EULA as well. In full disclosure, I work for Symantec - but the opinions I expressed are my own.
I don't know what's expressed in our EULA during installation, but our UI includes the option of turning off network queries and includes this: "Privacy statement Submitting information to the Real-time Protection Network does not compromise your privacy. Even though the submitted information may be considered personal under some jurisdictions, your privacy is protected during the process. We transfer the information securely, remove any unnecessary personal information, and process the information anonymously in an aggregate format. In this way, the information cannot be connected to you in any way. No user account information, no IP address information, or no license information is included in the information submitted through the Real-time Protection Network. We protect your privacy further by using encryption when transferring the information. The submitted information is used for improving the protection capabilities of our services and products." Is that a good enough explanation in your view?
@Sean: While I haven't seen the interface, based on your description, this sounds like excellent disclosure. It would be great to see more AV companies embrace this approach. The general consensus amongst folks we've talked to since posting this is that best practice requires the kind of disclosure you describe, yet a failure to conspicuously disclose the network queries is not, by itself, a badware behavior. Of course, if that data were being exploited in an undesirable way, or if more private data were being collected, or if it were combined with other bad behaviors, that would be a different story.