Beware of privacy policies that give security software developers user rights and access to Personally Identifiable Information (PII).
Pundits and users alike understand the importance of reading privacy policies before installing software. However, not many read the policy before clicking the "accept" button, and that is understandable.
To safeguard sensitive user data, security software typically requires extensive access to the data being protected. And that can be a double-edged sword according to Olaf Pursche, head of communications at AV-TEST, an independent IT security test house, who writes in this white paper:
"Users likewise have no other option than to allow far-reaching insights into systems and stored data, putting their faith in the pledge of software companies to protect them. However, this should only occur under the assumption that these access rights will be used solely to detect and thwart possible threats."
People at AV-TEST have come across examples they feel abuse that faith. Anett Hoppe, an IT security expert at AV-TEST, put 26 security platforms through their paces, focusing on the access rights the security software claims. In particular:
- What user rights are assumed by the security software
- What data is collected by the software, and are the users being informed of that fact
Hoppe and her fellow researchers at AV-TEST came up with the following conclusions. Pursche notes that, "Only 24 privacy policies were evaluated, as two of the security packages did not include any policy whatsoever--neither on the manufacturers' websites nor during installation of the programs."
Collected more data than required: The AV-TEST white paper suggests the privacy policies studied give security software developers permission to collect personal data including name, email address, and payment details. However, the same manufacturers collect additional PII, including telephone numbers, that Pursche feels is not necessary for the security packages to operate efficiently but is useful for introducing additional products to the user.
User biometric data collected: For reasons unknown to Pursche and others at AV-TEST, security software firms collect digital fingerprints and other physical attributes. Pursche adds, "How information on the user's gender, occupation, as well as race and sexual orientation are intended to help in hunting down malware is probably difficult to explain."
User activity tracked: Hoppe, in her research, found that some of the installed security packages wanted access to the following applications and software to track user activity:
- Fifteen programs require access to browser history
- Six programs ask to access search queries
- Five programs examine emails
- Two programs want full access to the user's address book
User statistics compiled: 10 out of the 24 privacy policies give the security program's developers the right to gather "user statistics." The question then becomes: what data does the term "user statistics" cover? "It is not clearly defined, however, which data is collected here, i.e. whether it involves the use of the security program itself, use of the device, or the collection of entirely different data," writes Pursche. "In this area, as well as in many other points, the specifications of privacy policies of all manufacturers are extremely vague."
Recommendations for users