Pundits and users alike understand the importance of reading privacy policies before installing software. However, not many read the policy before clicking the “accept” button, and that is understandable.

Back in 2012, two privacy experts, Dr. Aleecia M. McDonald and Dr. Lorrie Faith Cranor (as reported in this TechRepublic article) tried to determine what the cost would be if every online privacy policy was read. It amounted to more than $780 billion per year. What’s more, those brave enough to attempt reading a privacy policy quickly learn understanding the legalese is an act of futility unless they happen to be lawyers.

Besides feeling angst and the monetary loss of reading privacy policies, agreeing to a privacy policy–in particular the policies associated with security software designed to prevent the exfiltration of proprietary information–without understanding the policy’s contents may give the security software’s developers permission to exfiltrate the Personally Identifiable Information (PII) it is supposed to protect.

SEE: Information Security Policy (Tech Pro Research)

To safeguard sensitive user data, security software typically requires extensive access to the data being protected. And that can be a double-edged sword according to Olaf Pursche, head of communications at AV-TEST, an independent IT security test house, who writes in this white paper:

“Users likewise have no other option than to allow far-reaching insights into systems and stored data, putting their faith in the pledge of software companies to protect them. However, this should only occur under the assumption that these access rights will be used solely to detect and thwart possible threats.”

People at AV-TEST have come across examples they feel are abusing users’ faith. Anett Hoppe, an IT security expert at AV-TEST, put 26 security platforms through their paces while focusing on what access control the security software assumes. In particular:

  • What user rights are assumed by the security software
  • What data is collected by the software, and are the users being informed of that fact

Hoppe and her fellow researchers at AV-TEST came up with the following conclusions. Pursche notes that, “Only 24 privacy policies were evaluated, as two of the security packages did not include any policy whatsoever–neither on the manufacturers’ websites nor during installation of the programs.”

Assumed more access than needed: “In almost every privacy policy examined, the manufacturer presumes a vast number of access rights to data that should not be necessary for using a security software application,” writes Pursche. To be fair, Pursche adds that according to manufacturers’ statements, they (additional access rights) serve the purpose of product optimization.

Collected more data than required: The AV-TEST white paper suggests the privacy policies studied give security software developers permission to collect personal data including name, email address, and payment details. However, the same manufacturers collect additional PII–including telephone numbers–that Pursche feels are not necessary for the security packages to operate efficiently, but useful for introducing additional products to the user.

User biometric data collected: For reasons unknown to Pursche and others at AV-TEST, security software firms collect digital fingerprints and other physical attributes. Pursche adds, “How information on the user’s gender, occupation, as well as race and sexual orientation are intended to help in hunting down malware is probably difficult to explain.”

User activity tracked: Hoppe, in her research, found that some of the installed security packages wanted access to the following applications and software to track user activity:

  • Fifteen programs require access to browser history
  • Six programs ask to access search queries
  • Five programs examine emails
  • Two programs want full access to the user’s address book

User statistics compiled: 10 out of the 24 privacy policies give the security program’s developers the right to gather “user statistics.” The question then becomes what data does the term user statistics reference? “It is not clearly defined, however, which data is collected here, i.e. whether it involves the use of the security program itself, use of the device, or the collection of entirely different data,” writes Pursche. “In this area, as well as in many other points, the specifications of privacy policies of all manufacturers are extremely vague.”

SEE: It’s 2016 and we don’t know who has our personal data (ZDNet)

Recommendations for users

In lieu of security program providers creating straightforward privacy policies, Hoppe recommends that users bear data protection issues in mind when registering and configuring the product. “This begins with the user’s personal details during installation–often enough, not all the fields on the registration form are required and are only completed out of habit,” continues Hoppe. “Moreover, users should at least quickly peruse the privacy policy. Only by knowing these terms can the user determine whether an address book or private photos really should be uploaded onto a manufacturer’s server.”