You installed that security suite to protect your computer, and your privacy, but just what is it reporting to its maker? Could your suite itself be a security risk? A pair of German computer magazines commissioned AV-Comparatives to find out. Their results are now publicly available, and the report makes interesting reading.

Data Sources

To start, the researchers loaded 21 popular security suites onto test PCs and analyzed their network traffic, looking at just what data was sent. The report notes that "in some cases" the data was encrypted, so they couldn't read it. That's as it should be, but it implies that in other cases the data was not encrypted. Alas, the report doesn't identify which those were.

They also perused the End User License Agreement (EULA) and privacy policy supplied with each product. These documents should spell out exactly what data the program may send back to its maker.

As a final step, they sent a detailed questionnaire to each vendor, though they gave the other two data sources more weight than the results of the questionnaire. The report notes that in some cases the vendors didn't answer particular questions, for various reasons. "We understand that too much transparency might be useful for criminals," noted the report. "We thus accept that vendors cannot provide us with any information that could compromise security."

What Do They Share

There's quite a lot of variation in the amount and type of information shared by the various vendors. They all necessarily share the product version, in order to stay up to date, and that's perfectly reasonable. Almost all of them assign each installation a unique identifier, so they can aggregate information from a specific machine without necessarily identifying the user.

And yet, the system information shared by many of the products might well identify the user. Almost half of the products share the Windows username, which in many cases is the user's full name. Well over half transmit the computer name. Hmm, maybe I shouldn't have named mine "Neil's Computer".

Many security functions must send additional information about your computer usage. A product whose features include a vulnerability checker will necessarily send the version numbers of installed third-party programs, for example. Phishing protection and parental control components may transmit every URL you visit. And any antivirus that includes a cloud-based detection component will have to send file hashes, or in some cases, whole files that are suspect.

Burning Questions

It's conceivable that a security vendor could be required by government agencies to turn over the data they've collected on a particular user. Different jurisdictions have different laws in this area, so knowing where the data is stored can be quite important. Nine of the tested vendors store their data in the European Union, seven in the United States. The EU has stricter privacy laws, so this is significant. There was also one in Russia (Kaspersky) and one in South Korea (AhnLab). Three vendors declined to state where their data is stored.

Here's something I hadn't thought of. It's conceivable that, under a court order, a vendor could be forced to deliver a "special" update to specific user IDs, perhaps to monitor terror suspects. 13 of the vendors said no, they never do this. The rest declined to answer, which is slightly unnerving.

In truth, your security suite absolutely needs to send quite a bit of information back to its home base in order to do its job. The report offers full details about each vendor's data collection. My biggest takeaway is that you should actually read the EULA and privacy policy for your security suite, and opt out of any data collection that isn't required for security. To make checking EULAs simple, the report concludes with EULA links for the vendors who make those available online.

Image courtesy of Flickr user Franco.

Further Reading

Business Reviews