No one is even surprised anymore
The digital economy is a data economy, and data is its raw material.
Data is used to extract and produce information. Intermediate goods out of raw material.
The information is then used to generate knowledge. Goods and services.
Apart from money, what is the most valuable asset of a company that deals in digital technologies? The most precious non-material (or virtual, if you will) resource for such companies is Her Majesty Information.
This AVT issue was inspired by an email to Doctor Web from another company specialising in… Well, let's just quote the original source:
We are interested in exploring the opportunity of buying anonymized Clickstream data from your company.
We are a market intelligence company and partner with a number of developers where we help them generate significant revenue by licensing us anonymized data which is collected by their products.
[COMPANY NAME] collects data about the online world from many sources around the world.
We aggregate all the data sources, normalize them and process them in order to create estimations about different engagement metrics of websites and apps.
Our partnership model is normally very meaningful for our partners. We have partners who we pay in the high $100,000s or even more than $1MM to when the partnership is large enough to work well for both sides.
It’s important to emphasize that we do not collect and are not interested in any private information about users.
In brief: we will buy your customers' data (without compromising user anonymity) for a sum of $100,000 or more.
"No big deal!", you'll probably say. Everyone tries to convert the data they have into money. But there is a small problem: these snoopers have no qualms about probing an anti-virus company for information despite the fact that the latter is supposed to protect its clients, who have entrusted their data to it.
Perhaps, the message’s authors don't understand that? No, they absolutely know what they’re doing. The problem is that selling customers' data has ALREADY become the NORM even for information security companies. You hadn’t noticed that yet?
We’ve got valuable data. Someone wants to buy it. Why not make some extra money?
Need proof? Here you go:
4b. Forwarding of infiltrations and information to the Provider. The Software contains a function which collects samples of new viruses and other similar malicious programs and suspicious or problematic files (hereinafter referred to as “Infiltrations”) and then sends them to the Provider, along with information about the computer and/or the platform on which the Software is installed (hereinafter referred to as “Information”). This function is disabled under the Software's standard settings. The Information may contain data (including randomly or accidentally obtained personal data) about the End User and/or other users of the computer on which the Software is installed, information about the computer, the operating system and programs installed, files from the computer on which the Software is installed and files affected by an Infiltration and details about such files. The Provider shall only use Information and Infiltrations received for research into Infiltrations and shall take appropriate precautions to ensure that Information received remains confidential. By activating this function of the Software You are agreeing to Infiltrations and Information being sent to the Provider and You are also granting the Provider the necessary approval, as specified under the relevant legal regulations, for processing Information obtained. You can deactivate this function at any time.
So the Provider is entitled to grab anything on a PC that its anti-virus regards as "affected by an Infiltration", INCLUDING personal data!
- Data of our free mobile users remain anonymous to us and to the third party ad agencies. However, the ad agencies’ SDK code will collect data to build profiles to tailor ads to you. The SDK may collect information such as the third-party apps you installed on your device, your Android advertising identifier, your IP Address, your device's operating system details and MAC address, and other statistical and technical information. If you do not want to view third party ads, you may uninstall the free mobile product and/or choose an available paid version of mobile products, which do not serve third party ads.
- We use this Clickstream Data to provide you malware detection and protection. We also use the Clickstream Data for security research into threats. We pseudonymize and anonymize the Clickstream Data and re-use it for cross-product direct marketing, cross-product development and third party trend analytics.
So the anti-virus is available free of charge, but it facilitates the collection and sale of user data.
And companies count as users of the anti-virus too. So they willingly hand over not only supposedly anonymous data but also (as in the case of ESET) their files.
Also note that although a system administrator may tick the box and accept the EULA terms, it is the company’s management who will ultimately be responsible for any data leaks.
We wonder how many companies follow this procedure:
- Before an administrator ticks the corresponding box, the company's lawyer must examine the license agreement to determine whether the company should accept its terms or not. On the other hand, while the terms are being examined, the corporate infrastructure will remain unprotected since the anti-virus won't work unless the terms are accepted;
- Administrators must notify their superiors that the products they install use a cloud feature, and they must obtain permission to enable it.
Funnily enough, some companies submit anti-virus software tenders where a cloud feature is listed as a requirement. And their management actually signs the tender papers. What do you even need this cloud for?
- Read the license agreement text not only before you install an application but also whenever its terms are updated. The clauses concerning what data the developer gets off your computer may contain numerous surprising provisions. Goodness only knows how the data pulled off your PC may be used against you, your company, or your country!
Are we ready to protect our data? Well, we’re working on it.
Upcoming amendments to Russian legislation will make providers responsible for the actions of other parties who process personal data on the providers' behalf.
And that's only the beginning…
Apparently, we will be discussing this topic in our Anti-virus Times issues again… and again.