Other issues in this category (16)
About the sale of user data to third parties
Wednesday, January 27, 2021
One year ago (to be more precise, in December 2019), news that Avast had been selling the user data collected by its products to third companies since at least 2013 was widely shared. In particular, data on users’ web-browsing habits. The company itself did not deny this fact—with the proviso that nothing terrible was happening and no violations of privacy were taking place, because they were selling anonymised data.
As claimed by the company's representatives, they were collecting the following data: search results, GPS coordinates, and information about YouTube viewing histories and visited sites, including LinkedIn — and selling it to other companies, including Google, Microsoft, and Pepsi.
Was Avast entitled to do so? Yes. According to the license agreement, Avast "may share your Data with Vendor Partners such as Vendor’s ecommerce platform providers and payment processors, suppliers providing support, services and Solutions to you on Vendor’s behalf, and suppliers providing Vendor or a member of the Vendor Group with purchase analytics and crash analytics in respect of Solutions". After you accept the Avast license agreement, "You also acknowledge that Vendor or a member of the Vendor Group may share Data that is anonymized and aggregated with third parties for trend analytics".
The scandal subsided quietly; a year passed, but the content of the license agreement hasn't been changed. Users are still agreeing to have their data made available for anonymised distribution. And, if you think about it, it is hardly surprising that if you aren’t paying for a product, its owner has other ways to generate income. For example, by selling user data.
What threat is there to a user when their data is collected and transferred?
Let's start with data collection. Unlike Doctor Web, which never collects users' files under any circumstances, some other anti-virus companies directly declare that they do this in their license agreements. They say it is justified because they need to obtain information about new threats. And that may not sound like a big deal, but the problem is that the data that anti-viruses transmit to their developers' servers may include your personal photos, documents, browsing history, personal data, and excerpts from your online correspondence. Even simply collecting information about visited webpages is not so desirable for users. Far from everyone is agreeable to having their interests made a public asset. No one can ever guarantee that a development company’s employee will never at some point become interested (out of curiosity or sheer boredom) in any user-related facts.
Not everything goes smoothly when data is transferred to third parties. It is declared that the transferred data is anonymised—this means that it cannot be used to identify a user. But everything depends on the capabilities of those who are interested in a person.
ADINT technologies (advertising intelligence) allow third parties to access the data collected by the advertising ecosystem, to identify unique users and in future to track their movements throughout the world.
Here is an example of data selling: United States Special Operations Command (USSOCOM) buys the location data of mobile device users. Of course, it is anonymised. But, as it is claimed, the available capabilities allow them to completely deanonymisе a particular user. Take, for example, X-Mode — a company that tracks at least 40 million devices worldwide. It turned out that SDK from X-Mode is included in a series of xxxx Social dating applications, among which is Russia Social with more than 100,000 installations.
The Anti-virus Times recommends
Read a product’s license agreement text not only before you install an application but also whenever its terms are updated. The clauses concerning what data the developer gets off your computer may contain numerous surprising provisions. There’s no telling how the data pulled off your PC may be used against you, your employer, or even your country!
Remember: Dr.Web doesn't grab user files and personal information in the systems it protects and never relays technical system information to other parties. You can learn more about the information we do collect and why here.
Sometimes companies approach Doctor Web with offers to buy user data from us. We mentioned such an offer as an example in the issue "No one is even surprised anymore":
We are interested in exploring the opportunity of buying anonymized Clickstream data from your company.
We are a market intelligence company and partner with a number of developers where we help them generate significant revenue by licensing us anonymized data which is collected by their products.
[COMPANY NAME] collect data about the online world from many sources around the world.
We aggregate all the data sources, normalize them and process them in order to create estimations about different engagement metrics of websites and apps.
Our partnership model is normally very meaningful for our partners. We have partners who we pay in the high $100,000s or even more than $1MM to when the partnership is large enough to work well for both sides.
It’s important to emphasize that we do not collect or interested in any private information about users.
To all such offers we firmly reply—"No!"