User privacy and the role of providers holding user information have become a daily discussion. The debate seems to have reached an all-time high with AVG’s latest announcement of changes to its Privacy Policy. To recall, AVG is free anti-virus software that boasts of protecting more than 200M users worldwide. Now, AVG has announced that it will be collecting what the company terms “non-personal data” and potentially selling it to third parties (advertisers).

To be fair, AVG is saying that the information disclosed is anonymous. But what does “anonymous” really mean? In today’s world of big data, correlation and user behavior, how difficult is it really to de-anonymize, or at least to make educated guesses about, an individual or a group of individuals (say, at a company)? The government, following the Snowden leaks, has already proved that “anonymous” is just a nebulous term, subject to the limitation of directly providing full-row details. Even Google, in its recent laudable move toward transparency, has shown that it tracks users’ activities, even when the user is not signed in to their account.

Back to the data collection: it’s precisely the clash of propositions – security and privacy – that has customers bubbling with anger. AVG has established itself as the protector of its users. It has a list of virus signatures, and it quarantines malicious files or disables rogue code that matches these signatures. As a protector, it takes security very seriously. We’ve seen this firsthand when enSilo responsibly brought a severe vulnerability to AVG’s attention in March 2015.

As part of its protector role, users have granted AVG access to their most secret and confidential thoughts (in the form of browsing history, cookies, etc.).

Herein lies the issue. It’s this protector that is taking all the data it was granted and selling it onwards to an unknown third party.

Let us not kid ourselves. All companies nowadays collect user information. We would also argue that many security vendors are privy to the most secret of all information due to the nature of their products. Just as we expect our financial institutions, healthcare providers and photo-sharing apps in the Cloud to safeguard our information and use it only for the purpose it was originally collected for, we in the security industry should practice what we preach. Let us not cross that fine line between what we were entrusted with and the abuse of that trust. To quote the greatest: “With great power comes great responsibility”.