To be fair, AVG is saying that the information disclosed is anonymous. But what does “anonymous” really mean? In today’s world of big data, correlation and user-behavior – how difficult is it really to de-anonymize, or at least to make educated guesses around an individual or group of individuals (say, at a company)? The government, following the Snowden leaks, have already proved that “anonymous” is just a nebulous term, subject to the limitation of directly providing full-row details. Even Google, in its recent transparent laudatory move, has showed that they track user’s activities – also when the user is not signed into their account.
Back to the data collection, it’s precisely the clashing of propositions – security and privacy – that has customer bubbling in anger. AVG has established itself as the protector for users. It has a list of virus signatures and quarantines malicious files or disables rogue code that match these signatures. As a protector, it takes security very seriously. We’ve seen this first hand when enSilo responsibly brought a severe vulnerability to AVG’s attention in March 2015
As part of its protector role, users have enabled AVG access to their most secret and confidential thoughts (in the forms of browsing history, cookies, etc.).
Herein lies the issue. It’s this protector that is taking all this data it was granted with and selling it onwards to an unknown 3rd party.
Let us not kid ourselves. All companies nowadays collect user information. We would also argue that many security vendors are privy to the most secret of all information due to the nature of their product. Just like we expect our financial institutions, healthcare providers and photo-sharing apps in the Cloud to safeguard our information and use it for the purpose it was originally collected for, the security industry, should practice as we preach. Let us all not step that fine line between what we were entrusted with and how to abuse that trust. To quote the greatest: “With great powers come great responsibility”.