Testing lab publicly rebukes security products’ privacy policies

Many software security products like anti-malware programs come with privacy policies that would make a peeping Tom blush, according to an analysis by an independent third-party testing laboratory.

“In almost every privacy policy examined, the manufacturers presume a vast number of access rights to data that should not be necessary for using a security software application,” concludes the analysis published last week by the AV-Test Institute.

The AV-Test Institute, a Magdeburg, Germany-based company that evaluates computer security products, analyzed the English-language privacy policies for 26 security products from major manufacturers including Avast, AVG, ESET, F-Secure, Fortinet, Kaspersky, McAfee/Intel Security, Symantec and Trend Micro.

Most of the policies said the manufacturer would collect user data including name, email address, phone numbers and bank or payment card details. The analysis states that while this information might be useful for marketing purposes “they are hardly necessary for using the [security] programs.”

Some products’ policies, however, went a great deal further than that — asserting rights over biometric data, as well as the user’s gender, occupation, race and sexual orientation.

Andreas Marx, the institute’s CEO, told CyberScoop he didn’t want to share “individual details” of which policy asserted which rights over user data because “this was only the first part of our research.”

“Some manufacturers are working on improving their data protection/privacy policies at the moment, based on our feedback,” he wrote in an email. “Besides this, we expect some technical changes in certain products, too,” again as a result of their feedback to manufacturers.

Two of the products lacked a privacy policy of any kind and most were written with impenetrable jargon, the institute’s analysis found.

“The policies were barely comprehensible for normal users,” notes the analysis, adding their average length was 12 pages. “Long sentences and lots of technical terms make it even more difficult to understand what are already very long texts.”

Fifteen manufacturers required access to users’ browser history and six to users’ search queries. Five asserted the right to sift email content and two to full accessibility of the users’ personal address books. “One manufacturer even claimed the right to publish [social media] entries on behalf of users,” while others want to be involved in chat sessions, or access chat history.

The institute’s testers made no effort to discover what information the programs actually collected, the analysis states. “Determining whether this data is actually collected was not a substantive aim of this examination,” it says, adding that it will address these issues in follow-up research and communication with manufacturers.

Written by Shaun Waterman