AVG admits it can sell user data; Symantec sacks staff over fakes; Skype goes down

AVG is facing an online backlash after it reportedly revealed a new privacy policy that allows it to sell its users’ data to third parties in order to raise revenue.

According to a WIRED report, AVG’s new privacy policy — which comes into effect on 15 October — states that the antivirus company is allowed to collect “non-personal data” which could then be sold to third parties.

ZDnet quoted AVG as saying, “We collect non-personal data to make money from our free offerings so we can keep them free.” This data, according to ZDnet, includes browsing and search history the ISP or mobile network a user uses to connect to AVG products information regarding other applications that may be on a user’s device.

AVG reportedly said that if any data is collected that could identify a user, that information would be considered personal and would be scrubbed.

“We may also aggregate and/or anonymise personal data we collect about you. For instance, although we would consider your precise location to be personal data if stored separately, if we combined the locations of our users into a data set that could only tell us how many users were located in a particular country, we would not consider this aggregated information to be personally identifiable,” ZDnet quoted AVG as saying.

An AVG spokesperson told WIRED: “Those users who do not want us to use non-personal data in this way will be able to turn it off, without any decrease in the functionality our apps will provide.”

The new privacy policy has provoked a variety of reactions from users and industry figures. WIRED quoted Alexander Hanff, CEO of privacy consortium Think Privacy, as saying that AVG’s ability to collect and sell user data puts AVG “squarely into the category of spyware”.

“Antivirus software runs on our devices with elevated privileges so it can detect and block malware, adware, spyware and other threats,” WIRED quoted Hanff as saying. “It is utterly unethical to [the] highest degree and a complete and total abuse of the trust we give our security software.”

Some reactions have been more measured. One PCWorld reporter wrote: “AVG’s new policy illustrates exactly why companies tend to drown their data collection practices in legalese. There’s no penalty for doing so, and being transparent only invites more outrage. In that sense, AVG at least deserves credit for helping users make informed decisions. Still, the idea of an anti-virus program tracking and monetizing your browsing history is unnerving, and if anything AVG ought to clarify that point further as it finalizes its new privacy policy.”

Skype restored after outage

Skype connectivity has reportedly been restored, after an error earlier this week prevented users around the globe from making calls for about 15 hours.

According to the BBC, reports of Skype being unavailable began to surface at about 9 am British Summer Time (BST) on Monday (6 pm Monday evening, Sydney time).

Skype reportedly said services had been fully restored just after Tuesday midnight BST (9 am on Tuesday morning, Sydney time).

Skype was quoted as saying that the issue did not affect Skype for Business users.

The BBC reported that an error locked some users’ status on the Skype service to ‘offline’, meaning they could not make calls even though they were connected.

Microsoft reportedly said that the contacts of affected users would also appear to be offline, meaning affected users could not initiate calls to those contacts.

Symantec staff sacked over fake Google certificates

Symantec has fired several employees for issuing unauthorised digital certificates for Google, according to ZDnet.

The certificates would reportedly allow malicious individuals to impersonate Google pages that are protected by HTTPS.

ITnews said the fake certificates were for internal testing.

According to ZDnet, Google said that Symantec issued an extended validation (EV) pre-certificate for the domains google.com and www.google.com — a pre-certificate that Google hadn’t requested or authorised.

The issue was reportedly discovered by Google employees who were monitoring Certificate Transparency.

The Register quoted Kevin Bocek, VP of security strategy and threat intelligence at Venafi, as saying: “In this case, these were extended validation certificates that are supposed to be of the highest security […] In fact, if these weren’t extended validation certificates, and required to be in a Certificate Transparency log because of Google Chrome, then we might not know about this issue. It’s one of the reasons why Certificate Reputation that goes beyond just Certificate Transparency to include hunting for possible malicious certificates on the internet is so important.”