If you are running antivirus software on your system, or another type of security software, chance is good that quite a bit of data is transmitted from your system to Internet servers.
A recent AV Comparatives study reveals that products from all companies selected for the test transmit data to the Internet. Selected for the test were companies like Avira, AVG, Kaspersky, Symantec or Bitdefender.
That's not really something to worry about though without further analysis of the data that is transmitted. Considering that data needs to be transmitted for proper functionality of the program, for instance when urls need to be checked as part of a product's web protection module, it does not cut it to simply state that any data transmission is bad.
The study, which you can download as a pdf document on this page, goes further than that. Each vendor was asked to fill out a survey. In addition to that, network traffic was recorded and analyzed by AV Comparatives.
The questions were divided into the five groups:
- Product information: Are the product version and license information, a unique identifier, and statistical information transmitted?
- Machine information: Are the operating system version, computer name, display resolution, local IP address, running processes, hardware, third-party application information, or event / error logs transmitted?
- Personal information: Are visited urls (malicious and non-malicious), referrer, country or region of the operating system, language of the system, or Windows username transmitted?
- File related information: Are file hashes or parts of files transmitted?Are the detection name, file name and path transmitted? Are executable files and non-executable files transmitted if they are "suspicious? Can users opt-out of sending files.
- General: Use of silent detections, special update deliveries to users with specific IDs, and jurisdiction of data storage.
While some information need to be transmitted as mentioned earlier, others may not, especially if there is no opt-out option available. Avast transmits the local IP address and event- or error-logs for example, Bitdefender the Windows username and hardware information, and Kaspersky non-executable files (but with option to opt-out).
AV Comparatives did not include questions about data retention which is unfortunate. Some companies may use the transmitted data only to determine the correct course of action, while others may save it for a period of time or maybe even forever.
The organization suggests that users only download and install products of reputable companies, and that they read the End User Agreements before they do. While that is the reasonable thing to do, it is not done by the vast majority of users as it takes time and research to understand the legal speak.
Good programs should not only disclose that sensitive data may be transmitted, but also offer opt-out options or make those features opt-in from the start.
What about security software that you have installed on your system? Do you know which data it submits?