This guide tracks privacy issues with antivirus software and is periodically updated with new information.
It goes without saying that reliable antivirus software plays a crucial role in IT security. As malware continues to become more sophisticated and prolific (more than 350,000 malware samples are released every single day), home users and business owners alike need to have protection in place to stop these modern digital threats.
However, antivirus products are not immune to privacy problems. While the antivirus industry is ostensibly on the side of good, many antivirus products behave in a way that infringes on users’ privacy. Whether they intercept web traffic, sell browser history data, or allow backdoor access to government agencies, many antivirus products are guilty of jeopardizing the very thing they are designed to protect: your data.
Here are five ways antivirus software may interfere with your privacy.
1. Selling your data to third-party advertisers
To provide you with the protection you need to keep your system safe, your antivirus software needs to know a lot about you. It keeps an eye on the programs you open to ensure you’re not accidentally executing malicious software, and it monitors your web traffic to stop you accessing dodgy websites that might try to steal your login credentials. It might even automatically take suspicious files it finds on your computer and upload them to a database for further analysis. This means your antivirus software could collect and process an awful lot of your personal data if it wanted to.
With great power comes great responsibility.
While some antivirus providers are quite conscientious with their users’ data and only use it when absolutely necessary, others are much less scrupulous.
AVG – A few years ago AVG came under fire when the company announced changes to its privacy policy that would allow it to sell its users’ search and browser history data to third parties (i.e. advertisers) in order to monetize its free antivirus software. Of course, AVG isn’t the only antivirus company to monetize its users’ data.
Avast – Avast’s popular free android app sends personally identifiable information such as your age, gender and other apps installed on your device to third-party advertisers. As an AVG spokesperson explained to Wired, “Many companies do this type of collection every day and do not tell their users.”
From free VPN services to free antivirus, the old adage rings true: if you’re not paying for the service, you’re probably the product.
2. Decrypting encrypted web traffic
Most modern antivirus products include some sort of browser protection that prevents you from accessing known phishing and malware-hosting websites. However, doing so is easier said than done due to the fact that so much data is now transferred via Hypertext Transfer Protocol Secure (HTTPS).
HTTPS is the protocol your web browser uses when communicating with websites. The “S” in HTTPS stands for “secure” and indicates that the data being sent over your connection is encrypted, which protects you against man-in-the-middle attacks and spoofing attempts. Today, 93 percent of all websites opened in Google Chrome are loaded over HTTPS, up from 65 percent in 2015. If you want to know if a website uses HTTPS, simply check the URL or look for a padlock icon in the address bar.
The rapid adoption of HTTPS has helped to make the web a more secure place, but it has also introduced an interesting problem for antivirus companies. Normally when you visit an HTTPS website, your browser checks the website’s SSL certificate to verify its authenticity. If everything checks out, a secure connection is established, your website loads, and you can browse away to your heart’s content, secure in the knowledge that the website is legitimate.
But there’s just one problem. Because the connection is encrypted, there’s ultimately no way for antivirus software to know if the website you are trying to visit is safe or malicious.
Most antivirus products use HTTPS interception to overcome this issue. This involves installing a local proxy server that creates fake SSL certificates. When you visit an HTTPS website, your connection is routed through your antivirus’ proxy server, which creates a new SSL certificate and checks the safety of the site you’re trying to access. If your antivirus software judges the website to be safe, the site loads as normal. If the website is unsafe, the proxy will display a warning in your browser.
By redirecting your data through a proxy, your antivirus is decrypting the data you send on encrypted connections – data that is only meant to be visible to you and the HTTPS website.
There are a few ramifications here:
- Because your antivirus is faking SSL certificates, there’s no way to be 100 percent certain that the website displayed in your browser is the real deal. In late 2017, Google Project Zero researcher Tavis Ormandy discovered a major bug in Kaspersky’s software. In order to decrypt traffic for inspection, Kaspersky was presenting its own security certificates as a trusted authority, despite the fact that the certificates were only protected with a 32-bit key and could be brute forced within seconds. This meant that all 400 million Kaspersky users were critically vulnerable to attack until the company patched the flaw.
- Most antivirus products query the safety of a URL server side, which means the company could potentially track your browsing habits if they wanted to.
- It increases the risk of phishing attacks and man-in-the-middle exploits.
A team of researchers even published a paper on the troubling security implications of HTTPS interception by popular antivirus companies, where they noted:
As a class, interception products [antivirus solutions that intercept HTTPS] drastically reduce connection security. Most concerningly, 62% of traffic that traverses a network middlebox has reduced security and 58% of middlebox connections have severe vulnerabilities. We investigated popular antivirus and corporate proxies, finding that nearly all reduce connection security and that many introduce vulnerabilities (e.g., fail to validate certificates). While the security community has long known that security products intercept connections, we have largely ignored the issue, believing that only a small fraction of connections are affected. However, we find that interception has become startlingly widespread and with worrying consequences.
VPN.ac examined the issue as well and discovered that antivirus suites carrying out HTTPS interception also break HTTP Public Key Pinning (HPKP):
HPKP is a technology enabling website operators to “remember” the public keys of SSL certificates in browsers, enforcing the use of specific public keys for specific websites. This reduces the risk of MiTM attacks using rogue/non authorized SSL certificates. But HTTPS scanning and HPKP can’t work together, therefore if a website has HPKP enabled, when you access it the support for HPKP for that site will be disabled in the browser.
VPN.ac found this to be the case with ESET, Kaspersky, and Bitdefender:
Tip: Avoid antivirus software that utilizes HTTPS interception/scanning, or just disable this “feature” within your antivirus.
3. Installing potentially unwanted programs on your computer
Even if your antivirus doesn’t pose a direct threat to your privacy, it may come bundled with software that does. As the name suggests, potentially unwanted programs, or PUPs for short, are applications that you may not want on your computer for various reasons.
While they’re technically not malicious, they usually change the user experience in some way that is undesirable, whether that’s displaying advertisements, switching your default search engine, or hogging system resources.
Many free antivirus products come with PUPs such as browser toolbars, adware, and plugins that you may inadvertently allow to be installed while quickly clicking through the installation process.
For example, free versions of Avast and Comodo try to install their own Chromium-based web browsers, which you may or may not want on your computer. Meanwhile, AVG AntiVirus Free automatically installs SafePrice, a browser extension that claims to be able to help you find the best prices while shopping online. Unfortunately, it can also read and change all your data on the websites you visit.
A few years back Emsisoft found that most free antivirus suites were bundled with PUPs. Here were the culprits:
- Comodo AV Free
- Avast Free
- Panda AV Free
- AdAware Free
- Avira Free
- ZoneAlarm Free Antivirus + Firewall
- AVG Free
PUPs aren’t inherently malicious, but they can seriously encroach on your privacy. Some PUPs will track your search history or browser behavior and sell the data to third parties, while others may compromise your system’s security, affect system performance, and hinder productivity. Keep unwanted applications off of your computer by carefully reading installation options during the setup process and only install the software and features that you need.
4. Cooperating with governments
It’s theoretically possible that antivirus software could be leveraged to help government agencies collect information on users. Most security software has very high access privileges and can see everything that’s stored on a computer, which is necessary in order for the software to keep the system to safe. It’s easy to see how this power could be used by nefarious parties to spy on individuals, businesses, and governments.
Kaspersky Lab, a Russia-based cybersecurity company whose products account for about 5.5 percent of antivirus software products worldwide, was embroiled in a major privacy scandal a couple of years ago. According to the Washington Post, Kaspersky software used a tool that was primarily for protecting users’ computers, but also could be manipulated to collect information not related to malware. Kaspersky is the only major antivirus company that routes its data through Russian Internet service providers, which are subject to Russia’s surveillance system.
In September 2017, the U.S. government banned federal agencies from using Kaspersky Labs software following allegations about cooperation between Kaspersky and Russian intelligence agencies. Shortly after, the FBI began pressuring retailers in the private sector to stop selling Kaspersky products, and the British government issued a warning to government departments about the security risks of using Kaspersky software.
Of course, it would be naive to think this issue is limited to Russian software. Similar concerns have been raised recently about Huawei equipment with “hidden backdoors” installed.
“Antivirus is the ultimate back door,” explained Blake Darché, a former N.S.A. operator and co-founder of Area 1 Security, as quoted by The New York Times. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”
5. Undermining security and giving hackers access to private data
Sometimes, security software does the opposite of its desired intent by undermining your security.
One such case occurred with the Royal Bank of Scotland (RBS), which was offering Thor Foresight Enterprise to its business banking customers. In March 2019, Pen Test Partners discovered an “extremely serious” security flaw with the software that left RBS customers vulnerable:
Security Researcher Ken Munro told the BBC: “We were able to gain access to a victim’s computer very easily. Attackers could have had complete control of that person’s emails, internet history and bank details.”
“To do this we had to intercept the user’s internet traffic but that is quite simple to do when you consider the unsecured public wi-fi out there, and it’s often all too easy to compromise home wi-fi set ups.
“Heimdal Thor is security software that runs at a high level of privilege on a user’s machine. It’s essential that it is held to the highest possible standards. We feel they have fallen far short.”
While Heimdal was quick to patch the vulnerability within a few days, it does raise an interesting point. That is when your security software is actually undermining your security.
Choose your antivirus software wisely
In the best case scenario, antivirus companies use your data responsibly to refine their products and provide you with the best malware protection possible.
In the worst case scenario, they sell your data to third-party advertisers, install annoying software on your system, and cooperate with government agencies to spy on your personal information.
So, how do you sort the best from the rest?
- Pay for your antivirus software. Most free antivirus products will be far more liberal with your data than premium software as the company ultimately needs to monetize their services in some way.
- Read the end user license agreement. Know what you’re getting yourself into before you install the product. Take a moment to read the license agreement and/or the company’s privacy policy to find out what the organization intends to do with your data.
- Read installation options: It’s easy to blindly click through “Next” when installing new software. This can result in the installation of browser toolbars, adware, and all sorts of other PUPs, which can encroach on your privacy in various ways.
- Customize privacy settings. Some antivirus software will allow you to customize privacy settings such as usage statistics, browsing behavior, and whether to upload malicious files for analysis. Adjust these settings to maximize your privacy.
- Read AV reports. Some independent analysts release reports on how antivirus companies handle your data. Take the time to read these reports and reviews to get a better understanding of a company’s reputation and how it handles privacy matters.
It’s important to note that this article isn’t a rallying call to abandon all antivirus software in the name of privacy, because there are some good players out there.
Antivirus software is an essential part of modern IT security and plays a critical role in protecting your data against malware, phishing, and a plethora of other digital attacks that pose a real threat to everyday users.
While some antivirus providers are invasive and should be avoided, there are still some companies that strive to protect their users’ privacy. Emsisoft, for example, has earned itself a reputation for providing reliable protection without compromising its users’ privacy. ClamAV is another privacy-friendly option that is completely open source.
So do your homework, weigh up your options carefully and remember that not all antivirus solutions are created equal when it comes to respecting your privacy.
Hi Sven,
Very informative and much needed article. Thank you for writing this.
You stated in the comments how privacy on Android was a joke. I’d like to know which phone you use with which operating system? As far as I’m aware, Apple is no better. So the only other viable option is Lineage on Android. Is this correct?
Many thanks
I do not use a phone very often and simply do not spend much time trying to figure out how to have more privacy on phones. I’m just not someone that spends much time on a phone, outside of phone calls, which obviously are not private anyway. Privacy on a phone is extremely challenging, as we covered in:
Controlling Communication Channels
How to Really Be Anonymous Online
Well it’s been a while since I commented here, but I’ve been reading regularly.
The best two mobile OS right now (IMHO) are GrapheneOS & CalyxOS, they are both built on Android. For security/privacy, GrapheneOS is marginally ahead, but CalyxOS is more “normie” friendly, as you can install the regular Google Play apps you might be used to.
However, since the hardware itself that these two options are based on (Google Pixel Phones), that may be offputting for privacy die-hards. The problem is though, is that Pinephone & Librem5 are difficult to get, Librem5 or Librem5 USA hasn’t shipped for months & Pinephone…you’re essentially a beta tester using a cheap Chinese phone, that is based on hardware that’s years old. You’re not going to attract the masses with that.
I think more will become available, there’s a budding industry for such users.
Hi Richard, good to see you back! It’s been a while.
Indeed! I keep an eye & have shared this site with others. I hope your revenues are up & so are your site regulars.
Hi Sven,
I have heard that ClamAV is very good. My concern is that it does not do real-time scanning (prevents attackers entering). I have also heard that ClamAV does not scan memory.
Is this true and if so should this be of concern?
Regards,
BoBeX
Hi BoBeX, I have not tested ClamAV and do not know.
Hi Sven,
Kaspersky has caused me several concerns.
The first was the persistent recommendations that there is some threat and to upgrade to there paid service. These would come in the form of your email address has been compromised; but they actually offer no information that was not already available on “haveibeenpwnd.com.” (Not my email but family members machines that I had installed the product on)
Secondly, (after an update – in the last three months) Kaspersky were advising of compromised email addresses but these addresses were not specific to the machine or the Kaspersky account; rather, they were of other family members. So Kaspersky was advising a user that “your” (though it was not the correct account) email has been compromised. The advised me incorrectly that “my” email account (not my email account – a family members) has been compromised (Again known from haveibeenpwnd.com). This family member has had no access to my machine or accounts – the same family member is not at all a Kaspersky user; however they are clearly correlating people in my social network.
Thirdly, I contacted Kaspersky about this concern; however their complaint web-form had a very short character limit so I sent them my email address stating that I wished to make a complaint and they did not respond.
Fourthly, I changed my DNS provider to OpenDNS recently and in the information provided to me on what a site would look like, what an error message would say if they had blocked a malicious site. The error message occurs and looks exactly like what was shown; accept, it says blocked by Kaspersky. It appears they are intercepting the page and modifying the content.
Fifthly, Kaspersky is no sending me messages stating, we have detected x amount (say 4000) web trackers. They have only started sending me this message since I changed my DNS provider (Browser based extensions did not trigger this change – it appears clear it was the DNS provider change) (I do not always use a VPN – any of my google accounts or my password manager start complaining when I am not located where they think I should be – probably a good thing)
Kaspersky is monitoring and intercepting a lot if not all of my traffic and I am unhappy with how the use my data. Their hysterics has a great reputation (I do not know if this is warranted) but for me they completely fail on every other account.
I believe they are unethical and possibly use some predatory looking practices.
Regards,
BoBeX
can you review more antivirus products so we have a better idea of what to choose? things like clamav and emsisoft are definitely not the highest rated antivirus programs last I checked. there is also the question on whether or not you can have multiple antivirus programs without hurting the computer or causing conflicts or whatever… is malwarebytes good or a scam? do you use emsisoft? do you use clamav? do you use windows defender? is windows defender spying on us? is bitdefender spying on us? is malwarebytes spying on us? what program should we pay for?
also, a lot of antivirus companies now offer vpn services, such as avast vpn. I presume you want us to stay far away from them?
We don’t get too involved in antivirus solutions here. If you are still on Windows, then the built-in antivirus is more than sufficient, and if you are on Linux or Mac OS, I think you can skip the antivirus and just use common sense, good blocking tools (such as an ad blocker, tracker blocker, malware domain blocker, etc.) and if you see a suspicious link or file, run it through VirusTotal.
Sven. Just a question regarding HTTPS interception as mentioned above and used by certain Antivirus suppliers, and found by VPN.ac. Are we wanting to have both lines green, or both red?
Thanks for your great work, and I am .giving friends a link to your website
If the americans accused Kaspersky of collusion with the Russian government then you can bet that the American government is in bed with AV companies in the US and allied countries. They ddin’t object to Kaspersky’s activities in the name of protectin privacy, but only because their own privacy was compromised. The US government has shown it has absolute contempt for the privacy of its citizens and people worldwide and it has also demonstrated a desire to collect as much information about as many people as possible. Information is power after all. It is extremely naive to think that the US agencies are not taking as full advantage as they possibly can of the high level of access that AV companies have to the personal data and activities of private individuals, companies and other countires. I would even go as far as to say that the vast expansion of AV programs in recent years, in terms of the software they run on your computer and the activities of yours that they monitor, only makes sense as a response to the desire to surveille you rather than protect you.
Hi Sven,
I installed Emsisoft on my SmartPhone. The first thing I’m asked for is to login with Google!
Reading your article that cannot be a good sign, or am I wrong. I believe that ClamAV is not good to protect your device, but is only good to clean an infected one. What privacy friendly reliable AV for Android do you suggest? Bitdefender, Sophos….?
I still think Emsisoft is the best all-around option. I’ve never tried it on Android, but expecting anything to be private on Android is a joke to be honest. It’s like privacy at an airport.
Hi Sven,
Emsisoft for Android consists 4 inbuilt trackers that means leak of privacy. Only one Android antivirus that I found free of trackers is ESET. Please correct me if I’m wrong but each tracker is a broken privacy issue. It is same for Android browsers – full of trackers up to 9 in Opera. But there are still existing without.
I am an old (75) not really technical guy that used to visit pirate bay and download about 10 hours a week of shows on premium channels and some movies….I did this for about 7 years without a vpn (didn’t even know what that was) when covid started I downloaded more movies to watch and got the STOP! or you’re going to jail letter from my isp and from the owners of the movies I downloaded, so I quit and haven’t done it in a year…but now I am paying about $50 a month for premium channels and streaming services, but am watching very few shows, about 10 hours a week and only if its a series or special. the last thing I watched was on showtime and that was 1 hr a week….my question is this: if I get a vpn can I go back to using pirates bay (that’s there only place I visited) to get my sporadic tv shows and reduce the number of premium services I am buying to see the occasional series I want to watch….I don’t download music, software, games, porn, just 5-10 hours of tv shows and an occasional movie…will a vpn allow me to use the pirates bay for the small quantity of what I want…..any feedback that helps me decide if I can just visit just that one site would be greatly appreciated…..thank you
Hi Richard. Yes, in fact, using a VPN for torrenting / Pirate Bay is very common and popular. And any time that there may be a “grey area” with copyright issues, I recommend using a VPN and being smart. Simply enable the VPN on your computer and continue on with business as usual. We also have a guide discussing torrenting with a VPN here.
thank you
In my view, like any privacy or security-oriented product, deciding on whether to have anti-virus depends on your threat model. For someone who doesn’t do a lot of transactions through their computer or or doesn’t go to a lot of websites, then it makes sense to use a free service, like ClamAV, including Windows Defender if you use Microsoft’s operating system.
But for someone who is online frequently and does a lot of transactions including downloading, then anti-virus might be something to consider. For me, I do a lot of surfing and transactions but try to be cautious about my activity or where I go and what I do. The anti-virus I use (Kaspersky) has done a great job of protecting me from all kinds of virus infections which (thankfully) doesn’t happen very often.
when I got this Lenovo win 10 laptop it had Kaspersky, It was was a free 30 day option I immediately dumped it and got Norton because that’s what I’d already paid for, but Norton had been acting evil before I bought this computer. Pretty sure it trashed that old computer I had. They even put me on hold for 4 hours and I was so angry I waited that whole time because we had already had a eula I signed and agreed to, but they made me sign another, mid-contract, saying I would not do a class action lawsuit if we had a dispute, but get my own lawyer, proobably so they could pay them off and I refused, so after putting me on hold for 4 hours they hung up the phone on me. So, they gave me a free month for my trouble then managed to shorten it by 2 months tricking me into an update which turned out to be an upgrade I could tell by numerous signs it was malware and I biotched about it every single day on Facebook but nobody listened or cared. I don’t trust any VPN’s, especially Norton’s. I am still left with a Kaspersky vault folder after uninstalling, so I renamed the empty folder ‘garbagespying’ because I can’t get permission to delete it. but luckily, I do not trust any vaults because Norton ruined that trust relationship, too. I still use Norton because that’s what I paid for, but I don’t ask for remote assistance help anymore and there’s a few other measures I take to protect myself the best I can from them while they allege to be looking out for me. I don’t trust Bill Gates or any of his products, and only a couple of months ago I finally went from win 8.1 to win 10 when I got this machine. You cannot trust anything even if you pay because humans are the creators and humans are corrupt. As for Norton. I never had any intention of suing them. I just couldn’t believe they preemptively wrote that in because they knew they were going to continuously offend and disrupt me so bad I might feel the need to do so. Warning: Update means upgrade in most cases and moving the due date up a month or so. Due date went from February 2021 to December 2020. I truly believe they fried my last computer because I had the unmitigated audacity to call them out for the fact I had my remote assistance turned off on my control panel but they were still able to gain access. I thought I’d have to let them in by turning that feature on. Everything about antivirus screams virus to me and it always has.
Also, I forgot to say, great article. Even a dummy like me can understand it.
Hi Sven,
Thank you so much for this site, it’s an excellent source of information.
One question for you, do you have any thoughts on firewalls?
Hello,
Great site, very good content.
Sven Taylor, what antivirus do you recommend for Android ?
Regards,
So i posted this a little earlier and it looks like it didnt post. A little while ago, i cant remember exactly now i had a mate come over and i was copying something to his usb drive. my bitdefender automatically started scanning the files on the drive and although nothing was flagged up, i did notice that he had lots of game roms on there and i didnt think to ask but i would imagine they were not legal. Having read this article im now really concerned that my paid for bitdefender with my name and address will now be flagged as someone with illegal software and somehow this can be used by the authorities! Is this just paranoia on my part?
I definitely would not worry about that. These scans aren’t for pirated/copyrighted material.
thanks sven.
Got any firewall recommendations?
No, not really. This is not something we have spent much time on.
Hello everyone! I discovered this great site and now I read a bit everyday.
I’ve been following many of the suggestions given by the authors and writers here. I have a couple of questions for anyone knowing about this:
– I use Microsoft Defender: do I still need another AV?
– to optimize my laptop, I have GlaryUtilities: any references on this?
– I also use SuperAntiSpyware: is it good?, concerning privacy I mean
Thank you in advance!
no none of them are good!!
in comparison kasper or bit always win(ransomware, keylogger detection…)
all the win optimizer are like the Chinese android cleaner, file manager etc… there is no such a think about data protection or any agreement about don’t sell your data
SuperAntiSpyware no! believe it ore not for several year I never installed any av or spy protector!!! yeah i use o&o shut because its so tidies editing registry or disabling services manually… after all all i never see any problem with my pc because i know where I’m clicking and I’m going…
just little advise disable all the av kasper,bit,win def etc .. disable any safe browsing like what chrome doing… read more about privacy… install o&o… disable all the telemetry or install 1809 ltsc… instead of using win optimiser which is lie! update your hardware have a ssd…
Thank you for recommendation! Great software!
Bitdefender is best product I’ve ever seen in security suites and believe me I tried everything.
But it’s not privacy friendly like every one in market.
[https://www.europol.europa.eu/newsroom/news/massive-blow-to-criminal-dark-web-activities-after-globally-coordinated-operation]
Looking into that further, I looks like Bitdefender actively monitors the Dark Web for chatter about hacks and stolen passwords and it doesn’t relate to antivirus scanning.
SecureAPlus
[https://www.secureaplus.com/features/compare/]
The name reminds me of one, as in 2a-squared of the old dual detection engines used by Emsisoft’s AV. Or however it was tied. Though with first glance it looks to be similar to HitManPro AV. Maybe on the side of AI steroids.
SecureAPlus is the unique amalgamation of essential security features that protect enterprise endpoints against multiple attack vectors – known or unknown, file or file-less, internal or external.
With multiple layers of defense through its powerful yet simple Application Whitelisting, more than 10 anti-virus engines in the cloud with Universal AV, and AI-powered APEX engine rest assured that it is the only security solution ever needed.
Though that statement sounds off to the enterprise level it’s not really. As the pricing to the consumers endpoint with a comparing of plans and in the features can be realized from the link. Wonder if it can be test ran here?
Hello Sven!
Do you think bitdefender is a good option?
I’ve been using Comodo CIS v.12 for 1-2 years and haven’t experienced what any of the negative comments have mentioned. They do offer a Chrome based browser as an OPTION during the install process; they don’t force you to take anything. Comodo Dragon is actually Chrome with the google services and privacy risks stripped out. It’s rebuilt from the ground up to be far safer than Chrome. Even so, I have been and remain a Firefox user for years.
Regarding Comodo, their firewall may be unequaled. I usually recommend it for intermediate to advanced users. Keep in mind, the default settings are not recommended. The firewall can be hardened to a much greater degree by customizing the settings.