Are Anti-Malware products Uploading Your Private Data?
Privacy & Security By mirimir | Posted on July 14, 2017
Given that you’re reading this on IVPN’s website, you probably care about online privacy. And you probably use VPN services to hide your online activity from ISPs. That’s prudent, because ISPs clearly spy on their customers. In March 2017, the Trump administration blocked FCC rules that would have protected the privacy of ISP customers. The argument was that ISPs should have the same rights to use customer data “for commercial purposes” that Google et alia do. And there’s arguably more in play than ISP profits, given MPAA’s efforts to fight “piracy” and complaints from the FBI about “going-dark”. That’s even starker in the UK. The Investigatory Powers Bill, which went into effect in November 2016, requires ISPs to retain users’ browsing history “for up to a year”.
OK, so you use VPNs. But what about other threats to privacy and security? Well, there’s a fundamental problem: with modern designs, manufacturers arguably have ultimate control over hardware. The driver is ostensibly enhanced security and efficiency for enterprise customers. Most users can only trust that these capabilities won’t be used to pwn them. For desktops, key concerns are Intel’s Management Engine and AMD’s Platform Security Processor. It’s possible to disable parts of Intel ME on some hardware, but brickage is possible.
Moving right along, what about operating systems? You’re most likely using Windows (39%) or Android (37%). There is long-standing concern among privacy-conscious users about spying by Microsoft, especially since Windows 10. Windows 10 does indeed scan computers for pirated software. Google’s business is based on personal data, and it’s rather upfront about that. Both Microsoft and Google disclose that they share personal data with third parties for various commercial and legal reasons. Conversely, Apple has staked its reputation on protecting users’ privacy and security with extreme ecosystem control. The downside for users is that ecosystem control means higher cost devices. One might say that Apple sells stuff to you, Google sells you to others, and Microsoft does some of both.
So anyway, the top concern for Windows users is clearly malware. That’s been the case for decades. For most users, the major threats are probably ransomware, botnets and banking trojans. Some also worry about NSA and CIA malware. However, while the cyberweapon toolkits are impressive, widescale deployment seems unlikely.
However, there is a quandary for Windows users who want protection against malware, but also have hardcore concerns about their privacy. Back in the day, anti-malware software scanned local processes and files, relying on periodically updated threat databases. But given the volatile threat environment, it’s become common to share user information with providers in real time. That apparently includes geographic location, URLs, running processes, names and paths of files, and even “suspicious” files themselves (even documents). The Emsisoft blog has also covered this issue.
Let’s say that you’ve installed the IVPN client on your Windows machine. You use an anti-malware app, registered with (and perhaps paid for) using your real name. So now, the anti-malware servers may see what IVPN exit you’re using, what websites you’re visiting, what files you’re streaming and downloading, what other software you’re running, what documents you’re working on, etc, etc, etc. Even if you’re using a free anti-malware app, there are potentially still records of what you’re doing with and without the IVPN client connected.
There are many anti-malware products, so I will focus on the best-rated and most privacy-friendly. The top award in AV-Comparatives’ 2016 Summary Report went to Avira Anti-Virus Pro. The runners up were Bitdefender Internet Security and Kaspersky Lab Internet Security. Other highly rated products were Emsisoft Anti-Malware, ESET Internet Security, Tencent PC Manager, and ThreatTrack VIPRE. However, according to AV-Comparatives’ 2014 report, Data transmission in Internet security products, Bitdefender doesn’t let users opt out of uploading “suspicious” files. And Tencent isn’t listed. The others do permit opting out. Conversely, AhnLab Internet Security apparently wasn’t rated in 2016, but it reportedly never collects URLs or file names, and doesn’t upload files, just hashes. And finally, Windows Defender (or Microsoft Security Essentials on Windows 7) is arguably the default (and occasionally recommended) solution for Windows users. It’s too bad that we don’t have a more comprehensive set of CIA anti-malware reviews.
So what do these anti-malware providers disclose in their privacy policies? Well, AhnLab and Emsisoft both say that they won’t share personally identifiable information (PII) with third parties, without exception:
AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”
Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”
Avira and Kaspersky disclose that they will share PII when requested or required:
Avira: “Finally, Avira may disclose your PII if we are required by law to provide it to governmental agencies, courts or other authorities.”
Kaspersky: “We are always ready to assist national and international law enforcement agencies if they request it.”
The others go even further. They disclose that they will share PII voluntarily, when there are concerns about “unethical” activity and “safety”:
ESET: “We may disclose Personal Information and any other information about you if we believe it is reasonably necessary to respond to legal requests (including court orders, subpoenas, government inquiry), to protect the safety, property, or rights of ESET, to prevent or stop any illegal, unethical, or legally actionable activity, or to comply with the law.”
Malwarebytes: “We may disclose PII to government agencies, law enforcement officials, and private parties as we, in our sole discretion, believe necessary: (1) to satisfy or comply with any applicable law, regulation or legal process; (2) to respond to lawful requests, including subpoenas, warrants or court orders; (3) to protect our property, rights and safety and the rights, property and safety of third parties or the public in general; and (4) to prevent or stop activity we consider to be illegal or unethical.” [But what about >this claim re user privacy?]
Microsoft: “Microsoft may access or disclose information about you, including the content of your communications, in order to: (a) comply with the law or respond to lawful requests or legal process; (b) protect the rights or property of Microsoft or our customers, including the enforcement of our agreements or policies governing your use of the services; or (c) act on a good faith belief that such access or disclosure is necessary to protect the personal safety of Microsoft employees, customers, or the public. We may also disclose personal information as part of a corporate transaction such as a merger or sale of assets.”
ThreatTrack: “We may also disclose your personal information to third parties to: Comply with any court order or other legal obligation. … Protect the rights, property, or safety of ThreatTrack Security, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.”
Still, none of them are likely as bad as Shrive, or even the FBI’s NIT malware or Geek Squad operation.
I’ve looked at data uploading by seven anti-malware products. I used a fresh Windows 7 Ultimate SP1 (64-bit) VirtualBox VM for each product. I declined all data-sharing options during installation. After updating the products threat database, I did a full system scan, enabled all data-sharing options, and scanned again. The Windows 7 VMs reached the Internet through a pfSense VPN-gateway VM, and I captured packets during scans using the utility in the pfSense WebGUI. Using Wireshark, I analyzed TCP conversations in each capture file.
AhnLab V3 Internet Security 8.0
It uploaded ~7 KB during scan with Smart Defense off, and nothing during rescan with it on.
Avira Anti-Virus Pro:
There was no opt-out for Protection Cloud during installation.
It tried to deanonymize during installation using Mixpanel.
It uploaded ~38 KB during scans, with Protection Cloud off or on.
Emsisoft Anti-Malware:
It uploaded nothing during scans, with Anti-Malware Network off or on.
ESET Internet Security:
It required email to install, and hid LiveGrid options during installation.
It uploaded ~120 KB on first scan, but nothing during rescans.
Kaspersky Internet Security:
It uploaded >400 KB with Kaspersky Security Network off, but just ~15 KB during rescan with it on.
Microsoft Security Essentials:
It hid Microsoft Active Protection Service “basic membership” during installation.
It uploaded ~25 KB with basic MAPS, and nothing during rescan with MAPS fully enabled.
ThreatTrack VIPRE:
It required email to install.
It uploaded 120 bytes with ThreatNet off, and 3.8 KB with it enabled.
Bottom line, AhnLab and Emsisoft seem to be the best options from a privacy perspective. Both clearly state that they won’t share user information with third parties, without exception. AhnLab allegedly doesn’t upload anything except aggregate statistics. With Anti-Malware Network enabled, Emisoft does upload name and path for “suspicious” files, but users can opt out. Emsisoft Anti-Malware was just a third-rank product in AV-Comparatives’ 2016 Summary Report, but AV-Comparatives notes that “all of the programs in our test reached an acceptable level overall”. AhnLab apparently didn’t choose “to have the effectiveness of their products independently evaluated”, and that could be taken as evidence of poorer performance.
On the other hand, Avira and Kaspersky received higher ratings from AV-Comparatives. Neither discloses that it shares PII voluntarily. And both provide the option to decline uploading. However, whichever anti-malware product you choose, declining uploading will increase the risk of detection failure. You could allow uploading while working without the VPN connected, and disable it before connecting. You could also use different anti-malware products with and without the VPN connected. In that case, it would be prudent to delete or encrypt sensitive files that you’ve downloaded through the VPN.
Update
I didn’t look carefully at Bitdefender Internet Security, because users can’t opt out of uploading “suspicious” files. Of the products that I did research, only AhnLab and Emsisoft assert that they won’t share user information with third parties. Even so, I didn’t find any evidence that any anti-malware provider had compromised its users.
Until now, that is. This excerpt from a Europol press release needs no explanation:
With the help of Bitdefender, an internet security company advising Europol’s European Cybercrime Centre (EC3), Europol provided Dutch authorities with an investigation lead into Hansa in 2016. Subsequent inquiries located the Hansa market infrastructure in the Netherlands, with follow-up investigations by the Dutch police leading to the arrest of its two administrators in Germany and the seizure of servers in the Netherlands, Germany and Lithuania.
Bitdefender has admitted that it compromised a user.
Suggest an edit on GitHub.