Serious Discussion Do Antivirus Products Spy on You More Than They Protect You?

[Bot]

Most people install antivirus software to increase privacy and security. But have you ever wondered how much data your AV actually collects from you?


Recent reports and telemetry disclosures show that many antivirus vendors — including popular names like Avast, Kaspersky, and Norton — have been caught or accused of:

• Collecting user browsing data and selling it through subsidiaries.
• Uploading unknown files or URLs to their “cloud reputation” systems.
• Tracking app usage, device info, and behavior analytics for marketing.

Even Microsoft Defender uses telemetry deeply integrated into Windows.


So the big question is — are antivirus programs still “security tools,” or have they become data-harvesting services disguised as protection software?


Points to debate:

• Is AV telemetry a necessary tradeoff for better threat detection?
• Do you trust antivirus companies with more data than Microsoft or Google?
• Should privacy-focused users ditch traditional AV and rely on OS hardening, browser extensions, and sandboxing instead?
• Where’s the line between protection telemetry and spying?
• Do privacy laws like GDPR or CCPA actually protect users here?

 

[Sorrento]

Some are worse than others but an AV has to know more or less everything we do, so I don't really trust any AV totally, its became a part of life, in the UK there are cameras everywhere, so real Ife is not much better so I live with it.

 

[RoboMan]

Data collection paranoia is at its peak the last couple of years. Some people never participated in any software project nor have they read anything about software development and it shows.

Pretty much ALL software has a box in its configuration about telemetry and data collection. It's a must. You can't correctly develop a program, fix bugs, and implement new features without statistics and information. And this isn't exactly bad news for users, on the contrary actually.

There are some programs that will require more data than others, and some programs that are gonna be more aggressive on the type of information they need. For example, operating systems or kernel-level software won't demand or ask for the same amount and type of information than a Weather app for Windows.

I'd start to worry when a piece of software starts uploading my personal documents and files to their servers. But that's never gonna happen. And if it does, I'm sure my antivirus will flag it as malicious behaviour

 

[Miravi]

Data is the new currency in the digital era. In the case of Avast, it just so happened that they were accused of improperly anonymizing the data they wanted to profit from. Telemetry is mission critical for an antivirus, and it's no secret that these cybersecurity networks transmit astonishing amounts of data to process and store on their servers. They don't just upload files and other related information, but also the URLs you visit.

You would need to be exceptionally restrained in your technology choices to escape most of the data collection taking place everywhere all the time. At the very least, it's meaningful to know and accept the conditions of the choices we do make.

 

[Jonny Quest]

I believe with Avast that was a couple of years ago, and was acknowledged and resolved?
And even though this is two years old, my be helpful in some way. See page 7 summary chart.

https://www.av-comparatives.org/wp-content/uploads/2023/07/avc_data_sending_2023.pdf

 

[jackuars]

Really great answers by Roboman, Sorrento and Miravi.

In short, antivirus software needs to collect data to work effectively, but that also means users have to accept a trade‑off between protection and privacy in a world where nearly every digital service is harvesting information in some form.

 

[Divine_Barakah]

Data collection paranoia is at its peak the last couple of years. Some people never participated in any software project nor have they read anything about software development and it shows.

Pretty much ALL software has a box in its configuration about telemetry and data collection. It's a must. You can't correctly develop a program, fix bugs, and implement new features without statistics and information. And this isn't exactly bad news for users, on the contrary actually.

There are some programs that will require more data than others, and some programs that are gonna be more aggressive on the type of information they need. For example, operating systems or kernel-level software won't demand or ask for the same amount and type of information than a Weather app for Windows.

I'd start to worry when a piece of software starts uploading my personal documents and files to their servers. But that's never gonna happen. And if it does, I'm sure my antivirus will flag it as malicious behaviour

Google, thought it's not a security product, asks to submit your browsing data to it so that it can offer better protection.

Privacy is a right. Your personal data is not just your personal documents. You have a life in the real world and so you do online. The amount of data collected about you is insane. The data is collect to feed and train AI, to send you targeted data and even for surveillance. I'm not OK with any of this especially if it did not ask for my consent.

We have seen a lot of "functioning" products that never collected any data. I do understand that data collection is sometimes required, but how this data is used or maybe sold to 3rd parties is sth else.

 

[jackuars]

Google, thought it's not a security product, asks to submit your browsing data to it so that it can offer better protection.

Privacy is a right. Your personal data is not just your personal documents. You have a life in the real world and so you do online. The amount of data collected about you is insane. The data is collect to feed and train AI, to send you targeted data and even for surveillance. I'm not OK with any of this especially if it did not ask for my consent.

We have seen a lot of "functioning" products that never collected any data. I do understand that data collection is sometimes required, but how this data is used or maybe sold to 3rd parties is sth else.

Look, I’m totally with you on the selling data/surveillance aspect. That stuff is unacceptable. But there is a massive misunderstanding about what product teams actually use this data for vs. what marketing teams do. There is a lot of paranoia going around.

I work as a Product Manager, and honestly, the 'functioning products of the past' argument is a bit of rose-tinted glasses. Those products were full of bugs; people just lived with them.

From my side of the fence, here is the reality:
If I release an update without telemetry, I’m flying blind. I only know there’s a bug if a user gets angry enough to write a support ticket. By the time that ticket reaches me, 10,000 other users might have already uninstalled the app.

It also stops software from becoming bloatware. Users always ask for niche features, but data often shows us that maybe only 0.05% of people actually use them. That allows us to cut the dead weight so the app stays fast for the 99% of people who don't care about that feature. We don't care who clicked it, just the total numbers.

Plus, hardware is a nightmare now compared to the 'old days.' There are millions of driver/screen/chipset combos. If a video player crashes on one specific Nvidia driver version, the team physically cannot reproduce that in the lab without the software sending back technical logs.

I get the privacy concern, truly. But it feels ironic when people post about this from smartphones that harvest more data in an hour than a desktop app does in a year. We have to draw a line between an app stealing your identity and an app just asking, 'Did I crash on startup?'"

 

[Zero Knowledge]

Some great posts here. I'll add that as time goes by I'm less worried about telemetry, I get it's needed and useful so I accept that.

What I don't accept is targeted advertising or tracking, that to me is

 

[Victor M]

As long as they have procedures/program-routines to mask out the personal info I am not too concerned. AV's have to collect data to provide wide protection, whether is is regarding software reputation, or malware behavior. Personal data need to be masked out, like substituting *** for your credit card number.

 

[Divine_Barakah]

As long as they have procedures/program-routines to mask out the personal info I am not too concerned. AV's have to collect data to provide wide protection, whether is is regarding software reputation, or malware behavior. Personal data need to be masked out, like subsituting *** for your credit card number.

Some great posts here. I'll add that as time goes by I'm less worried about telemetry, I get it's needed and useful so I accept that.

What I don't accept is targeted advertising or tracking, that to me is

Data collection is not the problem, but rather how the collected data is being used. For example if you use MD web extension, I believe all your visited urls will be submitted to MS, but how does MS use the colleccted data?

A product like Emsisoft offers a web extension that is privacy-friendly and as far as remember, it does not send any of the visited urls back to Emsisoft. I know I am talking about one point, but it can be valid for a wider perspective. its either you respect my privacy or invades it and use my data for different purposes there is nothing in between

 

[Victor M]

In the end you have to trust their processes. When they have a privacy prolicy, then you are better off.

In my case, I don't really care. My AV is on my pwn machine, I don't use it much, it just sits in the DMZ waiting to be pwned. And then I study it. My daily driver is a Linux machiine. Not your typical big-corp arrangement.