ESG data shows that 57% of enterprises have either already switched to free antivirus software or are actively exploring the option. It makes some sense: Free AV programs have posted competitive efficacy rates against paid versions, and AV is increasingly viewed as an IT operations checkbox as opposed to a pure endpoint security control. There also seems to be a decreasing need to assign budget for AV. The thinking is that those dollars could instead be spent on newer technologies such as advanced endpoint anti-malware products, endpoint forensics, or endpoint analytics. For many organizations, ditching paid antivirus for a free product could be viewed as a sensible cost-cutting move.
But then something like today’s Avast news hits the wire. Avast, an extremely popular free antivirus product that regularly posts competitive efficacy rates, has apparently been stealthily spying on users. Even users who claim to have custom-installed the product and opted out of the toolbar are reporting that the toolbar magically appeared in the browser later on, slowing their system and deleting competing toolbars. Why? Avast offers a product called SafePrice, which helps customers find competitive prices when shopping online. And it should be noted that SafePrice can be a perfectly valuable tool for those who select it and choose to opt in to the data collection functions. The problem is that for the unaware, the SafePrice extension is sending non-anonymized browser history to Avast servers (ostensibly to help Avast target customers with prices and ads that fit their user profiles).
Browser extensions collecting data on a user is not new, and sadly, it is not even unexpected. But there is a separation of church-and-state issue at play here. Users tend to download Avast to block adware and spyware, even the "benign" versions. By playing both sides of the fence, Avast has compromised its integrity more than slightly. And in the larger sense, this incident may cast a shadow of doubt over free AV as a whole—free programs still need to make money, and if other free AV vendors' methods for profit are as questionable as Avast’s seem to be, then maybe users (and, more importantly, enterprises) will continue to choose paid AV products that do not blur the line between security and profits.
There can be comfort in knowing where a vendor’s loyalties lie, and for traditional paid AV vendors like McAfee, Kaspersky, Symantec, and Trend Micro, there is no doubt about how and where their bread is buttered. For free vendors, Avast’s faux pas may cause customers to think twice before switching to a free competitor because those vendors might be operating in a much grayer area. As the accurate old saying suggests, “There’s no such thing as a free lunch.”