We are all familiar with the concept “there is no
such thing as a free lunch”. There is always an agenda that involves us giving
information up or doing something to earn the lunch.
Recently Kaspersky Lab announced their adding of a
free antivirus to their portfolio, making them a member of the growing list of
vendors that give away their software, apparently for free.
We all know that there is no such thing as a free
lunch, or security product, so what’s the catch?
I’ve taught my son that when you download an app
that’s free you need to understand how the company makes money, maybe
advertising, cross‑ and up‑selling, in‑app purchases, and if you can’t see how
then you are probably what they make money from. Of course, it may be by all
the methods mentioned, the key is to understand what you are trading to use a
free product.
Let’s investigate how the free eco systems works by
installing a free antivirus product: (not Kaspersky), but the one that claims
to have the most users.
The first install screen offers the free antivirus
and by default a Google Toolbar for Internet Explorer, unless I select to opt
out in small print at the bottom of the screen. Apparently, my Internet
Explorer will benefit from searching from any website, translate pages
instantly, and auto-fill web forms with one-click. Internet Explorer does ask
for confirmation to install the toolbar and the vendor’s own security add-on
the next time I open it.
After installing, and on the first run of the
antivirus program, I am told that I am now sharing data and if I don’t wish to
then I can switch this option off in the settings of the product. Taking a look
at the privacy policy on the vendor’s website I am told that among other things
the URLs of websites I visit, along with web searches through search engines,
are being collected.
Further down in the privacy policy I am advised
that sensitive personal data is not collected, this includes sexual preference,
religion, political views and health. For most of us I think it is fair to say
that all of these could be gained from search and URL data which is now being
shared.
The intricacies of privacy policies, what can or
cannot be collected and then whether the data is anonymously shared with third
parties is complex even for those who understand and are interested. For the
less technology-literate this is most likely incomprehensible. We are often
presented with the words “shared with third parties” on websites,
registrations, product installations and in privacy policies.
Companies that share data commercially are highly
likely to be receiving payment for the sharing. In most scenarios it is
probably better to consider sharing as meaning “sold”, but very few people
would agree to sharing if the words presented actually said “sold to third
parties”.
For transparency on this topic, ESET collects some
data. We use it to improve our products and provide the services you purchase
from us. In some instances some of it must be shared, for example our online
store may share it with the payment processing service when you purchase a
product. We do not sell your data to a third party, and never will.
During the installation an icon appeared on my
desktop – a secure browser. I don’t recall seeing any mention of this during
the installation process. Running this browser presents me with a Yahoo! search
page. This seems at odds to the claimed benefits of Google I was presented with
a few moments ago.
The next time I open Internet Explorer I am advised
that the Google Toolbar and the additional add-on are slowing my browsing down
by 2.36 seconds; the obvious implied recommendation is to disable them. The
experience is confusing – nothing seems to be working together to improve my
security, which was the reason I installed the product.
Back to the reason I installed, opening the
antivirus product presents me with a welcome gift. I need to unwrap it, I am
being offered an upgrade to the paid product with additional features at a
discount.
Taking the first scan option starts an in-depth
look at my machine, scanning for viruses, network threats and performance
issues. At last I am getting what I came for, protection, or am I? The user
interface is littered with options that are not available unless I upgrade to
the paid product, for example Firewall, Banking Protection, Secure Shredding to
name a few.
The advertising within the product interface has
changed and now offers me additional products from the vendor. There is also a
big green ‘Activate’ button; pressing this presents a screen offering a
discounted upgrade or confirming my choice of free. Confirming free takes me to
another screen offering me a free trial of the paid product. There is a
continual up-sell.
To summarize my experience, Internet Explorer now
offers me Google Search, the new browser offers me Yahoo!, my URL and search
data is being collected and can be shared with third parties and I am being
continually upsold to.
Remind me, what was the price of this free product?
The vendor is making money from Google by
installing the Toolbar in Internet Explorer, monetizing search with Yahoo! in
the newly installed browser, probably selling the data collected to third
parties, and lastly, they would make some directly from me should I decide to
purchase a paid license or their other products. It is also worth noting that
both Google and Yahoo! may be collecting my browsing data as well: what we
search for and our preferences are a valuable commodity.
What happens when it all goes wrong and I need
help?
Not surprisingly when you use a free product
support is limited, mainly a self-help service. If you do need that extra level
of assistance of a person to help you then payment is required. Either a single
support incident or you will again be subjected to an upsell to support every
device you own, which will set you back in excess of $175 per year. That just
made free rather expensive, especially when paid products, for instance from
ESET, get free support.
The example above may explain why Microsoft
includes a default free antivirus product in Windows 10. They want the user to
have a pleasant experience using the operating system without having to combat
continual changes and messages because of a product they installed. For those
who have experienced the disruption after installing a free antivirus product,
then Windows Defender may seem like a good idea, but there is a fundamental
problem when too many people make the same decision.
A dominant security product causes a monoculture, a
default standard for cybercriminals to attack. Research shows that there is an
increase in malware infections when there is a vendor with dominant market
share in any particular geography. The cyber criminals only need to look for
the weakness in one product to infect a significant portion of devices, thus
the majority can become infected as a result of using the most popular program.
For the detectives out there you may have also
spotted the other benefit to Microsoft in the example above. By removing the
need for third-party, free antivirus products to be installed, the browser
search engine and homepage defaults are not being altered, so a typical user
continues to use Bing/MSN, thus increasing Microsoft’s search revenue.
When you have an asset that’s as important as your
identity there is a need to protect it from harm or theft. Understanding the
value of the asset may help you decide what the cost of the protection should
be.
Are you willing to trade your browsing history to
gain a few dollars and get only the most basic antivirus protection? Most of us
would consider this data very personal, it’s worth more than a few dollars
especially if it’s being shared with third parties for commercial purposes.
The assets I have on my personal machine, which
include personal data and my identity, deserve protection without compromise
and for this I am willing, and recommend others, to pay. Let me put it a
different way though, would you use a free lock on your front door, or would
you and your family feel safer if you purchased one?