Update, Aug 7 – 17.30 CEST: We updated the article to address concerns from vendors that considered it was targeted rather than being about the free eco-system, as was intended.

We are all familiar with the concept ‘there is no such thing as a free lunch’. There is always an agenda that involves us giving information up or doing something to earn the lunch.

Recently Kaspersky Lab announced their adding of a free antivirus to their portfolio, making them a member of the growing list of vendors that give away their security software, apparently for free.

We all know that there is no such thing as a free lunch, or security product, so what’s the catch?

I’ve taught my son that when you download an app that’s ‘free’ you need to understand how the company makes money – maybe advertising, cross‑ and up‑selling, in‑app purchases – and if you can’t see how then you are probably what they make money from. Of course, it may be by all the methods mentioned, the key is to understand what you are trading to use a free product.

There are numerous ways free products can potentially make money and, like me, you may have experienced ‘some (or all)’ of the examples below at some stage. All these methods are examples in use by free security products being offered for download at the time of writing.

Internet search – Probably the most written - and complained about - method of monetization used by companies distributing free products. Companies such as Google, Yahoo and Bing want you to use their search engines as they make money from advertising in the search results. Every user is a valuable revenue asset so paying for the distribution of toolbars, setting browsers to default search or even installing an additional browser can be extremely lucrative for a company distributing a free product. These are typically offered as a default option during installation and are not related to the product being installed; for example a security product offering a search toolbar that has no security benefit to the user.

Browser vendors have attempted to control the setting of search – they want you to continue using what came with the browser – by imposing policies that limit the installation methods used, or to force user confirmation of changes. An example of this is Microsoft’s Browser Extension Policy that prohibits programmatic changes to browser features including but not limited to homepage, search box and address bar. Enforcing a policy is a tough job and while efforts are made to ensure compliance, there are companies that will work out how to circumvent the limitations.

Upgrades – It is common for free products to provide a limited range of functions beyond antivirus. Additional features such as antispam or a firewall are typical features that are used to up-sell the user to a paid version of the product. In theory this should be a fair way to monetize a free product and in some circumstances it is, but there are numerous products where buttons labeled ‘register’ or ‘activate’ take the user into a sales process to upgrade, as opposed to the actual action indicated on the button. While some companies offer upgrades using a legitimate and easy to understand method, the level of aggressiveness in some security products would seem at odds with being a trusted security provider.

Locked functionality – Limiting the core functionalities of a free product. Examples of this are seen in security products that scan for malware but do not remove any malware without payment. Displaying a message that states you have an infected machine and requiring payment to remove the infection is a scary scenario for many novice users. Look out for the words ‘free scan’ at the time of download, if there is no mention of ‘remove threats’ this typically means there is not a free fix.

Cross-selling – Vendors have portfolios of products that provide different security functionality such as VPNs, online backup or parental controls. A customer using a free product is a good prospect to buy additional products, as they already know the brand and are aware of the need for security.

Bundled installs – During the installation of the product it either installs more than just the security product without your consent or makes offers of other products from other vendors. This can include the first item discussed, search toolbars. Bundling other products can also generate revenue: for example, offering an alternative browser has the same effect as defaulting search settings but avoids the policies that browsers impose to confirm changes being made to their search settings.

Support – Ever needed help? We all do at some time! Products that you pay for typically offer support to help you in your hour of need. With a security product this is particularly important as it may be related to an incident that is causing you concern. Providing support to free users is time consuming and costly, which is why it is often outsourced and used to monetize the user. Check out what support is offered – will you need to pay and how much? Companies that offer free products may charge more for a single support incident than it would have cost you to purchase a paid product that included support. They may even attempt to up-sell other support services to cover all digital devices. These policies can set you back in excess of $150 per year and are typically set to auto-renew.

Collecting and selling data – Security products require access to everything you do and store: malware can hide anywhere from web pages, email and documents to applications. Collecting threat data for the purpose of security or transferring data between the website and the payment provider in a checkout is normal. Some vendors go beyond this and collect data that has commercial value to third parties. Read the privacy policy before you install, and if a company is collecting and sharing browsing data that you would consider personal, you should be aware so that an informed decision can be taken on whether to use the product or not. The words ‘shared with third parties’ in the context of data you consider personal would probably be better represented as ‘sold to third parties’.

The word ‘anonymized’ is often used in privacy policies to give a warm feeling that no data can be used to identify you personally. Rather than debate this here I recommend you read this recent article in The Guardian. It demonstrates how anonymized data collected by a security product was used to easily identify individuals using a range of techiques that are trivial to implement and auotmate.

Third-party advertising – More common in mobile versions of security products, a small banner ad across the bottom of the screen that comes from an ad network. This is seen across the whole mobile, free-app space and is typically done responsibly. However, I have seen mobile products display questionable ads for dating sites. If you are installing a free security product on your kids’ phones, consider paying for a product so that advertising is not displayed.

Remind me, what is the price of a free product?

The business models above may explain why Microsoft includes a default free antivirus product in Windows 10. They want the user to have a pleasant experience using the operating system without having to combat continual changes and messages because of a user-installed product. For those who have experienced the disruption after installing a free antivirus product, Windows Defender may seem like a good idea, but there is a fundamental problem when too many people make the same decision.

A dominant security product causes a monoculture, a default standard for cybercriminals to attack. Research shows that there is an increase in malware infections when there is a vendor with dominant market share in any particular geographical location. The cybercriminals only need to look for the weakness in one product to infect a significant portion of devices; thus the majority can become infected as a result of using the most popular or default product provided as part of the operating system.

For the detectives out there: you may have also spotted the other benefit to Microsoft in the example above. By removing the need for third-party, free antivirus products to be installed, the browser search engine and homepage defaults are not being altered, so a typical user continues to use Bing/MSN, thus increasing Microsoft’s search revenue.

When you have an asset that’s as important as your identity, there is a need to protect it from harm or theft. Understanding the value of the asset may help you decide what the cost of the protection should be.

Are you willing to trade your privacy for a few dollars and get basic antivirus protection? Most of us would consider the data being collected as very personal – the data is probably worth more than the few dollars you are saving, especially if it’s being shared with third parties for commercial purposes.

The assets I have on my personal machine, which include personal data and my identity, deserve protection without compromise and for this I am willing, and recommend others, to pay. Let me put it a different way though, would you use a free lock on your front door that allows the company rights to enter and look round your house, or would you and your family feel safer if you purchased a fully featured lock that only you have the keys for?