Where do we draw the line on data collection? (ie Prevx)

Read the audit report and google the names of the auditors: http://www1.prevx.com/PrevxHomeAudit.pdf (this gives very explicit detail of what is collected and what is not)

And finally on their mission statement:

I know that a lot of people have reservations about data being sent from your computer, but this can't ALWAYS be a bad thing. Where do we draw the line? Having a more than average interest in scientific information (psychology and cognitive studies in particular), I've had to learn how to sort out garbage data from real scientific study. No, I am by NO means an expert, but there are skeptic resources out there that can help tremendously, that apply to any kind of scientific data being presented. A couple of the things you generally look for are attention to detail (ie if they "don't have time" to make sure the details are straight, their tests are meaningless), lack of emotive/marketing speak, and sources you can verify. The info provided by Prevx seems to fit both of these catagories.

They've taken the route of practicing full disclosure of their intent, the data they do and do not collect, and they offer you a strong product and service in return. They've labeled this info as "important" for you to read, and put it right there with the download links instead of using obscure language that's buried in EULAs and such. The final point that strikes me is that they are marketing to large enterprises and ISPs (parnering with Sun, IBM, and Microsoft), not the small obscure ones that need the underhanded kind of sleazy tactics offered by such things as spyware.

One of the reasons I'm bringing this up is that I am seeing more of this coming out, and I think the overall subject deserves some consideration. Pivx (the makers of Qwik-Fix) is also selling a similar kind of service of detailing current threats. I think this is going to be an important part of how the industry is going to curb the ever growing threats, and we are going to have to ask ourselves where we are going to draw the line. On one hand we don't want to give up privacy, but on the other we don't want to get swept away by paranoia to the degree that it becomes counter productive. I personally see nothing at all to raise any red-flags regarding Prevx, and actually commend them for presenting it the way they have. What do you guys think? Not just about Prevx, but this whole concept and other companies that are compiling statistics for the pros to use? What about AV companies that send home statistics of what virus/trojan/worm you have encountered?

 

Good post Notok,

I totally agree with you. From what I have read from the PrevX site, I personally have no problem with information being sent to PrevX. My concern is independent verification of what is actually being sent to them. I have seen to many times programs calling home with more info than was admitted to. I am not saying this is the case, just that I want to be sure that the actuality is indeed what PrevX claims as to "calling home".

 

The PDF is actually independant.. normally I wouldn't lend that much creedance to something like that posted on the developers website, but googling the names does show that they aren't likely "bought experts" (http://www.isg.rhul.ac.uk/people/academic.shtml)

 

I suppose its indepedent like how the auditors of Enron were indepedent...

 

The audit is independent as far as PrevX hired an outside firm to do the audit. Obviously money exchanged hands which made the audit not independent in that aspect. Notice the use of the word "commissioned".

The auditors were not able to do an in depth code analysis on PrevX. Instead, they were given limited code for brief analysis.

The version audited was a beta version in existence on Oct. 15. It is not the actual software that is available for download and use today. Did anything change in the software? I would have waited and had the audit done on the release version downloaded from the PrevX site. This would have added more legitimacy to the audit.

These are some of the reasons I an personally awaiting further "independent" analysis of the information that is sent to PrevX from our systems.

Again I say if the only info that is exchanging hands from our PC's to PrevX is what PrevX states, I have no problem with that.

Below is attached a section of the audit that I base these assumptions on.

 

I have no reservations about Prevx per se, I have not heard or read anything about the company to the effect that they are less than they purport to be. My basic problem is with the appearance of the whole issue. With version it was free and we had to register and were restricted to only 5 attempts at downloading the software without having to re-register, additionally version 1 did not phone home to check how other people handled the same alert, version 1 only phoned home to register (which I fully understand and agree with, they did write the software and do have a right to see that it is being used legally even if it is free) Version 2 however phones home during or just after an attack/alert to see how other people handled the same alert. My problem with this is multifaceted, first how do we know the person/people that encountered this alert before were competent and handled it correctly? Just looking at the recent election here in the US, no matter which side you voted for or whose cause you supported just over or just under half the country is comprised of idiots that do not share or follow your beliefs, who is to say the same will not happen with this "advice net"? Some people are not computer savy enough to know that they should not allow the alert they are seeing, but because someone else did they will to. Secondly while it seems to me to be quite needed for a company to do the right thing and just make software because it is needed instead of to make a profit, it is almost unheard of in today's society. Hopefully Prevx is on the up and up and they are just being the honest hardworking internet citizens they should be and hopefully more companies will follow suit and start looking out for everyrone else instead of trying to make a profit. I guess in a way it is the same as Computer Associates and Panda giving away software for a year, it is just a different way to go about it. They are giving away the software and selling the information that it generates. It's just that it appears like an advertising scam, I suppose I will give Prevx a chance, at least the effort they are making to improve the internet for everybody seems like a more than worthy cause.

 

Version 2 however phones home during or just after an attack/alert to see how other people handled the same alert.

I beg to differ, a check of my firewall log showed Prevx phoned home hourly, I have serious reservations about this!

 

Really? That certainly goes against what the copmany is saying. They say it only phones home during an attack/alert. Anyone else seeing this? I didn't leave it on long enough to see a pattern.

 

In the PDF it actually states that it collects the data and sends it off at timed intervals since you may not be online every time you get an alert.

At any rate, on the subject of "independant experts", here's a book worth checking out:
http://www.prwatch.org/books/experts.html
Fact is that you can't trust any experts fully. Ultimately you'll have to come to your own conclusions, which leads us to question at hand: Where do we draw the line between security and privacy? Anyone have any feedback?

(I'll post more info on the subject of distinguishing real information from bunk as I find it)

 

It seems it does call home hourly - allthough, ethereal shows it doesn't send any data - not on my machine at least (There is no HTTP contents).
The last time I saw it sending data was after an alert - but not directly afterwards.
It seems the software is NOT calling home as soon an alert occures,
it seems it connects at certain times or in certain periods to the
prevx server and reports the alerts collected since the last report.

In general, I dont have a problem with prevx so far. I think this is an extreme good product and sharing the attack data with the rest of the users
out there is the price for this free software - as long it really doesnt contain
any personal stuff, Im willing to pay this price.
At the moment, I don't believe they are doing spyware. When you surfe the web, you see so many
articles and public announcements of the company...they dont make a secret of what they are doing in any way at all - rather the opposite, they really
think they do something good for all of us. So they must
be very clever or incredibly stupid with this strategy

But Im still watching...

 

Ok, I think we should draw the line for software that the phone home function can not be turned off/ or preferably it comes off by default and you can enable it if you wish. Similar to Zone Alarm's alert advice and settings submission. You can have them on or off if you wish and doesn't adversely affect the software in either case. This policy of you must have the phone home function enabled as it is part of the software is over the line in my opinion. Even with as it appears they have the best of intentions.

 

What about AV products that do this? I think it's more fair to have it up-front that this is the price you pay for the product. I think we need more "community involvment" and information sharing to raise awareness of what's going on out there. Something that allows you to benefit the security community & industry just by using a security app seems like a very positive step. (the need for trust in the company is a given, just as with any security app.)

(btw, not trying to defend anything here, the intent of this thread wasn't even to focus on prevx in particular, just the overall concept of collecting and selling data to security pros that can put the data to good use. Prevx is just the latest and clearest example.)

 

Yes I totally agree that this example at least is a lot more fair in that they tell the users about it. I also believe that AV or any other software should not be doing so without the users permission either. I realize that it does help other users, but the same rules that apply to the real/criminal world should apply to the cyber world. Just because someone is mugged,robbed or raped doesn't give the rest of us the right to know the details. The same should apply to cyber attacks. Yes in a since the rules of the medical world could also apply if virii are to be considered "epidemics" so it would seem to be a rather complicated issue to protect all users from security breaches/violations as well as the privacy of all users. A very interesting thread you have started. Let's see where it may lead. Hopefully the debate can be spirited yet still stay civil.

 

I think the fact that spyware has used some of these methods really spoils things. Had they been up front from the beginning, we probably wouldn't have this epidemic.. but really, how many people do you think refused to be Neilsen families based solely on privacy concerns?

Both good analogies, flyfran, and both bring up different sets of concerns. In order for flu shots to be effective, scientists need data on what strain of flu to vaccinate against. But with violent crime, how intimate do the details need to be to curb the problem? We use security software that protects against certain behaviors, but which behaviors to protect against? Covering too many bases tends to bog things down too much, not enough can leave you unacceptably vulnerable. Then there's the bigger picutre of curbing the crime at the levels of the OS, networks, and society at large.. our international policies are coming down on us now. We don't need to give corporations rights akin to the patriot act to gather info, but giving them sufficient data can allow these exploits to be stopped before even reaching our computers. It will be interesting to see where it all goes.

Like I say, I bring this up because I'm seeing this kind of thing grow. There are more websites and services giving pros details on attacks and vulnerabilities, and we should do what we can to support them, but the question is to what extent.. I guess the point is that this is something we will all have to decide for ourselves, and a decision we are going to have to make sooner rather than later. What level of responsibility do we want/have to take on ourselves?

My current job is actually a good example of all of this. I do fraud prevention for over the phone credit/debit card transactions. To do this, all we need is the name, address, and phone number associated with the card. Some people consider this a serious privacy violation because so many companies abuse that information. Of course the victims of this fraud are equally adamant that we don't get enough information. There was recently an article talking about corporations abusing this kind of information, and it actually listed just about all the corporations that employ my place of work as the only companies that DON'T abuse this information. I guess it's a question of compromise.. both in terms of privacy and what the alternatives mean to our everyday lives. Where is the benefit when the criminals still have your personal info, but now your privacy demands mean that companies are either forced to process hundreds of thousands of dollars in fraudulent orders daily, or flat out deny the same amount of transactions to legitimate customers?

It's a vexing problem. At least we have a place like Wilders to hash out these thoughts and opinions