avast! Privacy Policy explanation

Some users have raised their worry regarding avast!'s privacy policy despite the fact that avast! is NOT some evil corporation mining user data intentionally. In fact pretty much all antivirus companies collect certain user data through their statistical engines and feedback systems. avast! as any other modern antivirus solution is no exception. The worry is because the EULA has been expanded with v7.0 release. Mostly because the functionality has expanded as well and with it, the requirement to cover all the new features in EULA as well. I'm going to explain it from technical perspective why they need to know certain information and why is it useful to them.

The most important chunk of EULA for the "Free Antivirus" which is the most popular here...

8.1 URLs of visited websites that the Software identifies as potentially infected, together with the information on the nature of identified threats (e.g. viruses, Trojans, tracking cookies and any other forms of malware) and URLs of several sites visited before the infection was identified to ascertain the source of the infection;

This means that avast! Antivirus will send back to avast! team the info on which URL (webpage address), specific piece of malware was detected.
They need this information so they can inspect the domain and block it through Network Shield in order to prevent other users from getting infected by different versions of same malware found on that address. There have been many malware in the past that have been released from same URL, just in a modified binary form. Meaning the released malware was the same thing, it was just modified so quickly signatures in traditional antiviruses couldn't keep up fast enough. Blocking it through Network Shield means it doesn't need new signature updates every 5 minutes, but it will just block access to that URL altogether, preventing any further infections regardless of available virus database signatures. By submitting suspicious samples tot he virus lab it helps to better understand them by further analyzing the samples and create better and more advanced measures to accurately detect them in the future.

8.2 Information and files (including executable files) on your computer identified by the Software as potentially infected, together with the information about the nature of identified threats;

This includes the date, country, file path and probably also version of installed OS. This helps virus lab to better understand how malware spreads, where it installs itself and so on.

8.3 Information about the sender and subject of emails identified by the Software as potentially infected, together with the information on the nature of identified threats;

If the scanned email contains malicious or suspicious attachment, it's sender and subject line will be submitted to the virus lab to help them better understand the way how malware writers are spreading the malware.

8.4 Information contained in emails reported by you as spam or as incorrectly identified as spam by the Software;

Spam detection is solely keyword based on Bayesian algorithm which reads the words in email and compares it to the local database to identify spam messages. You can read more about it here:
http://en.wikipedia.org/wiki/Bayesian_spam_filtering

avast! doesn't submit entire e-mail messages anywhere. It only submits data from the e-mail header (header is the place where sender info is stored along with other details like time and date) of a SPAM flagged message. It probably also submits statistical data regarding keywords detected in spam messages. So they can further improve spam filter by making it more aggressive and more accurate (meaning it will spot more spam messages and make less mistakes while doing so).

8.5 Copies of the files identified by the Software as potentially infected or parts thereof may be automatically sent to AVAST for further examination and analysis;

This one is similar to the point 8.1, except it covers submission of suspicious samples from local hard disk opposed to "remote" URL's in point 8.1.
If some EXE is detected as suspicious (be it by heuristics, behavior shield, FileRep or anti-rootkit heuristics) it will eb automatically submitted to the avast! virus lab for further analysis. So they can fine tune heuristics, create exact signatures to detect it accurately and to further gain knowledge on evolving threats by actually poking the samples.

8.6 Certain information about your computer hardware, software and/or network connection;

Statistical general information about hardware, software or network (what kind of CPU is used, what OS version, does it have service packs, what network drivers and socks are used and so on. This helps the virus lab further understand malware behavior and spreading (which OS's does it affect, which bit versions, be it 32bit or 64bit, is OS patched and if anything is possibly hijacking the network connection. Nothing personally identifiable is collected using these methods.

8.7 Certain information about the installation and operation of the Software and encountered errors or problems;

Like most programs, avast! also features submission of error data to the developer (in this case avast! Software). It can include anything from OS version, avast! version, what system drivers are installed, what system hooks are used and memory dumps. However to my knowledge, none of this is automatically submitted. You have to generate the package yourself when avast! technician requests you to use this function in the Maintenance category. So it is always on user to hand over the package with full consent and knowledge. Memory dumps can include sensitive information but i can assure you that avast! only uses it to resolve problematic errors or issues that cannot be resolved in any other way than by looking at the memory data directly.

8.8 Statistical information about threats detected by the Software;

This means OS version, country where it was detected, how many times it has been detected etc. Sure they will know you are from UK, Austria or Slovenia, but then again anyone can do that by just looking at your IP address. And IP is the very foundation of ALL communication on teh internet.
No need to worry as it's all just general statistical data that you can even check yourself here: http://www.avast.com/maps

8.9 If your version of the Software includes the Website reputation function, which provides information on reputation of web sites as potential sources of malware, and you set the Website reputation function to active, the Software may send AVAST the URLs of all websites you want to visit and the results of your web searches through search engines.

This covers the WebRep feature. Since this is a webpage rating tool, it has to access every visited URL and since the feature works in the cloud, it also requires submission of URL for verification. Depending on the status, info is returned to the user and he/she will see a green, yellow or red WebRep icon along with additional info provided for it (several subcategories that mark what kind of webpage it is, be it pornography, gambling, phishing or just a web store etc etc).

WebRep also verifies search results in a similar way as regular URL addresses to let user know what they might visit even before they actually do that.
Again marked with green, yellow or red icon next to the search result.

Both of these features are also used by many other antivirus solutions like AVG's LinkScanner. Or Web Of Trust (WOT).

With avast! v7.0, web protection also includes anti-phishing for webpages. All the above mentioned methods are further utilized to prevent fake webpages pose as Online Bank login form or something similar that could steal sensitive user data.

I hope this brings some more understanding to the whole matter and calm down certain users who think avast! is some special exception regarding privacy policy in some strange bizarre way. If you don't believe me, i suggest these users to go and read EULA's from all the other technically similar products from competition. You will see that they have the same or very similar privacy policy terms. And just like any other serious security company, avast! Software does take great care about their users privacy.

I will also direct someone from official avast! team here to fill in the specific details that are out of my reach but may be missing.

 

I am getting really put off by the data collection as it seems every company is doing it these days. If it's not google it's facebook, if it's not one of those it's someone else. It makes me want to just get rid of my av altogether and run sandboxie and some on demand scanner.

BTW- as indicated above, I see Avast now classifies cookies as malware...really? That will give them the excuse to track anyone, anytime. Plus to be able to determine the "several sites visited before the infection" there would seem to need to be a history kept by avast all the time. Or does avast just use the browser's web history?

The combo of this new EULA with the download.com affiliation really turns me off. Maybe others are fine with it. But avast is just doing the same thing other companies do by evolving to a mega-info-collecting heartless, lifeless, corporation.

 

Thanks for posting RejZoR.

 

I think people are also concerned about these parts:

 

No.

No, that gives us nothing, even less the right (that we don't want...) to track. Tracing cookies are issued by malicious or legit sites you visited yourself. The detection is done by some applications like SuperAntispyware.

No, avast does not act or think this way. Besides, we do not get money collecting any info, we only try to provide a better protection line for our users, have all the data anonymously and for statistical/technical reasons (and it does not include sells or money...).

 

Ok, lets do it the other way, because apparently this will never end no matter what we explain or say.

Go and please read EULA from Norton, Kaspersky, AVG, Panda Cloud and so on. Then come here with your findings. Because i'd really like to know what clicked in your heads now to trigger this over-exaggerated paranoia around avast!.
I've seen far worse privacy concerns, issues or breaches and no one made such massive fuss about it like you guys do about avast! this very moment.

 

I'll bite:

Roboscan, recently discussed here.

"DATA COLLECTION AND USAGE
No third party software is installed with the Software. As part of the Software, additional software components (“Software Components”) authored by Company may be incorporated into the Software or installed alongside the Software for the purpose of Software maintenance, updates and aggregate usage statistics. The Software Components installed may include Software Update and Software Error Reporting Tool. Through Software Update and Software Error Reporting Tool, Company does not collect, use, or disclose any personally identifiable information."

"Software Error Reporting Tool requires user action and explicit consent to report Software errors to Company. Information transmitted by Software Error Reporting Tool may include Software name, Software version, stack dump, loaded modules, crash address, operating system information and a non-personally identifying unique ID."

 

Assuming this is an accurate quote from the EULA, the writers are either claiming that tracking cookies are malware or they need to rewrite their EULA.

 

Then what are tracking cookies? Lovely biscuits that everyone want? They could say it falls into the PUP category but who ever goes into such detail inside EULA? No one. So leave it at that and stop nitpicking.

 

Technical/Rejzor, could you guys perhaps confirm that my interpretation of the first quote posted by Boerenkoolmetworst is correct;

"The information collected by the Software is generally not correlated with any other personal information related to you that AVAST may be processing such as information given by you to AVAST or its distributors or agents during the process of ordering and downloading the Software.
Unless you have permitted otherwise, the information collected by the Software is used anonymously in aggregation with similar information from other users of the Software for analytical purposes to identify new viruses and threats and for improvement and development of the Software and for statistical purposes."

As far as I understand, only if a user has specifically allowed Avast, the company can use their identifiable information (personal details entered when purchasing Avast products).
Without such specific permission, Avast will only use anonimized data.
To me this seems the only reasonable interpretation but perhaps a confirmation might be useful?

 

One problem is that when you affiliate yourself with sites such as download.com there is an inherent loss of credibility. Maybe that loss is a little, maybe more than a little. It probably depends who you ask. But however you slice it, nobody has an obligation to believe anything you have to say.

 

Apparently you and your fellow Avast team member have a dispute as to whether tracking cookies are classified as malware by Avast. If you two Avast guys can't agree what the EULA means how is the rest of the world supposed to figure it out?

 

First of all i don't work for avast! nor distributor at the moment (i just maintain free support for local users at the moment). Secondly, tracking cookies aren't malware as is, but the aren't harmless either. However NO one will EVER go into such depth or detail in EULA, so why do you drill into something irrelevant? If you have questions about what cookies are and how can they invade your privacy, ask that somewhere else. Here for example:
https://www.wilderssecurity.com/forumdisplay.php?f=42

 

bite No. 2: Avira

Avira EULA

13. Collection of Certain System Information

Avira uses certain applications and tools through its website and within the Software, to retrieve information about your computer system to assist Avira in support of the Software. With expanded online testing of files (feature Avira AntiVir ProActiv Community as of Version 10 of Avira paid products) Avira sends suspicious programs only (executable files) to its secure German data centers. Avira does not send any personal data. Files such as pdf, doc, xls as well other personal data, like pictures and videos are not being automatically sent.

Not personal data

Avira records in irregular intervals the domain names, IP addresses and browser types of the visitors of the Avira website. This information is used for the logging of the global access to the Avira website. Nevertheless, this information is not related with the storage of the personal data in any way.

You will not be identified on the basis of your IP address even if our web server records it. Consequently, your identity remains undisclosed.

 

These type of concerns, real or FUD will never stop. It has been the same for many (if not most) security products with cloud or intelligence built in. I have seen this exact turmoil for Kaspersky, Prevx, WSA, ZA, OA, Norton, Avira, etc. EULA are open to interpretation by design to safeguard companies from claims and disputes. Either you trust the explanation given out of the EULA or you will have to move to another product you can trust.

In other words:

You don't like the product EULA? Simply don't use the product and choose something you can trust and feel comfortable with.
End of the story.

Next?

 

AVIRA doesn't offer half of the advanced features avast! has. And is nowhere near as cloud powered as avast!. So logically they only cover that in their EULA.
Will you start to rage when they get the same features and include them in EULA? I doubt you will...

 

And some explanation from Ondrej Vlcek (Vlk)...

 

RejZor,

Don't get your posters confused... I've not raged here, merely pointed out the facts as presented by two of Avast's competitors. Posts that you encouraged when you vaguely referred to other vendor's EULAs and solicited examples of even more EULAs.

Would you prefer I post the EULA from Avast 6? It is quite different. As I said over in Avast's forum, it is unfortunate that the legal department got the final word on the EULA without someone overseeing what they proffered.

 

You can post avast! 6 EULA all you want, but avast! 6 doesn't have features that avast! 7 now has. That's why EULA just HAD to be changed.

 

I guess there is worse.

But I've seen better.

For example, Avira and Kaspersky.

It has been a while since I read those EULAs, but if you opt out of in-the-cloud technologies the privacy statements are better.

 

RejZoR,

Duh. But changed to what and with what implications. Privacy is a concern for us all in this current web culture and legitimate questions about Avast's new EULA have been raised and should be raised. And answered, as Vik is doing by going back and forth to the source.

This EULA is poorly worded and perhaps means that Avast is not doing a good job in protecting end user's privacy. Not clear as of now and hopefully it will be cleared up.

 

Have you read Vlk's reply? EULA is the lawyers talk. And Vlk explains that betteer than i wanted. They need to condense 5 times the text i explained in the first post into few 10 lines of text. That's why "personal identifiable" info means IP address alone for example...

 

Youve forgotten to include

12.Privacy
By entering into this EULA, you agree that the Avira Privacy Policy, as it exists at any relevant time, shall be applicable to you. See www.avira.com.
which then leads to ....
http://www.avira.com/en/general-privacy
and
.............................
Transmission of personal data to the third parties

Avira also uses the services of other contractual partners, for products dispatch, orders proceeding for issuing the invoices and payment procedures. Our contractual partners are obligated to treat the personal data with confidentiality and to use it only for services related purposes or transactions in behalf of Avira

In the case of digital product dispatch of the Avira software and licences, Avira cooperates with a third party (online shop elemnt5), in order to give you the chance to place your orders and effect payments in an easy and comfortable way over the internet.

Avira will not transmit your personal data to the third parties without your explicit consent (not even for marketing and sales purposes or to the address brokers), unless Avira is obliged by a legal regulation to do so. In certain cases, Avira is obliged to reveal your personal data to the government offices or other legal agencies according to the applicable law.

Security of personal data

In order to protect your personal data we have met the safety precautions according to the German privacy acts, the present privacy policy and the international information security standards. This procedure enables us to protect your personal data against abuse, unauthorized access and disclosure, damage, manipulation or deleting. The credit card information are transmitted to the online shop of our partner element5, encrypted, via ssl /secure socket layer) protocol.

Please note that Avira will provide this company data to its world wide subsidiaries. Therefore, the personal data received from our customers can be forwarded to all our subsidiaries in the entire world. In some countries the collection, the transmission, the storage and the processing of the personal data will be performed from the Avira contractual partners.

All the Avira employees that have access to personal customer data are obligated to ensure the confidentiality of the personal data and its use.

Statistical information

This website uses Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses so-called "cookies", text files that are saved on your computer and that make it possible to analyze your use of the website. The information generated by the cookie when you use this website (including your IP address) is transferred to a Google server in the USA and is saved there. Google will use this information in order to analyze the use of the website in order to put together reports about website activities for the website operator and to provide further services for website and Internet use. Google may also transfer this information to third parties provided that it is legal to do so or if Google commissions the processing of this data by a third party. Google will never associate your IP address with other data Google has collected. You can prevent the installation of cookies with a corresponding setting in your browser software. However, we would like to explicitly point out that if you do so, you will not be able to fully use all of the functions of this website. By using this website you agree to the processing of your personal data as collected by Google in the aforementioned manner and purpose.
..................................................
eulas are pretty much the same horse of a different colour imo.

 

So the one thing everyone can agree on is that the EULA is not accurate.

 

So will someone talk to the lawyers then?