AV-Comparatives - Data transmission in Internet security products

Discussion in 'other anti-virus software' started by Petrovic, Apr 29, 2014.

  1. Cloudcroft

    Cloudcroft Registered Member

    Joined: Feb 29, 2004
    Posts: 471
    Location: The Hill Country of Texas

    Is this the "Detailed Error Data Collection" under Norton Community Watch? That's all I see under Administrative Settings.

     
  2. Mayahana

    Mayahana Banned

    Joined: Sep 13, 2014
    Posts: 2,220

    Apparently that is what controls what is sent to them. It seems nothing, or almost nothing, is sent with it off.
     
  3. steve1955

    steve1955 Registered Member

    Joined: Feb 7, 2004
    Posts: 1,384
    Location: Sunny (in my dreams) Manchester, England

    What things do you consider are not common knowledge? Most AVs do have a privacy policy which is available for you to read, most AVs disclose in that policy what they do collect from your machine, you just need to do a little reading.
    It's fairly obvious as AVs become more cloud based that data will and needs to be exchanged both ways, how would any company gather the info needed to base any reputation based system on? Magic or guesswork prob wouldn't work!
     
    Last edited: Jan 12, 2015
  4. TheWindBringeth

    TheWindBringeth Registered Member

    Joined: Feb 29, 2012
    Posts: 2,171

    People who take privacy/infosec seriously would value studies like that, and eagerly welcome additional detail and refinement. We see studies where security products are evaluated for their protective abilities, receiving positive scores for blocking threats and even some data leakages. However, that is only one side of the equation. Data transmissions that expose potentially sensitive info to other parties (including but not limited to cloud-AV companies) must be assigned negative scores that are applied against the positive scores to arrive at a final score. Scoring data transmissions is not easy. Finer details can make a huge difference, and those often aren't easy to flesh out let alone factor in. Plus, some program settings would shift scores and thus require re-testing/scoring. It's real work. Work that is far too complex and/or time consuming for 99.99% of individuals. Professionals included, more due to time-constraints obviously. Thus, there is much to be said for reputable organizations contributing what they can.
     
  5. 142395

    142395 Guest

    I guess such scoring will be one-sided, and it's better to leave the decision to each user.
    The amount of info sent is not itself the determining factor; rather, some combinations can be crucial, but those can heavily depend on each individual's beliefs. General consensus about privacy won't be as easy as about security (some don't even care about privacy at all). Also, we can't know how that info will actually be treated. We can read the privacy policy or EULA, but there's no guarantee they actually follow it, so we rather look at what the company has done, and it forces me not to use some products (I won't mention their names as it can cause unwanted objection), even if they have a finely written policy.
     
  6. Firecat

    Firecat Registered Member

    Joined: Jan 2, 2005
    Posts: 8,251
    Location: The land of no identity :D

    Have you considered that the three products in bold do not need to gather that information since a certain parent company already does it and thus manages to fulfil the need for statistics to improve the engine and the cloud database/infrastructure?

    *just a conspiracy theory :p
     
  7. TheWindBringeth

    TheWindBringeth Registered Member

    Joined: Feb 29, 2012
    Posts: 2,171

    My main point was that users trying to make such decisions need detailed information. However, I do think that some type of scoring could be done to make those decisions easier for most. I'm not talking about "final scoring", where the negatives would be applied against the positives. That's something that only the user can do. It would involve selecting a weighting factor for each prior to combining them so as to strike the right balance for their application. Those very concerned about privacy/infosec would place a heavier weight on negative data transmissions. Those not at all concerned would apply a zero weight.

    I'm thinking separate scores. When you do look at it one side at a time, it is much easier to make objective calls. For example, from a privacy/infosec POV it is clearly worse to phone home full URLs vs hostnames, clearly worse to phone things home along with a GUID vs without one, so forth. That's the type of information a data-transmission score would try to convey. Not subjective things like whether the receiving organization can be trusted.
     
  8. steve1955

    steve1955 Registered Member

    Joined: Feb 7, 2004
    Posts: 1,384
    Location: Sunny (in my dreams) Manchester, England

    Any company's policies must be adhered to in most countries (I do realise not all countries have enforcement), otherwise they would find themselves open to litigation, not just by users but the bodies entrusted with making sure companies, no matter how big, do follow them: Google and their stealing of folks' unsecured wifi data is a good example, they thought they could do what they wanted and get away with it because they are so large and commercially powerful, they couldn't!
    As for security companies, bona fide ones, collecting info, I would be slightly worried if they didn't, it seems one of their main tools for improving their products for the end user, and it isn't just security companies who collect data on internet users, read Google's end user agreement (if you have a spare week!)
     
  9. 142395

    142395 Guest

    Okay, I got it, and surely such scoring will be possible. However, one thing I care about a bit is that once such a score is published by AVC, many people won't pay attention to the details and will start to believe this is an absolute ranking when it's actually a partial ranking. I already saw some people just count up how many items each AV met and make that a ranking. It's easy to refute such a naive ranking, but it won't be easy if a ranking is made by AVC.

    Also, like Steve, I hope such scoring doesn't cause "competition" or become a fetter on protection. No two cloud reputation systems work the same way. Some need geographical info but others may not. Each AV vendor uses a different strategy. People can choose the product which shows a high level of protection in the dynamic test while having a good score in privacy, but that good score may just suggest their cloud system hasn't yet adopted big data analysis, which might not be necessary in the current situation but sooner or later will be a must to combat evolving global threats, especially in corporate environments. Vendors who have many corporate users worldwide and provide not only AV/EPP but a wide range of products or services will be at a disadvantage in a privacy competition.
     
  10. 142395

    142395 Guest

    But how many people actually know the privacy law of the country to which their AV belongs? I only know a summary of my country's, a little about the US and Germany, none of the others. I use Kaspersky, but don't know Russian law at all. And given many cases where big companies made a fuss... I have to admit things come down to a matter of trust.

    Unfortunately, I don't have a spare week! :thumbd: :D :(
     
  11. steve1955

    steve1955 Registered Member

    Joined: Feb 7, 2004
    Posts: 1,384
    Location: Sunny (in my dreams) Manchester, England

    The laws regarding your privacy relate to the country you are resident in, although I do think the prosecution of a Russian or Chinese based company by one of the western govt enforcement bodies would be problematic.
     
  12. Minimalist

    Minimalist Registered Member

    Joined: Jan 6, 2014
    Posts: 14,881
    Location: Slovenia, EU

    I would say: and vice versa.
     
  13. steve1955

    steve1955 Registered Member

    Joined: Feb 7, 2004
    Posts: 1,384
    Location: Sunny (in my dreams) Manchester, England

    Possibly, but because of their communist background neither country recognises most of the laws regarding privacy, they also don't recognise (or didn't use to) patent or copyright laws, that is why they copy and blatantly sell those copies, look up Chinese BMW X5

    http://www.bmwblog.com/2008/12/19/bmw-loses-court-battle-to-chinese-x5-clone/
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined: Dec 22, 2009
    Posts: 4,868
    Location: Outer space

    Just came back to this report to check something, and noticed this part:
    However, in the results, there is no information on which product uses SSL/TLS for data transmission. Collecting this much data and then sending it in plain text over the network is really bad and totally unacceptable for a 'security' company.
    It would be nice if this information could still be provided @IBK
     