avast! Privacy Policy explanation

Discussion in 'other anti-virus software' started by RejZoR, Mar 5, 2012.

Thread Status:
Not open for further replies.
  1. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Oh man, either i'm retarded or you're so god damn stubborn. You seem to bitch about EULA for 4 pages and quite frankly, i just don't get it what you want to know. We already told you that avast! Software is NOT(1) selling or giving user data to anyone despite what EULA might be saying. They just have to mention all that in it for legal reasons. We already told you it's a trustworthy company.
    And yes, they are collecting ANONYMOUS(2) STATISTICAL(3) user data with sole purpose of providing enhanced protection to ALL their users.

    Since you don't seem to understand plain English, 3 crucial points:
    (1) http://dictionary.reference.com/browse/not
    (2) http://dictionary.reference.com/browse/anonymous
    (3) http://dictionary.reference.com/browse/statistics
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,889
    Location:
    localhost
    LOL... :thumb: :thumb: Well said...
    I am afraid it's a lost battle, it's better to ignore.

    They will never get out of their questions since they are using the EULA as their source for information on the design of the software. They need to address the developers with questions that may not be answered (not releasing details on how the software works).

    I have seen this before, you are wasting your time and give fuel to the FUD. :)
     
  3. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,250
    Location:
    Outer space
    Thanks for the link :)
     
  4. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    This article might explain and/or clarify some of the confusion surrounding any company that has always relied upon EULAs and is now faced with integrating more Cloud features into its standard operation, since SLAs are more common when it comes to Clouds, as opposed to EULAs. The transition period creates an almost inescapable no-man's land between EULA structure and SLA structure:

    http://www.zapthink.com/2012/02/21/rethinking-cloud-service-level-agreements/

    (Below is the last paragraph of the article):

    There is an important warning here. It seems that every enterprise and government agency is looking to move many of their apps to the Cloud, and they’re hiring consultants to do the heavy lifting. However, both customer and consultant are still thinking of the Cloud as a glorified managed hosting provider, responsible for maintaining uptime-based SLAs. The reality is quite different. As Cloud-based deployments mature, the line between development and operations blurs, as Cloud behavior merges with application behavior. It will take several years before anybody will have a clue how to write—let alone comply with—an SLA that addresses this new reality.

    And here's a link from a lawyer's perspective on the complexities of transitioning from standard software dissemination to Cloud sharing:

    http://www.fizzlaw.com/article/is-your-future-under-a-cloud

    At the very least, these two articles legitimize the current confusion/concern being discussed in this thread, since Avast is making the transition to more Cloud based features. And ultimately, as others have pointed out, it does boil down to the trust one puts in the company providing the software or service.
     
    Last edited: Mar 8, 2012
  5. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    No offense, but that's the least professional response I've seen in a long time.

    I don't trust ANY security product. That's why I investigate. And if the pros outweigh the cons I may install the software.

    Why are you taking this personally ??
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Off the top of my head I would add:

    WebRep
    3) Besides the http and maybe https, what other URI schemes would trigger it? Reference: http://en.wikipedia.org/wiki/URI_scheme
    4) Confirm it explicitly checks for and strips any URI userinfo (hxxp://username:password@example.com/)
    5) What if any protections are there to prevent private URIs from being sent? A private URI being one which would not be transmitted in the clear over the net, for example: a) home user surfing private home server, b) home user surfing private work server via VPN, c) work user surfing private work server
    6) Is the connection to avast secured? Some would think this unimportant due to the http scenario where you are already sending a URI over the net in the clear from your IP address. However, in addition to what was mentioned in #5 there are other scenarios. For example, what if someone configured a local proxy which establishes an encrypted connection with a remote proxy so as to thwart ISP snooping.
    7) Can you enable avast program logging at a level which will allow you to review what was sent?

    FileRep
    3) Is the connection to avast secured? Even someone 100% comfortable with sharing information with Avast would want to know whether file information is sent in the clear for anyone in between to capture.
    4) Can you enable avast program logging at a level which will allow you to review what was sent?

    I think most if not all of those things can be investigated by someone evaluating 7. I mean, if they understand them and have some tech skills.
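Points 3 to 5 of the WebRep list above (scheme filtering, userinfo stripping, withholding private URIs) can be expressed as a client-side check. This is an added example, not part of the original post and not avast's code; the function names, the suffix list and the rule that single-label hostnames count as private are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: only web schemes are ever looked up
# Constructed heuristic list of internal-only name suffixes (assumption).
PRIVATE_SUFFIXES = (".local", ".lan", ".internal", ".home.arpa", ".localhost")


def is_private_host(host):
    """True when the host should never leave the machine in a lookup."""
    host = host.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: single-label names ("intranet", "localhost")
        # and internal suffixes are treated as private.
        return "." not in host or host.endswith(PRIVATE_SUFFIXES)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def minimise_for_lookup(url):
    """Return the URL that may be sent to a reputation service, or None."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None                     # malformed URL: send nothing
    if parts.scheme not in ALLOWED_SCHEMES:
        return None                     # file:, ftp:, mailto:, ... are never queried
    host = parts.hostname               # excludes userinfo and port
    if not host or is_private_host(host):
        return None
    netloc = f"[{host}]" if ":" in host else host   # re-bracket IPv6 literals
    if port is not None:
        netloc += f":{port}"
    # Rebuilt without userinfo and without the fragment.
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample inputs.
    for u in ("http://username:password@example.com/",
              "http://192.168.1.10/admin",
              "https://intranet/wiki",
              "ftp://example.com/file"):
        print(u, "->", minimise_for_lookup(u))
```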
     
  7. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    ot posts removed
     
  8. nord1

    nord1 Registered Member

    Joined:
    Dec 1, 2010
    Posts:
    126
    TheWindBringeth,

    Still trying to understand how Avast handles the cloud, although Vlk has gone some way to putting me at my ease. So I was looking at Immunet 3 to try and understand the different ways other anti-malware vendors on the cloud handle information sent from an end user's computer.

    Immunet "identifies" suspicious files which are submitted automatically, however, if you worry about this procedure, although it's OptIn, you can OptOut easily. Immunet also says this about the process.

    "Immunet collects tracking information such as your IP address, browser type, the type of operating system you use, details about your computer hardware, the applications you have installed on your PC, the domain name of your Internet service provider, and pages you visited on our Sites. None of the information identifies you personally and we do not link aggregate information to Personally Identifiable Information."
     
  9. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    They say nothing about file identification through cloud. If they use cloud, they have to do it one way or another, but since they don't mention it, no one really knows either...
     
  10. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    And that's a valid point. (And one, I believe, you made before -- in that Avast was more up front with its new EULA by declaring the truth/realities behind using Cloud technology in its latest release.) And it might be that Cloud technology, by default, is going to reveal more info than non-Cloud technology. But given the possible security ramifications, some users might be inclined to decline any product that incorporates Cloud technology as a result, unless or until it's proven that Cloud technology provides a significant improvement over non-Cloud technology. The question is whether or not Cloud technology is basically more advantageous to the consumer, or the a/v company. (Not in terms of exploiting privacy, but in the way the company implements its updates.)
     
  11. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, ppl should also understand that "cloud" for one is not the same "cloud" as for someone else. "Cloud" can be file hosting on remote server or it can be the same word "cloud" which just means partial information lookup on remote servers. With first one, someone could theoretically open that file. Where in avast!'s case of "cloud", all they could see is the filename and location on your disk. Which is a lot different and far less of a privacy issue right?
     
  12. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Another good point. Unfortunately, "Cloud" is now being used so indiscriminately that it's become somewhat of a basket term -- meaning different things to different people.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    I concur that one point of confusion is the term "cloud" itself, as it can be used to refer to any one or more different characteristics of a system. Similar if not identical types of functionality to what we've been discussing have been achieved via legacy architectures that were not called "cloud". If I had to guess, the first time I encountered client software passing hashes and other information about local files to a server so that the server could identify those files and reply with good/bad type information was 20 years ago. IOW, I think in today's world the term "cloud" provides a (possibly strong) clue but I don't think it is guaranteed to communicate whether a specific type of functionality exists.

    Perhaps I missed it, but I haven't seen avast break down exactly what is sent to them as a result of FileRep queries. I saw vlk (?) say hash + metadata but haven't seen the metadata elaborated on. I saw jamesc post in the avast forum a redacted HTTP POST capture which I think demonstrated that the FileRep query is in the clear (intermediaries can capture) and includes the full pathname to the file. It would be good if this were more fully fleshed out.

    Conceptually speaking, it would seem better and in many cases would be better to upload less than complete information about a file vs a full copy of the file. However, whether it IS better depends on the specific context. Two examples:

    Say the file in question is a GIF creator exe. Such an exe might be called "a non-revealing file" because its presence on someone's computer doesn't reveal something sensitive (at least to me anyway). A full-copy upload of a non-revealing file is by extension not an issue. That file could be uploaded without sending full pathname (which of course can be revealing). If it is sent without full pathname, that is better than the avast scenario previously described. If it is sent with full pathname, that is no better or worse than the avast scenario previously described.

    Say the file IS revealing (publicly available encryption tool you use or a program one particular financial institution gives to its customers that have a certain type of account... something you might have acquired via private connection). Full copy *or* hash+metadata approach, a reveal would occur. As for whether the reveal would come to result in actual harm is a separate issue. You can't control the latter, but you can at least try to control... eliminate or reduce... the reveals.
     
  14. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    You expect in depth explanation of things most companies prefer to keep private. Now, security through obscurity doesn't always work, but it helps sometimes. For the most part, 99% of users only care if the feature does the adequate job for what it was intended. In this case, efficiently detecting malware.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Hi Nord1. I haven't started phase 2 yet (looking at other solutions). All I can do at this point is reinforce what I think you already know: the devil is in the details and brief, often broad disclosures aren't going to give you those details. For example, what does "details about the applications you have installed on your PC" mean? Might that include the full pathname to application programs? If so, in some cases that will collect the user's account name (ouch) which in some cases will be the user's full name (ouch), making what is collected personally identifying. Could that happen with <deleted>? Gotta dig for that answer if it interests you. Whatever your concerns are, I would suggest you begin with the assumption that they would be applicable to every AV program you look at and then try to eliminate them based on something credible.
     
  16. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Even name is not a problem imo. After all, i live in a small country and my name and surname appears several times even though it's not even the most common one. Now imagine any other bigger country. It just gets irrelevant without any other details which in avast!'s case, they do not have.
     
  17. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    The reason full pathnames, and to an extent even filenames, are considered potentially sensitive is because there is no way to know how they were chosen and thus there is no way to know what a recipient will have. Examples:

    C:\Documents and Settings\JohnDoe\ChaseBank\Acct5938573598\SecureLogin.exe

    This communicates the user's computer account name, their name, the name of their bank, and the account number at that bank.

    G:\BelchertownClinic2\Patients\JaneDoe\Aug-18-1972\Conditions\Current\CervicalCancer\PET2.exe

    This communicates that a specific medical clinic in a uniquely named small American town has a patient named Jane Doe, her birthdate is Aug 18th, 1972, and she has Cervical Cancer

    N:\Documents and Settings\XYZAccounting\TaxReturns\2012\JohnSmith\FormsReceivedForSSN078051120.exe

    This communicates the name and Social Security Number (an important financial number here in the USA) of XYZAccounting's client.
     
    Last edited: Mar 13, 2012
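The three pathnames in the post above show why a literal path should not accompany a file-reputation query. The following is an added example, not part of the original post and not any vendor's code, of reducing a Windows path to a coarse location token before it is sent; the token names, the output fields and the assumption that paths under the Windows and Program Files roots are installer-chosen are all hypothetical.

```python
from pathlib import PureWindowsPath

# Assumption: paths under these roots are chosen by installers, not users,
# so the relative path is kept. Everything else is reduced to a token.
INSTALLER_ROOTS = {
    "windows": "%WINDIR%",
    "program files": "%PROGRAMFILES%",
    "program files (x86)": "%PROGRAMFILES(X86)%",
}
PROFILE_ROOTS = {"users", "documents and settings"}


def minimise_path(full_path):
    """Reduce a Windows path to the fields a hypothetical lookup would send."""
    p = PureWindowsPath(full_path)
    parts = [s for s in p.parts if s != p.anchor]   # drop the drive, e.g. 'C:\\'
    ext = p.suffix.lower()
    if parts:
        root = parts[0].lower()
        if root in INSTALLER_ROOTS:
            rel = "\\".join(parts[1:])
            return {"location": INSTALLER_ROOTS[root] + "\\" + rel, "extension": ext}
        if root in PROFILE_ROOTS:
            # User name, folder names and file name are all withheld.
            return {"location": "%USERPROFILE%", "extension": ext}
    # Unknown root: user-chosen naming, so nothing but the extension survives.
    return {"location": "<other>", "extension": ext}


# The three paths quoted in the post, plus one constructed installer path.
SAMPLES = [
    r"C:\Documents and Settings\JohnDoe\ChaseBank\Acct5938573598\SecureLogin.exe",
    r"G:\BelchertownClinic2\Patients\JaneDoe\Aug-18-1972\Conditions\Current\CervicalCancer\PET2.exe",
    r"N:\Documents and Settings\XYZAccounting\TaxReturns\2012\JohnSmith\FormsReceivedForSSN078051120.exe",
    r"C:\Program Files\7-Zip\7z.exe",   # constructed sample
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(minimise_path(s))
```

The file's content hash, computed separately, would travel alongside these fields; the file name is dropped because, as the third path shows, it can itself carry an identifier.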
  18. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    If anyone is using such dumb database system it's prone to abuse even without avast!... And i don't think anyone is using such system if it's half serious organization. And even if it does, then you guys should also bring in the discussion other products like Kaspersky, Panda Cloud, Symantec, NOD32 etc etc, because frankly, they all use such systems.
     
  19. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    1. What other products are or are not doing is irrelevant to this discussion.

    2. Discussing/comparing other products in a thread discussing one particular product is a clear violation of the TOS.
     
  20. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    And why should only avast! be pinned on a wall? If we do it, lets do it with everyone or no one.

    TOS only covers childish arguing between 2 brands which is better. If we compare several of them in cases like this, i can't see a reason why that wouldn't be allowed.
     
  21. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Because this is a thread specifically talking about Avast. If you have issues with other programs, then start a thread and discuss those other programs.

    Again...if you want to start a thread discussing all of the different a/v products, and their various EULAs, fine. It's just not appropriate for this thread.

    The bigger question is: Why do you want to bring other products into the discussion in the first place? Have you never heard the expression: Two wrongs don't make a right? (i.e. Even showing that other programs might be doing the same wrong thing does nothing to remove the spotlight from what Avast is doing. And no matter how many people are doing the wrong thing, it doesn't make them right by some sort of majority rule; it simply means they're all wrong.)
     
    Last edited: Mar 14, 2012
  22. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    Well, you're hammering avast! specifically even though you obviously are admitting that every one else are doing cloud things the same way. But you say you don't care about that. You just want to pin avast! on the wall and you are doing just that. What is this, some kind of personal vendetta against avast! ?o_O
     
  23. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Again...this is the Avast forum. We're discussing Avast.

    (You sound like some little child who got caught doing something wrong, and your best defense is to talk about all the other kids who were doing the same thing.)
     
  24. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,570
    Actually its wilderssecurity forum....you are getting confused o_O and personal insults is against the TOS too ;)
     
  25. skbaltimore

    skbaltimore Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    306
    Report it to the mods.
     