Does the free version of Avast sell "anonymized" clickstream data?

Discussion in 'privacy problems' started by mirimir, Feb 7, 2017.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Talking about the Vizio case, AJ007 wrote on HN:
    https://news.ycombinator.com/item?id=13585104

    And moonfern replied, writing:
    That is mind-boggling.
     
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    True enough, @Krusty, but damn. Back in the day, when I was on Windows and used free anti-malware, this was one of my key concerns. And it's my impression that providers used to avoid this stuff, being concerned about bad PR. But now, it seems to be the norm. So it's "OK", because it's in the TOS. And Vizio would have been "OK" if they had disclosed.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Well I don't know if it is OK, but nowadays I expect to pay some way when I get something for "free". Usually the price would be my data.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    Hi @mirimir ,

    I'm not suggesting that all providers do this, there are some with decent intent, but specifically with Avast, I can't see this company spending time developing their AV just to give it away out of the goodness of their heart. At least if you do spend the time to read their EULA you will see it is actually quite clear that they will share data.

    I'm not saying it's right, but hey, software developers want their pay day too.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Sure, but how many people read EULAs?
    So do we all :) But damn, a malware scanner sees every file that you create and open. That's a lot of sensitive data to be selling, even after being (who knows how adequately) anonymized.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    You're right! No argument from me. ;)
     
  8. guest

    guest Guest

Ever heard of a hash?
Do you really believe that an AV scanner uploads every file it scans? Damn, I don't want to be the guy with limited data usage using an AV which uploads 100 GB of data :argh:
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, if a hash is good enough identification for a malware scan, it's still identification, no?
     
  10. guest

    guest Guest

@mirimir identify what? A hash is like the file's DNA; it is a value computed from the file's total bytes. If this value changes, it means the file has changed. It doesn't mean you have access to the file content; you just have a series of numbers.

To use an analogy, the hash is like an anonymous bank account number; everybody can have it, but that doesn't mean they will access the contents.

    https://en.wikipedia.org/wiki/File_verification

Does your DNA possess your knowledge and memory? No (don't point to Assassin's Creed or some fancy vampire movies :p)
     
  11. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
LOL... he means the security soft vendor can associate the hashes (> files) with a user's system. That's if the vendor collects non-anonymized/identifiable user data, stores it, and tracks it. In other words, the vendor can fingerprint a user's system and know what is installed on it. :rolleyes:
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I come back to first trust the vendor and then trust the software. And yep reading the TOS isn't a bad idea.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Indeed, many people should take this advice to heart.
On the other hand, there are also a lot of paid products where the consumer is still the product, and there are free, open-source products where the consumer isn't.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Really don't know what the "big stink" is about. The activity is disclosed in the EULA as noted previously:

    "AVAST may publish or share such information with third parties that are not part of the AVAST Group but will only ever do so after removing personally identifiable information."

    Plus all PII data is removed.

Really wish people would "wise up" to the fact that there is "no such thing as a free lunch" when it comes to free software. My bitch is with security vendors which do like activities with their paid software and don't disclose it.
     
  15. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Microsoft collects far, far more user information than any AV vendor. As an example, do some research about how Microsoft collects information when Office documents are created and modified.

    https://technet.microsoft.com/en-us/library/mt599629(v=office.16)

    It's nothing absolutely terrible, but I'm sure it will send the ultra-privacy-sensitive types through the roof.
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
On that regard, read this: https://privacy.microsoft.com/en-US/windows-8-privacy-statement notably:

    Uses of information
    • We use the information collected to enable the features you're using or provide the services you request. We also use it to improve our products and services. In order to help provide our services, we occasionally provide information to other companies that work on our behalf. Only companies who have a business need to use the information are provided access to them. These companies are required to keep this information confidential and are prohibited from using it for any other purpose.
    This implies that the data Microsoft sends to "other companies" does indeed include PII.

     
  17. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
To be fair, avast! does display an "important, read this" screen during its install procedure, which is a lot more than other software vendors do.
     
  18. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
Of course the other problem with EULAs is they're often vague and even couched in legal jargon that is difficult for the end-user to understand fully.
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, that's what I mean.
     
  20. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
Also, an AV may not upload every file on your system, but usually it does upload every executable file. The reason you don't see tons of uploads and insane data usage is because most files have already been uploaded in the past, and as you said it only has to check the hash with the cloud. They may not be able to reverse the hashes, but since they have the original files as well, it does not matter.
(Of course document file types etc. are usually not uploaded because of privacy, but I was trying to make a point on the lack of practical privacy that hashing gives in this case.)
     
  21. guest

    guest Guest

    so you are wrong
     
  22. guest

    guest Guest

Some may upload unknown/suspicious executables/files, like HMP does, and it will be shown or spotted if you have a network traffic tool.

During a scan, AVs upload checksums, not the file itself.

http://mattgemmell.com/hashing-for-privacy-in-social-apps/

So AVs collect the checksum (a series of numbers), upload this number only, then compare it to the one in their database. The content of the file isn't uploaded.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @guest - Dude, if they can tell from a hash whether a file is malware or not, they obviously have a copy of the file. Maybe not from you, but clearly the same file. And exactly the same file, because otherwise they couldn't know whether or not it was malware. Anyway, so they know that you have this file. And they also know who else, in their database, has this file. And maybe they know more about the file, even what it is. Maybe having that file makes you a person of interest.
     
  24. guest

    guest Guest

    @mirimir

OK, let me explain simply:

1- The AV vendor (let's say Norton) gets the original legit executable and/or hash from the file vendor (let's say Google).
2- They use that file in their whitelist database (google.exe will be whitelisted by hash).
3- Some malware researchers find a zero-day malware (let's say googlefake.exe).
4- The researcher submits it (uploads it) to Norton; from it, Norton has the malware and gets its hash, then puts it on its blacklist/signature. From now on, all detected hashes from googlefake.exe will be deployed to every Norton client via cloud, signature, etc...
5- Google releases google.exe v2 (so it is google.exe with a different hash) but they haven't submitted it yet to Norton.
6- An average dude using Norton AV is the first guy executing it; since the database doesn't have it, it will generate an alert and flag it as "unknown" (because it is neither on the whitelist nor the blacklist).
Now some vendors like Surfright (Hitman Pro) will auto-upload the unknown file for verification (same principle as when someone uploads a file to VirusTotal).

Important point: if your AV is just local-based, there is no upload, because the hash is compared locally. Hence no leaks.

Now answering your questions, in the case you are using a cloud-based product.

1- If they can tell from a hash whether a file is malware or not, they obviously have a copy of the file. Maybe not from you, but clearly the same file.
Answer: points 1 and 4

2- Anyway, so they know that you have this file and they also know who else, in their database, has this file.
Answer: In the worst case of a shady spying vendor, they will just know that customer "x" was infected by malware "x"; not much of a privacy issue there, they don't have any sensitive info from the user.

3- And maybe they know more about the file, even what it is.
Answer: Obviously they know that it is malware "x" or legit file "x". Still no privacy issues.

4- Maybe having that file makes you a person of interest.
Answer: Now you hit pure paranoia, but let's say I follow your paranoia: do you think that, by acquiring a file so dangerous that it makes you a person of interest, you will be flagged only because the AV detected it?
I don't think so; you will be flagged by the authorities as soon as you get the file.

Another example: let's say you are a pedophile owning dozens of videos and photos; even if the AV uploads their hash, they won't know it is illegal content, because the scanner doesn't open, read, or record the file's content.
Using this example and your concerns above, if you were right, fighting pedophiles would be so easy that they would all end up in jail in less than a week. Same goes for all criminals, terrorists, hackers, malware writers, etc., and we will have peace in the galaxy.
So obviously, you are wrong because it can't be implemented. For your points to be right, the only way would be a worldwide system uploading and analyzing every file from each computer in the world, and only if the file isn't encrypted...

Possible? In movies, yes; in real life, probably not.
     
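The whitelist/blacklist/"unknown" lookup described in the post above, together with the point made earlier in the thread (posts 11, 20 and 23) that a vendor which already holds the original file can map a submitted hash straight back to it and can join hash lists across users, as an added example. This is not code from the post, nor from Avast, Norton, Hitman Pro or any other vendor; the file contents, file names, user IDs and list entries are constructed for illustration, and SHA-256 is assumed as the hash function.

```python
"""Hash-based cloud lookup and what a hash alone reveals (added example)."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample "files": the bytes stand in for executables.
SAMPLE_FILES: Dict[str, bytes] = {
    "google.exe":     b"legit build v1 of google.exe",
    "googlefake.exe": b"malicious lookalike googlefake.exe",
    "google_v2.exe":  b"legit build v2 of google.exe",
}


def sha256_hex(data: bytes) -> str:
    """Hex digest of the content; in the modelled flow only this string leaves the client."""
    return hashlib.sha256(data).hexdigest()


# Vendor-side databases keyed by hash, mirroring steps 1-4 of the post: the vendor
# computed each hash from bytes it keeps, so it also keeps the name the hash maps to.
WHITELIST: Dict[str, str] = {sha256_hex(SAMPLE_FILES["google.exe"]): "google.exe"}
BLACKLIST: Dict[str, str] = {sha256_hex(SAMPLE_FILES["googlefake.exe"]): "googlefake.exe"}


def cloud_verdict(file_hash: str) -> str:
    """Step 6: a hash on neither list comes back as 'unknown'."""
    if file_hash in BLACKLIST:
        return "malware"
    if file_hash in WHITELIST:
        return "clean"
    return "unknown"


def reidentify(file_hash: str) -> Optional[str]:
    """What a vendor holding the original can read off the hash alone.

    The hash is not reversed; it does not need to be, because the vendor's own
    tables already pair it with the file it came from. A hash of content the
    vendor has never seen (google.exe v2 here) stays opaque until someone
    submits that file.
    """
    return BLACKLIST.get(file_hash) or WHITELIST.get(file_hash)


# Constructed per-user hash submissions, as a cloud lookup service would log them
# if it kept a user identifier next to each query.
SUBMISSIONS: Dict[str, List[str]] = {
    "user-a": [sha256_hex(SAMPLE_FILES["google.exe"]),
               sha256_hex(SAMPLE_FILES["googlefake.exe"])],
    "user-b": [sha256_hex(SAMPLE_FILES["google.exe"])],
    "user-c": [sha256_hex(SAMPLE_FILES["googlefake.exe"]),
               sha256_hex(SAMPLE_FILES["google_v2.exe"])],
}


def users_holding(file_hash: str,
                  submissions: Dict[str, List[str]] = SUBMISSIONS) -> List[str]:
    """Invert the submission log: which user IDs queried this exact hash?"""
    index: Dict[str, List[str]] = defaultdict(list)
    for user, hashes in submissions.items():
        for h in hashes:
            index[h].append(user)
    return sorted(index.get(file_hash, []))


def inventory(user: str,
              submissions: Dict[str, List[str]] = SUBMISSIONS) -> List[str]:
    """Software fingerprint of one user's system, built only from submitted hashes.

    Names resolve only for hashes the vendor can re-identify; an unknown hash is
    still in the log and becomes identifiable the moment the file is submitted.
    """
    names = [reidentify(h) for h in submissions.get(user, [])]
    return sorted(n for n in names if n is not None)


if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        h = sha256_hex(data)
        print(f"{name:16} verdict={cloud_verdict(h):8} reidentified_as={reidentify(h)}")
    fake = sha256_hex(SAMPLE_FILES["googlefake.exe"])
    print("users holding googlefake.exe:", users_holding(fake))
    print("inventory of user-c:", inventory("user-c"))
```

The two halves make the thread's disagreement concrete: `cloud_verdict` only ever sees a digest, so the file content is indeed never uploaded; but `reidentify`, `users_holding` and `inventory` show that, for any file the vendor already possesses, the digest plus a retained user identifier is enough to learn what is installed where. Whether that is a privacy problem therefore hinges on whether the query log keeps an identifier next to the hash, which is exactly the "anonymized" question the thread title asks.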
  25. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees