Does the free version of Avast sell "anonymized" clickstream data?

Discussion in 'privacy problems' started by mirimir, Feb 7, 2017.

  1. guest

    guest Guest

  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Knowing that you have a particular file may be sensitive information.
    What's sensitive is that it's "x", and that you have it.
    How would "authorities" (whatever they are) know that you got the file? Maybe someone mailed it to you, on a flash drive. Maybe you downloaded it via Tor, or from Freenet, or wherever. And maybe you didn't realize that your AV is snooping on your stuff :(
    The scanner doesn't need to know anything about content. It's the hash that identifies the file as containing "illegal" content. Maybe you don't even have information needed to decrypt it. For example, I have the WikiLeaks insurance file lying around somewhere ;)

    And this, by the way, is not a hypothetical vulnerability. There is a hash database for child pornography, and it's been used to track data transfer in Freenet, resulting in arrests of users. Most of whom probably didn't know what their node was transferring.
     
  3. guest

    guest Guest

    @mirimir you are way too paranoid. You worry way too much about what doesn't really matter. My opinion is unless they can read the content of my files, I don't care.
     
  4. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Don't know how other AV vendors do their checking but at least Avast indeed seems to upload whole files (but maybe whole upload is done only to previously unknown files? It would be terribly ineffective to upload every same exe file again and again from the same computer ....)

    https://blog.avast.com/how-does-avast-detect-new-malware

    From that link:
    Avast has a massive database called FileRep that contains more than 5 BILLION of these kinds of files.

    Every day, 250,000 Windows executable binary files flow through FileRep and go through a 100-point checklist to determine if the files are safe or not. And every day, about 40,000 files are classified as malicious and are locked in quarantine so they won’t hurt you.

    EDIT: And AV vendors definitely can and will track you
    http://www.makeuseof.com/tag/antivirus-tracking-youd-surprised-sends/
     
    Last edited: Feb 8, 2017
  5. guest

    guest Guest

    Yes, this makes sense.
    After they have received one example, they can analyze it and it is now "known" in their cloud/database and the AV-clients don't need to upload the whole file anymore.
     
  6. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Not me, life is too short already.

    And most of those EULAs almost always reserve the right to change it at instant notice anyway,
    so things that were just fine and dandy (example: "We will never sell your private information to 3rd parties")
    will some sunny day be "We will never sell your private information to 3rd parties .... for less than $1000")

    It's just crazy what some software manufacturers stuff in their EULAs :argh:

    http://www.makeuseof.com/tag/10-ridiculous-eula-clauses-agreed/
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Two points:

    1) The privacy/infosec risks associated with exposing hashes are general in nature. They are not limited to the "illegal content" and "person of interest" scenarios. If you imagine what an aggressive dataminer/profile-builder could accomplish by:
    • Collecting hashes for a liberal set of potentially harmful filetypes from huge numbers of machines
    • Correlating hashes with specific machines via sticky/static client IP Address and/or UUID in the phone-home event(s)
    • Maintaining and leveraging a large database of those file hashes and associated file metadata
    • Extrapolating what the collected information reveals in terms of those machines, the people and/or companies that operate them, their hardware/software arrangements and security postures, the various peripheral devices they own and/or interact with, their interests and activities, the entities they have relationships with as revealed by their apps and/or files they have in common, etc, etc.
    It is rather easy to understand why those who place importance on privacy/infosec would consider hash collection a potential threat.

    2) Cloud AV may collect considerably more information than just file hashes. So the potential exposure one has to misuse of information by the receiving party can be significantly greater than what file hash reporting alone would entail. I'm too lazy to look up some of the threads where we talked about that, but the chart from:

    Data transmission in Internet security products (Last Revision: 20th May 2014)
    https://www.av-comparatives.org/data-transmission-internet-security-products/
    (edit: I see Stefan Froberg linked to an article that linked to this)

    does mention some of the things a privacy/infosec oriented person would want to consider. I wish we could convince someone to publish an updated and expanded version of that report.
     
    Last edited: Feb 8, 2017
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
  10. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I suppose some people would worry about postal service workers "steaming" our mail open to read the contents prior to delivering to us if it weren't for the WWW :p
     
  11. guest

    guest Guest

    lol yes they may put their letter in a titanium box with biometric lock lol.

    I'd rather "hide in plain sight" than hide with tons of security features. The more visible the security, the more attention you attract from those you wanted to avoid.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Thanks :)

    So they admit that they collect information. And they admit that they may share it with third parties. But language about "remov[ing] anything that identifies you personally" is iffy. And they don't say anything about LEA policy.

    But hey, it's nice that they have an opt-out policy :)
     
  14. guest

    guest Guest

    @mirimir identify you how? If you don't use your real name, what are the chances of being identified?
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    Avast informs you at installation, and tells you you can opt out at any time, but instead of showing the opt-out in that same window like many competitors do, you have to wait until the installation is complete and then go into the settings and find the opt-out yourself. I guess they made it that way so fewer people will opt out because of the extra effort required.
     
  16. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Uh, that's exactly what happened here a few years ago.

    Local post office opening customer letters, in bulk, so that they could scan them. o_O
    Don't know if they still are doing it but clearly a little law like secrecy of correspondence is a joke in my country.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,872
    Location:
    Outer space
    And that is also what happened before the WWW was here. Go see Das Leben Der Anderen/The Lives of Others. The Stasi were not the only ones doing it..
     
  18. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,240
    Location:
    Among the gum trees
    You don't activate it with an email address now so avast don't know who I am. I guess they could figure it out though with IP address etc.
     
  19. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    The truth is Avast and all the software we use with "open" policies on data gathering are just a grain in the sand. Nobody knows what is really harvested every time we enter the web... I don't doubt even the black suits have their endeavors watched by someone.
     
  20. guest

    guest Guest

    That is not difficult to circumvent then.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    For me, not much. But for those less paranoid, the possibility is pretty real, I think.
     
  22. guest

    guest Guest

    Hehe, less paranoids (aka classic users) won't even care about their file hash getting collected. They use social networks to give away their life for free already :p
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Sad but true :'(
     
  24. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    For me, the balance has now shifted away from that strategy being safer, because of the risks of false positives from mass surveillance (and mass data collection including hash profiles). Since we are now all potential suspects on the end of algorithmic (and likely extremely primitive) selectors for data mining, you can be selected by accident, even if you're in plain sight and "innocent". Real life consequences, no redress or legality, and no human involvement most likely.

    Of course, there are risks to adding security/anonymity features, but for sure, the equation has changed. I also suspect with recent events, recourse to security and anonymity will become less uncommon, thus reducing the risks on that side.
     