Prevx and Privacy

A subtheme in this thread about Prevx and privacy has emerged, and so I’m starting a separate discussion specifically on that subject. Prior comments include:

Can a Prevx user kindly post the current EULA so that the privacy policy can be examined by all? (Thank you.)

 

Here is their privacy policy.

 

Trjam, the link you provided in post #2 appears to be the Prevx website privacy policy. I was seeking to see the privacy policy for the actual Prevx application, which – based upon the comments of PrevxHelp – is contained within the EULA.

Can you kindly upload the current Prevx EULA to this thread? (Thanks.)

 

The EULA is quite long and I'm only on a Blackberry at the moment because I'm at RSA - I'll get it uploaded soon, but you can just uninstall/reinstall and you will see the T&C screen if you click View Terms and Conditions.

 

Here's what I found; emphasis mine:

P.S. Shall I trim for clarity/brevity?

 

Thanks crofttk for the info!

 

What precisely is included within “the attack data”? Does it include:

• Suspicious files
• History of URLs visited by the user
• Configuration information about the user’s PC (e.g., hardware, operating system settings, presence of other anti-virus software)
• Other information?

This restriction appears to be exceptionally “customer unfriendly.” For example, Norton Internet Security has a similar capability (“Norton Community Watch”)—the key difference, however, is that a user can choose to either participate or not participate in the community.

P.S.: Thank you, Crofttk, for posting the EULA.

 

You're both welcome.

I must say, that second piece excerpted by Pleonasm was quite an eye-opener (admitting I hadn't actually read this). That doesn't mean I am hereby P.O.ed but am interested in Joe's and others comments on it.

 

I'm happy that someone, Pleonasm this time, rises this issue. Privacy is my number one concern...fortunately or unfortunately...it's part of my character, I don't like the others to have not even 0.00000000000001 % of my life under their eyes.

Although, I never replied about the marketing story on the other thread ( I wanted but had no time ) to Pleonasm, I'm here supporting Pleonasm's concerns. I don't like much the fact that the discussion goes around prevx, since we could do it in a more general way ( great idea for a thread...check all privacy statements...get infos about how various sec software work privacy-wise etc).

In any case, I have to agree with the 'customers unfriendly' said by Pleonasm about that phrase in point 12 of the EULA.

I have matured an opinion about what companies are trying to achieve with this type of users' partecipation. One and only thing. Create a solid and huge lab, a mine of informations, in order to be able to build valid enterprise products. Getting as customers organizations, companies, governments and other big players is priority number 1 for most of the companies. Actually is there where they can hunt the big money.

So, Prevx's EULA and not only Prevx's say one simple thing. We need you home users...yes we do...we actually need infos from you...because we need to have the knowledge base and the informations in order to build products that we can sell to those clients that bring big money...and hey...we cannot spend resources and time...so if you are not ready to provide data...we don't need you...be sure...that with aggressive prices...intelligent trial types...we'll get soon the test and infos base we need...so...etc. All the rest is a typical privacy policy that they and we know well that is a useless "paper" for the 99.9999% of the home users, since we have no technical means to prove that a company violates its EULA and mainly we cannot afford a court race (if we finally manage to prove something). For sure it's great that an EULA exists, but I don't know if it has any meaning at all in real life.

Again I have to say, I respect Prevx. I don't feel comfortable with the fact we take Prevx as our start point for a discussion that could be easily made for any other security product or all of them.

 

I have to admit, there is merit in your point. Nevertheless, we start somewhere and, if Pleonasm could pardon me saying so, I'm not sure we HAVE to actually restrict the discussion solely to Prevx as long as it gets at the main thread topic in a comparative or contrasting way. Otherwise, I guess another thread could cut a much broader swath.

 

One set of thoughts that seems to match Prevx (and some others) at http://rationalsecurity.typepad.com/blog/2007/12/thinning-the-he.html sums up the model pretty well. The individual hosts are just nodes in an anti-malware network, nodes that collect data and receive the results of collective intelligence in near real time. But key to this is giving the data centers access to system content, activities, and results, not necesssarily personal ID data-although things can't really be anonymous if you want near-real-time email infection warnings like Prevx puts out today, but you aren't required to sign up for My Prevx. And there need to be controls against malicious nodes as well as a lot of Quality Assurance in the data centers which Prevx seems to understand. But attacking the zero day/close in/exotic threats seems to require that kind of attack, and users need to decide how much privacy they are willing to give up to be in it. Holding the data until you get a chance to review it just won't hack it-we are really talking about instrumenting system activities and their impacts, not asking for data from users.
So I am using Prevx, intend to treat them as part of my trusted computing base, and think a lot of interesting things are happening there and elsewhere.

 

As I stated some time ago in another thread, I dislike very much all security products that rely on this type of "community". First, because no matter what their EULA says, sending data about what happens on your computer is a breach of privacy. Sure, they will say they do it anonymously, but I find it hard to belive there is no IP logging of any kind. Also, sending information about the security status of my computer to a third party is IMO a very bad idea.
Second, security based on this kind of "community" model is flawed. Security software should answer to a problem on a particular computer based on what happened there, not on what other users said in a similar situation. There is a dangerous trap here for the software companies that use this model: even if their products use other types of signature/behavior analysis methods, they tend to give the "community" the final word, and that can make them be more careless in implementing the real signature/behavior analysis methods (i.e. after all, even if we made a mistake when we programmed the HIPS, our tool will use the community and find out if the executable is malware or not, isn't it?)

 

I understand pleonasm's interest in the topic, but keep in mind, this applies to all products nowadays.

So if you feel you've uncovered a 'gold nugget', I agree with 'NoIos' and 'crofttk', prevx most likely won't be doing anything different from any other security vendor.

The topic should be renamed to 'community based protection' and privacy.

I've read section 12, and it says twice about focussing on ensuring a user is 'anonymous' - We do not receive or record any personal data that can or will be used to identify you or your computer.

If they were doing otherwise, and this applies to every company, staff usually are the ones quick to report any unethical behaviour.

So I'd take a deep breath and rest easy. Until I see facts, to me it's just 'what ifs' and 'heresay'. I mean, what if microsoft was taking all my system, use and browsing info while I perform an update? What if your ISP is storing all your data, what are you going to do, use a couple of tin cans and string to communicate?

 

Threatfires Privacy Policy

Similar model to Prevx for some threats.
Note :you can opt out of threatfire's community protection.

 

After reading the EULA I have no problem with my Privacy and will continue to use an support Prevx

TH

 

If PrevX do not receive IP and other machine related info (beside the malware info), how come I get emails from PrevX everytime my PrevX find something?
That means, my IP or some other info IS sent to PrevX, how else do they know that it was my computer?

 

Hello all,
The reason for the blunt statement of "either allow the data or don't use the product" is that the analysis really DOES require the data. There is simply no way to detect the newest threats if we don't know what to look for so we are forced to send up the data. It would be like saying you want to be protected against viruses using a standard AV but you don't want the AV to read the files on disk... it simply isn't a feasible request and if you disagree that strongly with our model then you really shouldn't be using our products.

Signing up for MyPrevx associates your license key with an email address/notification so at that point the data is aggregated, but that is only triggered by a user action - before that point the data is anonymous.

As other products move into the "cloud", it is going to be impossible to desire complete anonymity, and frankly, users probably don't have complete anonymity currently with conventional AVs anyway - the request to download signature files has to send up data identifying the machine or at least the IP address.

In regards to the data collected - the data is about the programs themselves and the behavior they create. We do not collect historic data of URLs visited by the user, but we do collect some information about the user's PC, including which AV they're using and what OS they have, as well as some other high-level pieces of data.

All of the data which we collect is directly used for security reasons. Some of the pieces of data are there "by accident", i.e. the IP address is included simply because it is an internet communication resulting in server logs - every website's privacy policy mentions the collection of IP data because there really isn't a way to NOT collect it, especially if you want to investigate potential attacks against your server.

To be frank, we really aren't interested in who you are - we're interested in protecting you. To do that as best as possible, we require some information but I assure you that we are legitimate with the data which we collect.

 

And as long as our Data is safe at your end then again I see no problem using Prevx 3.0

TH

 

I agree with Triple Helix. And the bottom line is READ the info before agreeing to or purchasing anything. I'll stand behind Prevx and thank them for all their hard work at keeping my computer safe.

 

Agreed. As long the data is safe there, who cares...

 

Why would you collect data "including which AV they're using and what OS they have, as well as some other high-level pieces of data." I don't want to use Prevx unless the collection is restricted to what Prevx detects and data that can't be helped.

 

AV data and OS data is extremely important.

We use the OS data to apply logic about threats targeting OS components and to facilitate cleanup - during cleanup, we check if any OS component is infected or replaced by malware and we then download the correct, original version from our servers and install it back over the infected copy. If we didn't have OS data, this wouldn't be possible

AV data is used as an extra way of determining the security of the endpoint. If we see that a user doesn't have an AV installed or that they are missing critical patches, we apply harsher heuristics against unknown files as they will be statistically more prone to getting infections.

AV data and OS data both also allow us to track down problems within the community - we're able to see, in realtime, the number of users using certain AVs on certain OSs that are also using our products so we immediately know if something caused a wide-ranging incompatibility which allows us to correct issues very quickly.

Hope that helps

 

that is still good enough for me.

 

Holy cheesenuts! You back again!?

 

PrevxHelp, can you kindly address this critical question? Your comment that “we do collect some information about the user's PC, including which AV they're using and what OS they have, as well as some other high-level pieces of data” is helpful, but appears not to be exhaustive. Please provide a complete listing of what specific information could be collected by Prevx.

On a more general point, it seems to me that the definition of “attack data” could be fluid and could, in theory, mean anything that Prevx wants it to mean at any moment in time. In other words, Prevx alone is both “judge & jury” in deciding what constitutes “attack data” and, as a consequence, the company has complete freedom under the terms of the privacy policy to upload anything from the user’s PC at the company’s own discretion simply by adjusting its own internal definition of “attack data.”

NoIos and Saraceno, you are correct. I called it “Prevx and Privacy” because this thread was a branch from a prior threat specifically about Prevx, but the concepts are more broadly applicable to any cloud-client anti-virus solution.

The problem, Saraceno, is that the determination of what personal data could be used to identify the user is a subjective judgment. For example, does Prevx upload not only a suspicious file but also the path (folder) in which it was found? What if the suspicious file is within C:\Users\<user> on a Windows Vista system? In that case, Prevx has uploaded and retained the user name, a clear breach of privacy, in my estimation.

What if Prevx has detected malicious code in a PDF exploit, or a malicious macro in a Microsoft Word document, or malware stored in an NTFS alternate data stream on a Microsoft Excel file? Will Prevx upload a PDF or a Word document or an Excel spreadsheet, each of which may contain personally identifiable information? Based on the existing privacy policy of Prevx, the answer, unfortunately, appears to be “yes.”

PrevxHelp, can you kindly expand upon this explanation? You seem to be implying that the anti-virus scan is run entirely within the cloud—i.e., that all files are uploaded and scanned on your servers rather than on the client PC, which is obviously not feasible from a practicality perspective. Thus, I must be misunderstanding the process.

Also, consider this alternative used by McAfee in their cloud-client anti-virus solution: “This new technology (Artemis) looks for suspicious {executables, object code, DLL} files, and when found it sends some kind of checksum (with no personal/sensitive data) to a central database server hosted by McAfee AVERT Labs” (see AV Comparatives – McAfee Artemis). Why couldn’t Prevx upload only a MD5/SHA1 hash of a suspicious file, thereby enhancing and protecting the confidentiality of the user’s information?