Avast 7 Free ( Privacy )

[PrivacyMatters]

Weren't you answered in your concerns about privacy?

Tech, your assurances in the forum are fine, but I and (especially) the company I work for have to go by what we agree to in writing. And the written EULA does not make me feel comfortable with Avast's protection of our privacy. Especially given how much it has changed from the privacy policy in previous versions. Here's the link to the privacy policy for version 6: http://www.avast.com/privacy-policy. Compare that to the privacy section in the new EULA, they are (as I said before) vastly different.

To igor, the phrase you quoted is contradicted by other sections in the agreement -  the "generally" phrase I mentioned before, and especially section 8.3:

8.3  Information about the sender and subject of emails identified by the Software as potentially infected, together with the information on the nature of identified threats;

I find it hard to see how this can be done truly anonymously. And it's not just incoming email, Avast can scan outgoing email as well, which then identifies me as the sender. Even if the sender's name isn't used, combining an IP address with the subject of an email and providing that information to anyone other than the intended recipient of the email crosses a line that I'm not comfortable with.

Look, other people may be totally fine with this. But as has been stated by others, most people don't bother to read the EULAs, and I'm just suggesting that people carefully read the EULA for themselves and make their own decision.

[Lisandro]

The layers have the final word. The EULA must apply to all countries around the world and all situations.
But, what matters to me and all avast users is what avast do with any information and how could it handle it privately.
The seriousness of the company is what concerns. The trustfulness of our users.
But, for sure, if you don't trust in your security company, it is better to move.

[igor]

List of IP addresses and e-mail subjects would certainly appear rather personal to me, too (but before you said that, something like that has really never cross my mind... I mean, e-mails and their subjects are hardly of any interest. Anything like building a list of sent/received e-mail is certainly not done, besides the privacy issues, what would it be good for?)
If the IP addresses are used for anything, then it's some geographical distribution of something (i.e. statistics). Single IP address is irrelevant (and the pure amount of data basically prevents the exact matching you might be imagining).

My guess (but it's my personal opinion, I didn't know that the EULA has been changed anyhow) is that the change is simply the lawyers trying to avoid any possible liability for any unexpected/hypothetical future problems (after all that's what EULAs are generally for, right?). The previous EULA has been written a long time ago by who knows who... and probably needed some "facelift".
I'm certainly not aware of any changes in data processing, and I believe no non-agregated (i.e. identifiable) personal information should be given to anyone (with the exception of the registration data for the reseller you purchased the license through, if they already don't have that info).
But I can understand that what I'm saying doesn't really change what is written there.

[Pindakaas]

List of IP addresses and e-mail subjects would certainly appear rather personal to me, too (but before you said that, something like that has really never cross my mind... I mean, e-mails and their subjects are hardly of any interest. Anything like building a list of sent/received e-mail is certainly not done, besides the privacy issues, what would it be good for?)

Maybe for investigation , if it is requested by a law order , or other investigation by other company's who might have some use for it ( marketing wise )

[igor]

Well, that's quite a hypothetical scenario... if we were really ordered something like that by the law, I don't know if they would ask us whether our EULA permits that. But the user would already have to be identified somehow (we couldn't really enable such logging for all users, the servers wouldn't survive such load), and releasing a special program version just to handle a particular user... I really don't think that would happen. If this is your only worry about that, then you can sleep peacefully

As for marketing... I can imagine using some of the information we already have for our own marketing, but selling users information to 3rd party companies, for unrelated marketing, that would IMHO be way over the line a security company could do. And as I said, the user base is big and the servers have limited resources (not mentioning the subsequent processing), so adding submissions of unrelated stuff (at the expense of the needed information - false alarms, malware/heuristic detections etc.) is rather unlikely.

[FlyingRobot]

Here's the link to the privacy policy for version 6: http://www.avast.com/privacy-policy. Compare that to the privacy section in the new EULA, they are (as I said before) vastly different.

I ran an avast 6.0.1367.0 setup program on a machine with avast 6 already installed.  You can see the "main page" in attachment one.  The "End User License Agreement" link at the top, when clicked, caused a temporary eula.txt file to be created and displayed.  This EULA had no privacy section.  The Privacy Policy link under "Improve avast...", when clicked, initiated a GET http://www.avast.com/go.php?verb=privacy-policy-community&src=setup&lang=eng and that ultimately took me to the same page or content as the URL you posted above.  Said content appears to be a simple privacy policy applicable to the avast website rather than the software.  I'm not sure the link always took you to the same destination page as that is controlled by the webserver and theoretically something could have changed.

I took a look at where avast 6 had previously been installed.  There is an EULA text file down in there.  It has a modified date of Feb 22, 2011 and a creation date of March 6, 2011.  Various other files have a creation date of March 6, 2011 such that I believe that is when avast 6 was installed on the machine.  A quick Google suggests that may have been shortly after it was released.  I took a look at the corresponding PDF at http://www.avast.com/eula.  That PDF has a PDF creation date and modification date of Feb 22, 2011.  I compared ONLY the privacy section in that PDF to the privacy section in the EULA text file in the installation directory.  The privacy sections are identical (I copied the section text into txt files, cleaned up some white space differences, then verified the hashes matched).

Based on this, it appears to me that what we see at http://www.avast.com/eula is what was shipped with avast 6 but not necessarily what someone saw when they clicked on the setup program privacy policy link.

[Pindakaas]

This information gets collected by Avast ,



8.1 URLs of visited websites that the Software identifies as potentially infected, together with the information on the nature of identified threats (e.g. viruses, Trojans, tracking cookies and any other forms of malware) and URLs of several sites visited before the infection was identified to ascertain the source of the infection;
8.2 Information and files (including executable files) on your computer identified by the Software as potentially infected, together with the information about the nature of identified threats;
8.3 Information about the sender and subject of emails identified by the Software as potentially infected, together with the information on the nature of identified threats;
8.4 Information contained in emails reported by you as spam or as incorrectly identified as spam by the Software;
8.5 Copies of the files identified by the Software as potentially infected or parts thereof may be automatically sent to AVAST for further examination and analysis;
8.6 Certain information about your computer hardware, software and/or network connection;
8.7 Certain information about the installation and operation of the Software and encountered errors or problems;
8.8 Statistical information about threats detected by the Software; and
8.9 If your version of the Software includes the Website reputation function, which provides information on reputation of web sites as potential sources of malware, and you set the Website reputation function to active, the Software may send AVAST the URLs of all websites you want to visit and the results of your web searches through search engines.

This is what they do with it ,

The information collected by the Software is generally not correlated with any other personal information related to you that AVAST may be processing such as information given by you to AVAST or its distributors or agents during the process of ordering and downloading the Software. Unless you have permitted otherwise, the information collected by the Software is used anonymously in aggregation with similar information from other users of the Software for analytical purposes to identify new viruses and threats and for improvement and development of the Software and for statistical purposes.


And it gets worse ,

The collected information may be transferred to third parties or to other countries that may have less protective data protection laws than the country or region in which you are situated (including the European Union). AVAST takes measures to ensure that any collected information will receive an adequate level of protection if and when transferred. Notwithstanding anything to the contrary in this Agreement or any Documentation or other materials provided to you in connection with the Software, AVAST reserves all rights to cooperate with any legal process or government inquiry (including, but not limited to, court orders and law enforcement requests) related to your use of the Software. In connection with such cooperation, AVAST may provide documents and information relevant to a court subpoena or government or other legal investigation, which may include disclosure of your personally identifiable information. AVAST may also use statistics derived from the collected information to track and publish reports on security risk trends.

No personal information gets send ?
It gets send to even other country's and also for court orders and law enforcements request.
And they can also use the info to track and publish reports on security risk trends.

How is that safe ?

Why does Avast need to send information to foreign country's with less protective data laws ?
For the legal isseus i can understand , if it gets a court order , but most AV vendors give information out free will.
If the information is send to the other country's , the other country's can send the info to yet another country or company , and so on , so it goes worldwide.

My opinion is only send information to company's who have similar privacy policy , and only send info to the company that you actually need to send information , for example transactions.
Not for marketing , that is my opinion , a antivirus is there to protect you in general , not with double standards.

[igor]

The text says "other country ... than the country in which you are situated".
That's quite obvious - after all, AVAST Software itself is located in a different country unless you're Czech (and we certainly don't have special storage in every possible country in the world to keep the "local" data there) - so it applies to any possible submit there is.

[Lisandro]

Also some comments of RejZoR here: https://www.wilderssecurity.com/showthread.php?t=319578
Could make things clearer.

[Pindakaas]

Firefox says that the connection is not secured , wierd

[Pindakaas]

The text says "other country ... than the country in which you are situated".
That's quite obvious - after all, AVAST Software itself is located in a different country unless you're Czech (and we certainly don't have special storage in every possible country in the world to keep the "local" data there) - so it applies to any possible submit there is.

I live in the Netherlands , to what country is it transferred then ? , to Czech Republic then right ?

[igor]

Definitely.

[Pindakaas]

Definitely.

 ?

[Hermite15]

Definitely.

 ?

http://g.co/maps/c9kgj

[igor]

Yes, the company is located in Prague, so there's where the data go, too.