1 Rookie

 • 

5.8K Posts

October 23rd, 2014 16:00

Avast!'s and Panda's EULAs

It has been a while since I scrutinized the EULA of any AV I've used, but I've seen some chatter
that avast! has been spying on customers. So I've appended some excerpts from their current EULA,
and leave it to others to figure out what it permits them to do:

AVAST END USER LICENSE AGREEMENT
(FREE VERSION)

... 8. Privacy; processing of personal information

The Software collects certain information, which may include personally identifiable information,
from the computer on which it is installed, including:
8.1 URLs of any websites you have visited;
8.6 Certain information about your computer hardware, software and/or network connection;

AVAST may publish or share such information with third
parties that are not part of the AVAST Group but will only ever do so after removing personally
identifiable information.

The collected information may be transferred to third parties or to other countries that may have less
protective data protection laws than the country or region in which you are situated (including the
European Union). AVAST takes measures to ensure that any collected information will receive an
adequate level of protection if and when transferred. Notwithstanding anything to the contrary in this
Agreement or any Documentation or other materials provided to you in connection with the Software,
AVAST reserves all rights to cooperate with any legal process or government inquiry (including, but
not limited to, court orders and law enforcement requests) related to your use of the Software. In
connection with such cooperation, AVAST may provide documents and information relevant to a
court subpoena or government or other legal investigation, which may include disclosure of your
personally identifiable information.

Notwithstanding anything to the contrary in the AVAST privacy policy, you consent during the term of this Agreement and for one (1) year thereafter to (i) AVAST sharing information collected by you during your purchase, installation or registration of the Software with AVAST’s distributors and other business partners and (ii) use of such information by AVAST, its distributors and other business partners to present you with information that may be relevant to you, including offers of software, services or other products.

http://files.avast.com/files/legal/eula-avast-free-2015.pdf

[emphasis added]

Panda's AV EULA is a bit more problematic, in that I was referred to a legal document on their website,
written in Spanish. I might have to enlist Hernan to interpret. However the part I see written in
English says:

... for the purpose of contracting and using the program, the licensee may have to give PANDA certain
personal data. The licensee is hereby informed and gives consent to the processing of his/her personal
data, which is facilitated to PANDA as a consequence of the contracting and use of the program, in
order to access information or services provided by PANDA or to maintain the contractual relationship
or to send marketing information by any means including electronically. PANDA informs the licensee
that it will treat such personal data in accordance with current applicable legislation and as established
in its Privacy Policy. The licensee can access the Privacy Policy at:
http://www.pandasecurity.com/spain/enterprise/media/legal-notice/#e10

(This last link takes me to a Spanish language website - Panda is based in Spain - sneaky!)

I have no reason to believe that paid AVs use privacy policies that are any better.

 

1 Rookie

 • 

2.2K Posts

October 24th, 2014 08:00

I think they are saying in a legalistic way that they are, indeed, selling your personal and browsing information to the highest bidders!  :emotion-6:

3 Apprentice

 • 

15.2K Posts

October 24th, 2014 12:00

Avast's official response
https://forum.avast.com/?topic=157693.msg1140066#msg1140066



Quote
A couple of days ago, howtogeek.com published an article about Avast and accused us of spying on our users. Given that the article contains a number of inaccuracies I feel it is necessary to react. As these are some pretty serious allegations, I also hope that we will be given some room on their site to defend ourselves. We requested the opportunity to discuss the author’s findings, but he declined to do so.
 
The article basically says that Avast used the SafePrice browser extension to spy on its users. That the SafePrice extension (which they first call “adware”) collects all URLs that the user visits, and then sends them to the cloud, together with a user ID. To demonstrate the problem, they used Fiddler (a free browser monitoring tool) to dissect the requests being generated by SafePrice and found the user ID in some of the requests, concluding that the product is “spying”. Finally, they say that all of this was true up until last week when we made SafePrice a standalone extension (removed it from the main Avast Online Security extension).
 
Let me start by saying that Avast’s browser extensions, together with some other modules inside Avast, rely heavily on cloud functionality. That is, in the particular case of URL scanning, we do transfer the URL the user is visiting, together with additional metadata to the Avast cloud, which then does the necessary processing and synchronously returns the answer. By scanning URLs in the cloud, Avast is able to detect malicious activity, from viruses and malware, phishing and hacking. You may not realize but collecting URL information for this very purpose is extremely common in the security industry, as this information is essential to providing this kind of service.
 
Now, regarding Avast SafePrice. SafePrice searches the web and offers its users the best price possible when shopping online from sites we trust, safeguarding users from possible online scams. While formerly the user had to do research and visit price comparison portals, SafePrice now offers automated help to find the best and trustworthy offerings. Avast SafePrice sends data to our server regarding the products our users are looking for and the URLs they are visiting. All personally identifiable information is stripped in real time, so the shopping data is completely anonymous. Again, I don’t think this can come as a surprise to anyone – I mean, did you expect SafePrice to have all the product IDs and all the offers stored locally? That just doesn’t make sense at all.
 
Originally, SafePrice was indeed part of the main Avast browser extension (as the article suggests). However, as most of the people in this forum know, in July 2014 we changed the strategy and moved it to a separate extension. The installation of this extension is now completely voluntary (on an opt-in basis) and its presence doesn’t influence Avast’s efficiency to block malicious sites. Since we have made this change, SafePrice accumulated almost 3 million installs just from the Chrome Web Store alone and became the most popular shopping extension for Chrome.
 
By the way, the other allegation was that Avast pushes SafePrice while recommending that users remove other similar browser extensions via Avast Browser Cleanup (BCU). I have explicitly checked our BCU database of community ratings and found that all the major shopping extensions, including PriceBlink, InvisibleHand, Shoptimate, and Groupon have good ratings and are not recommended for removal by BCU. Only those that our community of users have assessed as poor are so recommended.
 
One of the other issues raised by the article was whether the user ID is PII (personally identifiable information) or not, and why it is being transferred. The Avast user ID is a random, machine-generated ID that is created during the installation of the product. So by itself, it is certainly not a piece of PII. And the reason we include it in the request is because context is very important. The efficacy of a security product is severely limited if requests are done without a context, i.e., if it is not possible to tie them together into a “stream”. And in the case of SafePrice, we use the user ID just to be able to count our active users. In general, we really don’t see anything bad in doing this, in fact, if we were, we would have probably tried to hide what we’re doing in some way – while, as the author of the article uncovered quite easily using Fiddler, the user ID is there just as a regular json field. Which makes me even more frustrated, as it is very likely that if we actually made the field less noticeable, the article probably wouldn’t have been written. We’re not trying to hide anything.
 
Now, the key is not only what information is collected, but also what is done with the collected information and how the user is informed about the collection process. Avast is committed to protecting its customers on all fronts, which is why we inform our users, even beyond our EULA and Privacy policy, that their browsing information will be collected but stripped of personally identifiable information and used to improve services, such as online web security. We actually tried to make this very, very explicit, and that’s why we have the screen (attached) in the Avast installer.
 
As you can see, the title of the screen says “Please Don’t Skip This – Read it Carefully”. Honestly, I don’t know how to make it more explicit than this.
 

If you have any additional questions, I’d be happy to answer them.

Thanks,
Vlk

1 Rookie

 • 

5.8K Posts

October 24th, 2014 19:00

When I started this thread, I specifically didn't link or refer to that howtogeek article. I didn't find it well written, and it seemed like a rant. It is not a site I frequent, nor am familiar with. It did however spur me to do a bit of research.

I haven't used avast! in a couple of years, but certainly do not recall seeing any of the advertising graphics pictured in the article. Then again, I have most cookies blocked, and seldom get any ads in any of my browsers. I did not wish to address the specific issues raised in that article, but would note that what few ads I receive do not seem to be targeted at me based on previous searches. And I certainly did not switch to Panda because of any ads or search results related to avast!

But I thought it would be timely to review the Privacy Policies of both avast! and Panda Free AVs for comparison, to generate some discussion. Frankly, I was disappointed with both EULAs. The "notwithstanding" clause from avast! was just obscure legalese, which seems to contradict previous clauses to let them share info with whomever they want, and Panda chooses to hide its Policy with Spanish.

I tend to agree with Dale, and always assume that when I register and provide personal info to any vendor, at least some of that info is collected and made available to "business partners" and "third parties" for marketing purposes. All I can do to mitigate this is to configure my cookie policies in a given browser (especially blocking 3rd party cookies), use a junk email account, never give my real name, and to use a good ad-blocker.

 

1K Posts

October 25th, 2014 18:00

Panda's AV EULA is a bit more problematic, in that I was referred to a legal document on their website, written in Spanish. I might have to enlist Hernan to interpret. However the part I see written in
English says:


Hi Joe.

I am finally in. Thanks to Stacy and Robert. Also to ky331 who contacted Robert.

About the Panda EULA. To tell you the truth it does not sound like an EULA because it does not talk about the program but the site, and what it might collect by the use of cookies. There is a small paragraph where Panda Security is named, but I do not know if it is referring to the program.

Now, it explicitly says that private information of the user can be shared with other Panda Security establishments around the world and resellers; however, it also says it is done in accordance with some law in their organic civil code and international agreements to protect the privacy of the users.

I think all this mess, like you said, is just ranting. Which program does not collect info? Which site does not collect info? What do they do with it? Well, I believe there are laws about it. Aren't there?

A big company like Avast, Panda, Google, Facebook, even a site like How To Geek, if they share or sell the info they collect without sanitizing it (with private info about the users), have a lot to lose. I have seen it lately visiting sites where there is a warning that they use cookies to see what one is doing, and if one does not want to agree to it the site does not work. Other sites just warn you and it is one's decision to continue or not. Also you see it more and more when installing programs (like Avast): beside the EULA you get another window warning you, so there is nothing sneaky about it.

1 Rookie

 • 

5.8K Posts

October 25th, 2014 20:00

Thanks Hernan for the Panda info.

I figured you must have been having login problems. Good to see you are back.

Obviously all downloaded software and website registrations require collection of some personal info. What is done with this info is anyone's guess these days. The EULAs have become too obscure to determine what the privacy policies really allow. The days when these policies would simply say "we will not share your personal info with anyone" are gone, it seems. Now we get confusing subordinate clauses, and 5 page EULAs that would require a lawyer to interpret.

All I can say is that in all the years I used avast! and Panda, I never was targeted by adware.

3 Apprentice

 • 

15.2K Posts

October 26th, 2014 05:00

Welcome Back, Hernan... great to see you again  :emotion-2:

EULAs have become a joke, as it's generally acknowledged that most users don't bother to read them at all.   Let's face it:   if you really want that program... especially if it's a paid one and you've already bought it... you have little (practical) choice other than to accept its EULA.

Whether actually true or just an "urban legend", there's the classic story about a EULA including a clause "agreeing to give up your first-born son to the software's authors"... likely a test to see if ANYONE bothered to read it :emotion-4:

1K Posts

October 26th, 2014 09:00

Thanks. Thanks to everyone.

All I can say is that in all the years I used avast! and Panda, I never was targeted by adware.

There has been its share of PUPs for Avast users because Avast comes with its protection for PUPs and suspicious files deactivated by default, making it vulnerable to the click, click syndrome most of us suffer when installing programs or surfing the web, but otherwise, Avast has not tried to sell me or directed me to any place, nor have any of my mails been targeted by spammers.

EULAs have become a joke, as it's generally acknowledged that most users don't bother to read them at all.   Let's face it:   if you really want that program... especially if it's a paid one and you've already bought it... you have little (practical) choice other than to accept its EULA.

Indeed. I am an Avast user at heart. Although I have tried other AVs like Norton, McAfee, Panda, and AVG, I always return to Avast, and maybe I should not say this but look at the warning windows Avast displays. It says "We promise". It is a joke. It should say "We agree or abide". It sounds like a little boy promising his parents he will be good.

Also true. What else can you do after buying the program? Ask for a refund? It is sometimes a time-consuming and frustrating procedure.

Whether actually true or just an "urban legend", there's the classic story about a EULA including a clause "agreeing to give up your first-born son to the software's authors"... likely a test to see if ANYONE bothered to read it :emotion-4:

I've never heard that, but then again I do not read all EULAs because I need the program anyway.
I guess it is just a matter of what else one can do to protect one's privacy. You can decide not to allow cookies from third parties, or browse completely in Private. Also run an ad block program or OpenDNS, or configure your HOSTS file with the MVPS Hosts file. Even go so far as to run a VPN program, which are becoming more popular nowadays. And you also have the 10 minutes e-mail for those sites where you do not want to give your real mail.
I am not saying all these will keep you hidden on the web, but they would give you some protection and advantage. Now, if you want to be invisible, fully, unplug the modem and router, and do not log in ever because nothing is private on the web anymore.