Avast 7 Free (Privacy)

I ran an avast 6.0.1367.0 setup program on a machine with avast 6 already installed. You can see the “main page” in attachment one. The “End User License Agreement” link at the top, when clicked, caused a temporary eula.txt file to be created and displayed. This EULA had no privacy section. The Privacy Policy link under “Improve avast…”, when clicked, initiated a GET http://www.avast.com/go.php?verb=privacy-policy-community&src=setup&lang=eng and that ultimately took me to the same page or content as the URL you posted above. Said content appears to be a simple privacy policy applicable to the avast website rather than the software. I’m not sure the link always took you to the same destination page as that is controlled by the webserver and theoretically something could have changed.

I took a look at where avast 6 had previously been installed. There is an EULA text file down in there. It has a modified date of Feb 22, 2011 and a creation date of March 6, 2011. Various other files have a creation date of March 6, 2011 such that I believe that is when avast 6 was installed on the machine. A quick Google suggests that may have been shortly after it was released. I took a look at the corresponding PDF at http://www.avast.com/eula. That PDF has a PDF creation date and modification date of Feb 22, 2011. I compared ONLY the privacy section in that PDF to the privacy section in the EULA text file in the installation directory. The privacy sections are identical (I copied the section text into txt files, cleaned up some white space differences, then verified the hashes matched).

Based on this, it appears to me that what we see at http://www.avast.com/eula is what was shipped with avast 6 but not necessarily what someone saw when they clicked on the setup program privacy policy link.
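The comparison described in the post above (pull the privacy section out of each copy, clean up whitespace differences, compare hashes), as an added example that is not part of the original thread. The heading pattern, the function names and all sample texts are constructed assumptions, not the real EULA.

```python
import hashlib
import re
import unicodedata

# Assumed top-level heading style, e.g. "8. PRIVACY" (sub-clauses like "8.1" do not match).
HEADING = re.compile(r"^\s*(\d+)\.\s+[A-Z]")

def extract_section(text, number):
    """Return top-level section `number`, from its heading up to the next heading."""
    out, inside = [], False
    for line in text.splitlines():          # splitlines() also handles CRLF
        m = HEADING.match(line)
        if m:
            inside = int(m.group(1)) == number
        if inside:
            out.append(line)
    if not out:
        raise ValueError(f"section {number} not found")
    return "\n".join(out)

def normalize(text):
    """Fold layout-only differences: ligatures and NBSP (NFKC), wraps, runs of whitespace."""
    text = unicodedata.normalize("NFKC", text)
    return re.sub(r"\s+", " ", text).strip()

def section_digest(text, number):
    return hashlib.sha256(normalize(extract_section(text, number)).encode("utf-8")).hexdigest()

def same_section(a, b, number):
    """True only if the two sections are identical apart from layout differences."""
    return section_digest(a, number) == section_digest(b, number)

# Constructed samples: a PDF-style export (ligature, NBSP, hard wraps) and a CRLF text file.
PDF_TEXT = (
    "7. TERMINATION\nThis licence ends on breach.\n\n"
    "8. PRIVACY\n8.1  URLs of visited websites identi\ufb01ed as\n"
    "potentially infected;\n8.2\u00a0Statistical information about threats.\n\n"
    "9. GOVERNING LAW\nPlaceholder clause.\n"
)
TXT_TEXT = (
    "7. TERMINATION\r\nThis licence ends on breach.\r\n"
    "8. PRIVACY\r\n8.1 URLs of visited websites identified as potentially infected;\r\n"
    "8.2 Statistical information about threats.\r\n"
    "9. GOVERNING LAW\r\nPlaceholder clause.\r\n"
)
# Same file with one word of clause 8.2 changed: the digests must differ.
ALTERED_TEXT = TXT_TEXT.replace("8.2 Statistical", "8.2 Personal")

if __name__ == "__main__":
    print("PDF vs TXT section 8 identical:", same_section(PDF_TEXT, TXT_TEXT, 8))
    print("PDF vs altered section 8 identical:", same_section(PDF_TEXT, ALTERED_TEXT, 8))
```

A matching digest only shows the section text is the same after layout normalization; it says nothing about the rest of the document or about what a web link served at the time.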

This information gets collected by Avast:

8.1 URLs of visited websites that the Software identifies as potentially infected, together with the information on the nature of identified threats (e.g. viruses, Trojans, tracking cookies and any other forms of malware) and URLs of several sites visited before the infection was identified to ascertain the source of the infection;
8.2 Information and files (including executable files) on your computer identified by the Software as potentially infected, together with the information about the nature of identified threats;
8.3 Information about the sender and subject of emails identified by the Software as potentially infected, together with the information on the nature of identified threats;
8.4 Information contained in emails reported by you as spam or as incorrectly identified as spam by the Software;
8.5 Copies of the files identified by the Software as potentially infected or parts thereof may be automatically sent to AVAST for further examination and analysis;
8.6 Certain information about your computer hardware, software and/or network connection;
8.7 Certain information about the installation and operation of the Software and encountered errors or problems;
8.8 Statistical information about threats detected by the Software; and
8.9 If your version of the Software includes the Website reputation function, which provides information on reputation of web sites as potential sources of malware, and you set the Website reputation function to active, the Software may send AVAST the URLs of all websites you want to visit and the results of your web searches through search engines.

This is what they do with it:

The information collected by the Software is generally not correlated with any other personal information related to you that AVAST may be processing such as information given by you to AVAST or its distributors or agents during the process of ordering and downloading the Software. Unless you have permitted otherwise, the information collected by the Software is used anonymously in aggregation with similar information from other users of the Software for analytical purposes to identify new viruses and threats and for improvement and development of the Software and for statistical purposes.

And it gets worse:

The collected information may be transferred to third parties or to other countries that may have less protective data protection laws than the country or region in which you are situated (including the European Union). AVAST takes measures to ensure that any collected information will receive an adequate level of protection if and when transferred. Notwithstanding anything to the contrary in this Agreement or any Documentation or other materials provided to you in connection with the Software, AVAST reserves all rights to cooperate with any legal process or government inquiry (including, but not limited to, court orders and law enforcement requests) related to your use of the Software. In connection with such cooperation, AVAST may provide documents and information relevant to a court subpoena or government or other legal investigation, which may include disclosure of your personally identifiable information. AVAST may also use statistics derived from the collected information to track and publish reports on security risk trends.

No personal information gets sent?
It even gets sent to other countries, and also for court orders and law enforcement requests.
And they can also use the info to track and publish reports on security risk trends.

How is that safe?

Why does Avast need to send information to foreign countries with less protective data laws?
For the legal issues I can understand, if it gets a court order, but most AV vendors give information out of free will.
If the information is sent to the other countries, the other countries can send the info to yet another country or company, and so on, so it goes worldwide.

My opinion is to only send information to companies who have a similar privacy policy, and only send info to the company that you actually need to send information to, for example transactions.
Not for marketing, that is my opinion; an antivirus is there to protect you in general, not with double standards.

The text says “other country … than the country in which you are situated”.
That’s quite obvious - after all, AVAST Software itself is located in a different country unless you’re Czech (and we certainly don’t have special storage in every possible country in the world to keep the “local” data there) - so it applies to any possible submit there is.

Also some comments of RejZoR here: https://www.wilderssecurity.com/showthread.php?t=319578
Could make things clearer.

Firefox says that the connection is not secured, weird.

I live in the Netherlands, to what country is it transferred then? To the Czech Republic then, right?

Definitely.

?

http://g.co/maps/c9kgj

Yes, the company is located in Prague, so there’s where the data go, too.

Initially.

What are you implying with that? avast! is not selling the data to anyone. Why don’t you go accusing Kaspersky, Symantec, AVG and everyone else as well? They use very similar techniques and mechanisms of collecting data. I’d really like to hear what avast! has done to deserve all this. I’d really like to hear that.

Why should I go to them? I don’t want to use their products. Well, I did use Norton before, but I removed it from my computer because they do not take your privacy seriously; they are even known to put holes in their security for federal malware (I don’t know if they still do it, but), and AVG is spreading their toolbars in a lot of wrappers, which I do not like either. But that’s not my point now. I wanted to try something else; I wanted to try Avast. That is why I ask these questions, so I can make up my mind if I want to install it or not.

And I’m not saying Avast is bad or something. They are improving and improving their security products; they have one of the best (if not the best) free antivirus products in the world, but I’m not doubting that. I want to know about privacy. If I like something and I want to try it, I want to make sure I am satisfied with it. If I didn’t want it I wouldn’t even bother posting a thread; I can’t fight the whole world.

So, how many times do we have to repeat the same thing that avast! is:
a) not intentionally mining personal data
b) not selling or distributing it to anyone

So why do I read this then:

8.1 URLs of visited websites that the Software identifies as potentially infected, together with the information on the nature of identified threats (e.g. viruses, Trojans, tracking cookies and any other forms of malware) and URLs of several sites visited before the infection was identified to ascertain the source of the infection;
8.2 Information and files (including executable files) on your computer identified by the Software as potentially infected, together with the information about the nature of identified threats;
8.3 Information about the sender and subject of emails identified by the Software as potentially infected, together with the information on the nature of identified threats;
8.4 Information contained in emails reported by you as spam or as incorrectly identified as spam by the Software;
8.5 Copies of the files identified by the Software as potentially infected or parts thereof may be automatically sent to AVAST for further examination and analysis;
8.6 Certain information about your computer hardware, software and/or network connection;
8.7 Certain information about the installation and operation of the Software and encountered errors or problems;
8.8 Statistical information about threats detected by the Software; and
8.9 If your version of the Software includes the Website reputation function, which provides information on reputation of web sites as potential sources of malware, and you set the Website reputation function to active, the Software may send AVAST the URLs of all websites you want to visit and the results of your web searches through search engines.

The above information gets sent too:

The information collected by the Software is generally not correlated with any other personal information related to you that AVAST may be processing such as information given by you to AVAST or its distributors or agents during the process of ordering and downloading the Software.

The collected information may be transferred to third parties or to other countries that may have less protective data protection laws than the country or region in which you are situated (including the European Union).

Or am I seeing things wrong? Then correct me.

The EULA is the EULA. You read it, and if you do not like it, I suggest you change products.

You quote the EULA, and then ask if you are wrong? Of course you are not wrong, you directly quoted the EULA. “Seeing things wrong”? Your eyes work fine.

It is almost like you are testing?..comparing every statement to the EULA, waiting for some kind of “AH-HA!!” moment when all your darkest fears are revealed to be true and justified. But you already had your moment when you read the license agreement. It is as clear a statement as you are going to get from any company, written with legal help to help protect against liability.

This question was already answered.

This question was already answered.

The changes in the EULA are obviously related to the new Avast features.
WebRep is one thing – as the URL database is in the cloud, it’s quite obvious that the URLs are being transferred to our servers. Similarly for FileRep (file hashes + metadata).
This is basically how these things work (the database cannot be stored locally, simply because it’s a multi-terabyte thing).

Regarding the “personally identifiable information” clause - please note that the term “personally identifiable” is quite stringent. For example, the IP address is considered as “personally identifiable” (at least in the European jurisdiction). Yes, we have to work with your IP addresses (because that’s how communication on the Internet works). Yes, we do store server-side logs (containing this info), as without them, we wouldn’t be able to troubleshoot any infrastructure problems.

Regarding the transfer of the information to third parties or to other countries. Well, this is a bit subtler. We reserve the right to work with technology partners, and if useful, share some information with them (e.g. number of users running each version etc). The clause is probably a little too vague (or too scary) - the EULA was written by our law firm and they always try to put in more than less.

(Same applies e.g. to the tracking cookies mentioned there – avast currently doesn’t do anything with these but they’re still mentioned there)…

Thanks
Vlk

Regarding the avast 7 WebRep:

  • What portion of the URL is sent to avast? Just hostname? Hostname and some path? Hostname, path, and query params?
  • Will WebRep send such information to avast when the user is visiting a site via HTTPS? If so, is that only done when a user is using a search engine via HTTPS (to provide reputation info for sites listed in the results) or is it also done in some other cases?

Regarding the avast 7 FileRep:

  • What is the metadata that is sent? Does it vary based on filetype?
  • A wide range of filetypes can contain some kind of threat (executables, various “office” type files that support macros, at least some types of media files, some image files too IIRC). Will FileRep only send you information about traditional executable file types or will it also send information about such other filetypes?

PS: I hope you understand that some of us aren’t casting aspersions regarding your handling of information. We just want to understand what the software on our machine might send to you.

OK, thanks for clearing that up. You say, if useful, share some information with them, like the number of users running each version; what else?

Because the number of users running each version is not really personal information.

I ask much, but I want to be sure.