http://www.howtogeek.com/199829/avast-antivirus-was-spying-on-you-with-adware-until-this-week/
I am speechless!!! :o :o :o >:( >:( >:(
I’m not.
All this information is already mentioned on the avast website.
Guess they didn’t read it and also not the EULA.
Thank you Kenny. The article contains a lot of incorrect information and mixes some facts together (such as the traffic generated by SafePrice and the traffic generated by the URL and antiphishing requests). We are preparing a more concise answer, please stay tuned.
Yes an explanation would be good?
VLK, thank you, can’t wait
We wouldn’t want this to slip from the front page would we…
A couple of days ago, howtogeek.com published an article about Avast and accused us of spying on our users. Given that the article contains a number of inaccuracies I feel it is necessary to react. As these are some pretty serious allegations, I also hope that we will be given some room on their site to defend ourselves. We requested the opportunity to discuss the author’s findings, but he declined to do so.
The article basically says that Avast used the SafePrice browser extension to spy on its users. That the SafePrice extension (which they first call “adware”) collects all URLs that the user visits, and then sends them to the cloud, together with a user ID. To demonstrate the problem, they used Fiddler (a free browser monitoring tool) to dissect the requests being generated by SafePrice and found the user ID in some of the requests, concluding that the product is “spying”. Finally, they say that all of this was true up until last week when we made SafePrice a standalone extension (removed it from the main Avast Online Security extension).
Let me start by saying that Avast’s browser extensions, together with some other modules inside Avast, rely heavily on cloud functionality. That is, in the particular case of URL scanning, we do transfer the URL the user is visiting, together with additional metadata to the Avast cloud, which then does the necessary processing and synchronously returns the answer. By scanning URLs in the cloud, Avast is able to detect malicious activity, from viruses and malware, phishing and hacking. You may not realize but collecting URL information for this very purpose is extremely common in the security industry, as this information is essential to providing this kind of service.
Now, regarding Avast SafePrice. SafePrice searches the web and offers its users the best price possible when shopping online from sites we trust, safeguarding users from possible online scams. While formerly the user had to do research and visit price comparison portals, SafePrice now offers automated help to find the best and trustworthy offerings. Avast SafePrice sends data to our server regarding the products our users are looking for and the URLs they are visiting. All personally identifiable information is stripped in real time, so the shopping data is completely anonymous. Again, I don’t think this can come as a surprise to anyone – I mean, did you expect SafePrice to have all the product IDs and all the offers stored locally? That just doesn’t make sense at all.
Originally, SafePrice was indeed part of the main Avast browser extension (as the article suggests). However, as most of the people in this forum know, in July 2014 we changed the strategy and moved it to a separate extension. The installation of this extension is now completely voluntary (on an opt-in basis) and its presence doesn’t influence Avast’s efficiency to block malicious sites. Since we have made this change, SafePrice accumulated almost 3 million installs just from the Chrome Web Store alone and became the most popular shopping extension for Chrome.
By the way, the other allegation was that Avast pushes SafePrice while recommending that users remove other similar browser extensions via Avast Browser Cleanup (BCU). I have explicitly checked our BCU database of community ratings and found that all the major shopping extensions, including PriceBlink, InvisibleHand, Shoptimate, and Groupon have good ratings and are not recommended for removal by BCU. Only those that our community of users have assessed as poor are so recommended.
One of the other issues raised by the article was whether the user ID is PII (personally identifiable information) or not, and why it is being transferred. The Avast user ID is a random, machine-generated ID that is created during the installation of the product. So by itself, it is certainly not a piece of PII. And the reason we include it in the request is because context is very important. The efficacy of a security product is severely limited if requests are done without a context, i.e., if it is not possible to tie them together into a “stream”. And in the case of SafePrice, we use the user ID just to be able to count our active users. In general, we really don’t see anything bad in doing this, in fact, if we were, we would have probably tried to hide what we’re doing in some way – while, as the author of the article uncovered quite easily using Fiddler, the user ID is there just as a regular json field. Which makes me even more frustrated, as it is very likely that if we actually made the field less noticeable, the article probably wouldn’t have been written. We’re not trying to hide anything.
Now, the key is not only what information is collected, but also what is done with the collected information and how the user is informed about the collection process. Avast is committed to protecting its customers on all fronts, which is why we inform our users, even beyond our EULA and Privacy policy, that their browsing information will be collected but stripped of personally identifiable information and used to improve services, such as online web security. We actually tried to make this very, very explicit, and that’s why we have the screen (attached) in the Avast installer.
As you can see, the title of the screen says “Please Don’t Skip This – Read it Carefully”. Honestly, I don’t know how to make it more explicit than this.
If you have any additional questions, I’d be happy to answer them.
Thanks,
Vlk
Thx for explanation Vlk. Btw, I assume SafePrice is standalone only for Chrome, because for Firefox I still have it inside AOS settings. Not sure if it was pre-checked or not though, but it’s still there.
Yes, I don’t see anything out of line (sinister) here at all. I’m sure some may,
The added Screen certainly informed the user of intentions
No worries
VLK…thank you
Thanks for the explanation.
The author may not have wanted this printed but there’s always another way to get the message across:
http://discuss.howtogeek.com/t/avast-antivirus-was-spying-on-you-with-adware-until-this-week/20550/26?u=bob3160
I’ve never believed in that stuff a) because it was incorrect b) I’ve trusted avast more than 10Y and it served me well, why should I believe 8) c) people, read the information in the setup
And VLK, thanks for even more detailed explanation
Thanks Vlk. Sad that the author does not want to discuss.
Anyway, I will be thinking twice (or more) on recommending Howtogeek from now on (if they don’t change their policy).
It is in their FB too. And I was not able to be so gentle as Bob was commenting this >:(
They did reply to my post and claim that they were never contacted by Avast:
http://discuss.howtogeek.com/t/avast-antivirus-was-spying-on-you-with-adware-until-this-week/20550/28?u=bob3160
Being gentle is just a way to catch them with honey before you kill them with insecticide.
I think you should join that discussion (using a disposable e-mail address or alias) to post your response. But then that just might fan the flames over there while the author grins in having an even more active discussion. You want to defend yourself but instead the ignorants giggle and pee.
(Update: I see someone posted a link there to this thread.)
Although you try to make it evident regarding the usage policy, the problem is with lazy users. How many actually read the EULA presented to them during an installation? I recall 2 products that I aborted their installs because I didn’t agree with the EULA. Most users don’t read the EULA. They’re too lazy. Reading skills have waned. Maybe the EULAs should be animated and show cartoon characters explaining it, like in Jurassic Park (http://www.youtube.com/watch?v=iMsJe3TymqY). Alas, anything longer than 8 seconds will get skipped (http://www.statisticbrain.com/attention-span-statistics/). It’s obvious the author (and his immediate respondents) never read the EULA or anything in the install screens. Click, click, click is all they do. If you want to upset them or slow them down, just put a borderless Next button at the top middle of the screen instead of at the usual bottom right location. I’ve seen some EULA screens that, at least, require the user to scroll to the bottom of the EULA window before the Next button gets enabled.
“in the particular case of URL scanning, we do transfer the URL the user is visiting, together with additional metadata to the Avast cloud, which then does the necessary processing and synchronously returns the answer.”
WOT (Web of Trust) and McAfee SiteAdvisor would have to do the same thing. After all, somehow they would have to see where you visit to know what reputation to return to you. Yet one respondent to the article mentioned he would switch to WOT. Not a clue has he. By the way, if you ever bothered to join WOT and then looked at the comments on why some users rated a site the way they did, you’d realize that WOT is worthless. Too much retaliation and too many ignorant raters. Besides, you usually get a nondescript yellow alert (unrated site) because the vast majority of sites are not listed in their database. They have 10 million sites rated out of 1 billion for all of 1% coverage (http://news.netcraft.com/archives/category/web-server-survey/) and with ratings by inexpert users. It didn’t take but a few days to drop WOT after seeing mostly yellow markers and reading inane comments by raters. The spam/scam/phish sites go dead in a few days as the cybercriminals are constantly rotating through new domains while trying to push traffic to them during their short lifespan. I’ve deemed web reputation as worthless. I don’t install the one in Avast, either.
These boobs probably don’t even know all the sites they visit are collecting similar information from them, like using Google Analytics. Someone tweaks their ears about Avast and since it’s news to them then they’re obviously ignorant about all the other sites collecting metrics on them. They want to revert to 1994 but forget how there wasn’t much “web” back then. Someone every few years regurgitates the Flash cookie scare while totally ignorant of DOM storage in all web browsers. Searching the web for information has become a practiced art in knowing what to cull out as crap. Many aren’t even datestamped so you can’t determine their relevancy.
Ever see that commercial where the gal is waiting for her date to show up who is a French model because he said so on the Internet (http://www.youtube.com/watch?v=X-pHe879l60). The sad part is there are a LOT of netizens just as dumb. The scammers love 'em.
I am still not convinced by their answer, does not sound solid :
I just find it funny how they attack avast! just because they had nothing to hide and left the ID there visible to the user. I bet 3/4 of other vendors collect more data with unique IDs as well and submit all of it in an encrypted stream of data to their cloud. But since they can’t exactly catch it with a Notepad, it’s somehow not their problem and they don’t get bothered by that fact. They just seem to jump at avast!.
All this noise sure generated a lot of traffic on their webpage… Like I said, sensational news is sensational. They weren’t after the truth really, they just want the clicks and visitors… If they were after the truth, they’d inspect other vendors as well, but they just couldn’t be bothered with that…
Folks, let’s not crucify Howtogeek either, his heart is in the right place and many individual points in the article are accurate. Our issue is that it then draws a nefarious conclusion instead of a more innocent conclusion. After the article came out, we requested a call with him for myself and possibly Ondrej to understand his research, discuss it, etc. Initially this was accepted and we set a time.
A few hours later, we got an email cancelling it. Here is that message in total: “Upon further consideration, I believe there is little value in having a meeting with the CEO and COO of Avast at this time. The article written is based entirely on documented research and analysis over a lengthy timeframe and How-To Geek stands by this article. How-To Geek’s single objective is to provide information that will help the users. Avast is free to publish any statement regarding their product or respond to our article.”
The point he has recently complained about is we did not state that he invited us to make a public statement. As you see, in the last paragraph he did do that. However, I found it unusual that he thought we needed his permission to make a public statement and thus did not acknowledge that “permission”. We of course did make one which you read from Ondrej.
As a company we try our best to be honest and straightforward with our users. Can we do better? Of course and that is why we constantly make changes in what we do. The fact of the matter though is that all purveyors of free products need to make money and we try various initiatives to do so. Some work and some do not. But in all cases, we ensure our users and their data are not abused. For example, we have totally stayed away from advertising which many of our competitors with toolbars are heavily into.
Howtogeeks surely supports themselves with advertising. From what I see that advertising involves both targeting and retargeting. When I visit the site, I see ads from Bitdefender and AVG, an advertisement for a somewhat scammy PC cleanup product/service, and a huge banner ad for Norton. These ads are probably all based on the content of the article–antivirus. But, there is also an advertisement for flights to Argentina and for OpenTable. These came from re-targeting as I was searching for such flights yesterday as we are going there for the 2015 product launch and I was making dinner reservations on OpenTable for a dinner with my wife. Now, these ads are surely all served up by the Google ad networks and Howtogeeks probably has little or no involvement in what ads are placed but many argue that advertising retargeting violates the privacy of the user (as the user when visiting the website gets no notification that their past browsing behavior will be examined and relevant ads served) and the advertising of scammy services on such a trusted site gives the scams an aura of credibility.
But the point here is Safeprice. Is it perfect? Of course not. Are we hiding anything? Of course not. Will we improve it? Of course. In anything we do though, we will be open and will not abuse the trust of our users.
I never could understand why a shopping extension was introduced into a browser safety and web reputation extension. Think about it.
Anyway, thanks for the heads-up.