Hi everyone
AV-Comparatives just published a study which analyzed the data transmitted from each AV product back to the vendor of that product. It can be found on their website. There has been a fair amount of chatter on various forums about the study raising concerns that internet security vendors could be capturing private data and sharing it with others.
First, we agree that the study on Data Transmission done by AV-Comparatives is a welcome and worthwhile area for discussion and investigation. In this time of deteriorating personal privacy protection, we should all be concerned about what data is shared and with whom.
Second, and very importantly, Webroot has stated in the past and states again that we have no arrangement or agreement with any government agency, in the U.S. or any other country, for sharing data, nor have we been asked to make such an arrangement. We respect and comply with all laws where we do business and do nothing to break or circumvent those laws.
Third, we did not respond to AV-Comparatives questionnaire for this study. So we assume they reached their conclusions about the data we use from our User License Agreement. Our License Agreement describes data we commonly use to make malware determinations as well as data we may need to use in special circumstances (like where we have to push an urgent update out to a specific set of agents or send an urgent communication to a user.)
As you on this forum understand a lot better than other computer users (except maybe the criminals who are writing malware) the AV community needs data to defeat malware. Limiting data collected to a simple file hash does nothing to catch malware the next time it appears because the stuff is polymorphic. To even have a fighting chance you need to collect some data that can help you make behavior-based determinations. Things like OS level, basic hardware configuration, source URLs, and process information are essential to making a successful determination the next time you see this type of file.
One suggestion in the study is that a user should be asked to agree each time a computer is scanned whether she wants to send this data or that data. If that were implemented, we would end up with a lot of unprotected users. So we should discuss practical solutions that address concerns for privacy, but balanced against the user’s need for protection against increasingly dangerous and aggressive malware attacks.
As we said, this is a good area for discussion. We do not think implying that internet security vendors are all privacy invaders is constructive. But we thank AV-Comparatives for raising an important issue.
AV-Comparatives Data Transmission study comments
+6Fundamentally, AV is a closed-sourced product given root-level access to your machine and free to install its own updates. You are delegating to have access higher than yourself.
If you are going against the highest levels of the United States government, running Windows, and running US-based antivirus, you are negligent. I know that's blame the victim, but at a certain point you are attempting to prove a negative. In computer software. Yeah. I wouldn't go up against Russia running Kaspersky, either.
Although I agree with the overall push of their document and think it's important for consumers to know, limiting data can limit efficacy. Have fun with partial-picture, daily virus updates of virus hashes finding anything.
However, Webroot needs to be more transparent, and more trustworthy. You need to disclose the access controls, auditing programs, and layers of assurance Webroot takes in protecting data from outside AND INSIDE threats.
Whose job is it in your company to make sure you're accountable. To your rules and guidelines? To your reputation? To me? Who identifies the risks your customers will see in your armor and procedures and be their advocate? And how passionate are they about that?
This is a rant I would make to any company. If I didn't trust Webroot - trust me - I wouldn't be here. I live my life every day knowing the immense power and inspective abilities you have over my endpoints. Over my company. And I delegate them to you, every year. But if I didn't have the benefit of experience, of earned trust over years and products, what would I think as a customer? Perhaps I am an isolated case, to consider these things.
If you are going against the highest levels of the United States government, running Windows, and running US-based antivirus, you are negligent. I know that's blame the victim, but at a certain point you are attempting to prove a negative. In computer software. Yeah. I wouldn't go up against Russia running Kaspersky, either.
Although I agree with the overall push of their document and think it's important for consumers to know, limiting data can limit efficacy. Have fun with partial-picture, daily virus updates of virus hashes finding anything.
However, Webroot needs to be more transparent, and more trustworthy. You need to disclose the access controls, auditing programs, and layers of assurance Webroot takes in protecting data from outside AND INSIDE threats.
Whose job is it in your company to make sure you're accountable. To your rules and guidelines? To your reputation? To me? Who identifies the risks your customers will see in your armor and procedures and be their advocate? And how passionate are they about that?
This is a rant I would make to any company. If I didn't trust Webroot - trust me - I wouldn't be here. I live my life every day knowing the immense power and inspective abilities you have over my endpoints. Over my company. And I delegate them to you, every year. But if I didn't have the benefit of experience, of earned trust over years and products, what would I think as a customer? Perhaps I am an isolated case, to consider these things.
---------------------------------------- Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise administrator over 2000 clients First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester Find me on Twitter!
1 person likes this
Mike, many thanks for posting and sharing important and valuable informations.
Redards,
Mike
Redards,
Mike
+2While the possiblity of sharing data with intellegence agencies is alaraming, the implication that all of these stats are being recorded with the inclusion of personally identifiable information is moreso. For me, the fact that none of the data can be tied to any one account sort of makes sharing data a moot point, because it cannot be tied to any individual.
How does webroot handle this? Does it gather personally identifiable information? And store it? The AV-Comparatives report seems to indicate that it is recording user IP as well as the machine name. Sanitizing the data would be in the users best interest, I think, because even if you do not deliberatly share this information does not mean that someone cannot at a later time gain access to it. As we've seen, organzitions, even security organizations can get hacked, and if all of that data is sitting there with personally identifiable information on a webroot server and some hacker manages to get ahold of it, that's far mor alarming to me than any intellegence agency grabbing hold of it..
How does webroot handle this? Does it gather personally identifiable information? And store it? The AV-Comparatives report seems to indicate that it is recording user IP as well as the machine name. Sanitizing the data would be in the users best interest, I think, because even if you do not deliberatly share this information does not mean that someone cannot at a later time gain access to it. As we've seen, organzitions, even security organizations can get hacked, and if all of that data is sitting there with personally identifiable information on a webroot server and some hacker manages to get ahold of it, that's far mor alarming to me than any intellegence agency grabbing hold of it..
Reply
Login to the community
No account yet? Create an account
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.