Why are McAfee, Avast and Symantec free? They collect and sell your data! (updated)

Did you ever wonder why companies like Oracle or Adobe always want to install unwanted software such as McAfee along with their free Java or Acrobat Reader?

Or why so-called “Best Antivirus Software” such as Avast or Symantec comes for free from your provider or pre-installed on your PC?

Are those companies so generous? Do they only want your best?

You guessed it: No, of course not. They want money. Not just your money.

They get paid for every single installation of this unwanted piece of software!

So why is that?

Because the unwanted software collects your data, and its makers sell it.

OK, you don’t believe me, right?

So here is an example:

Avast recently confirmed that they collect your data while running on your PC and scanning for viruses (see here if you don’t believe me).

Jumpshot is selling your data for just as much as US$ 500 per month per account! (See their pricing on www.jumpshot.com.)

Avast claims that they don’t make money out of that, but do you believe this?

Do you believe McAfee, Ask with their Ask Toolbox and others don’t make money from collecting your data?

I personally don’t.

UPDATE:

It’s a funny coincidence that Tim Cook talked about the very same subject yesterday. His speech at the Electronic Privacy Information Center (EPIC) is really worth reading and most of what he said speaks my mind. You can find his speech on The Verge.

He said for instance:

“You might like these so-called free services, but we don’t think they’re worth having your email or your search history or now even your family photos data-mined and sold off for God knows what advertising purpose,” … “And we think someday, customers will see this for what it is.”

Don’t trust the evil!

Regards,

Marcus


Scary Piwik findings – Update 3

Maybe not all of you know what Piwik is. It is a very nice tool for website statistics. I like this tool especially because it offers features to hide and even not record visitors’ IP addresses and private information while still generating nice and good website statistics. So I would basically call it the opposite of Google Analytics.

Since Piwik is getting increasingly popular, many websites have started using it, but as so often, even Piwik requires some basic understanding of PHP, Linux and server security. Some website admins seem to be blinded by the easy user interface and assume it is just as easy to configure.

Obviously that’s not the case. There are several open (and even worse: half-done) Piwik installations out there which can easily be accessed by anyone. Such installations are quite dangerous for the web admin because they reveal a lot of important inside information about the server configuration, and it will not take much to use such an installation to hijack a complete server.

You may wonder how such servers can be found. This is also quite easy, and in this case Google is our friend (in other cases I would reject this statement vehemently). As mentioned a few posts ago, Google can be used to search for URLs with specific parameters if you prefix your search term with

allinurl:

So in the case of Piwik you can enter

allinurl: "piwik/index.php"

which will give you a list of websites where Piwik is installed. It is funny enough just to browse through these findings, which often contain error backtraces and error logs.

I was even (not) more surprised that some installations even allowed anonymous access with admin privileges. To check for this, one just needs to add either this:

/index.php?module=UsersManager&action=anonymousSettings

or this

/index.php?module=Installation&action=systemCheckPage

to the URL from the Google result list, right after

.../piwik

So for instance

http://www-nice-website/piwik/index.php?...

becomes

http://www-nice-website/piwik/index.php?module=UsersManager&action=anonymousSettings

UPDATE 1:
There seems to be an issue with Piwik that makes it possible to download statistics even if there is no view access. If you add

?module=API&method=Live.getLastVisitsDetails&idSite=1&period=month&date=2015-05-01&format=Tsv&token_auth=anonymous&expanded=1

you will get a nice Excel or CSV file with the website details of Site=1 (change to any other number for additional websites).
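For admins who want to know whether their own Piwik installation has been probed this way, the following added example (not part of the original post and not Piwik code) scans web server access log lines for the three request patterns named above. The log lines, IP addresses and the combined log format are constructed assumptions; `classify` and `audit` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined format); addresses are documentation ranges.
SAMPLE = [
    '203.0.113.7 - - [02/Jun/2015:10:01:00 +0000] "GET /piwik/index.php?module=UsersManager&action=anonymousSettings HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jun/2015:10:01:05 +0000] "GET /piwik/index.php?module=Installation&action=systemCheckPage HTTP/1.1" 403 312 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Jun/2015:10:07:41 +0000] "GET /piwik/index.php?module=API&method=Live.getLastVisitsDetails&idSite=1&period=month&date=2015-05-01&format=Tsv&token_auth=anonymous&expanded=1 HTTP/1.1" 200 88211 "-" "curl/7.40"',
    '192.0.2.10 - - [02/Jun/2015:10:08:00 +0000] "GET /piwik/piwik.php?idsite=1&rec=1 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]

# (module, action) pairs taken from the post.
PAGES = {
    ("UsersManager", "anonymousSettings"): "anonymous settings page",
    ("Installation", "systemCheckPage"): "installer system check",
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def classify(url):
    """Return a label if the request matches a pattern from the post, else None."""
    q = parse_qs(urlsplit(url).query)
    module = q.get("module", [""])[0]
    action = q.get("action", [""])[0]
    if (module, action) in PAGES:
        return PAGES[(module, action)]
    if module == "API" and q.get("token_auth", [""])[0] == "anonymous":
        return "API call as anonymous (" + q.get("method", ["?"])[0] + ")"
    return None

def audit(lines):
    """Return (client_ip, label, answered_with_200) for every matching request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, url, status = m.groups()
        label = classify(url)
        if label:
            findings.append((ip, label, status == "200"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A 200 status only shows that the request was answered; compare the response size with that of the login page to confirm whether data was actually served to an anonymous visitor.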

UPDATE 2:

I did contact the German “Piraten Partei” before I wrote this blog post. So far: no answer. Meanwhile they responded to the press that they intentionally left the Statistics open to the public. This is fair enough as there is nothing to hide.

However, two questions remain:

  1. Why don’t they tell us that they are collecting our information (especially search queries, website referrals and exit sites)? In their website disclaimer (even on Andrea Bogners website) they say “Eine Speicherung von Verbindungsdaten … erfolgt nicht” which means “we don’t store connection data”, which is obviously wrong.
  2. If they intentionally left their Piwik stats accessible, why don’t they officially link to these stats? Is there just an elitist circle who had or has access to these stats?

UPDATE 3:

Please read this separate post for a further update.

Best Regards,

Marcus