
Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data

Avast, the cybersecurity software company, is facing a $16.5 million fine after it was caught storing and selling customer information without their consent. The Federal Trade Commission (FTC) announced the fine on Thursday and said that it’s banning Avast from selling user data for advertising purposes.

kworpy ,

Can't believe a company with a notorious history of spying on users is at it again for the 234th time!

danielfgom ,

They should be put out of business and those responsible jailed

swordgeek , (edited )

This is fucking garbage.

When a company gets caught with their hand in the cookie jar, it's not a punishment to put one of the cookies back.

Fines should be ten TIMES what the company made from their misbehaviour, not ten percent.

EmperorHenry ,

That is one of two reasons why I stopped using their software.

Too many scare-ware screens and too much bloatware that you have to be mindful about not installing.

crusty ,

Cost of doing business

EvilEyedPanda ,

Jesus christ right!! I'm curious how much they made off that data.

ilinamorato ,

Five years ago, I posted on Reddit about how Avast had installed a browser without my consent and set it as default while I was out of town and away from my computer. That post has had comments added to it several times a year ever since, meaning that they're still trying that nonsense. They stole my data without my consent by importing all of my browser data, and now it's come out that they blatantly sold it without my consent as well.

I said it then, and I say it now: If you install something without my knowledge or consent, you're a virus, plain and simple.

Chocrates ,

Do we know how much money they made on it? If it was more than $16.5 then it was still a good step on their balance sheet.

This stuff needs to be fined at the full income they made from the tool plus some penalty. Corporations only care about their balance sheets.

Tier1BuildABear ,

And people still think they can trust password managers lmao

FinalRemix ,

Why? What's wrong with Keepass?

Slovene ,

Keep ass?

Burn_The_Right ,

Sign me up!

Slovene ,

OK, but you need to come down to the War Farts Center.

Tier1BuildABear ,

Who knows? I just keep track of my own passwords so when the rest of you find out I won't be a part of it lol. Everyone on lemmy is so anti Google and anti Microsoft because of what they do with your data, that it's actually hilarious that so many just freely give EVERY SINGLE PASSWORD for their accounts to password management apps, like nothing bad could ever come from it.

If you can keep track of your passwords yourself, why take such a massive gamble?

ilinamorato ,

You're smarter than the collective wisdom of the entire cybersecurity community, I see. Researchers who have been doing this for decades have nothing on you. People with peer-reviewed studies and bucketloads of data are like pawns in the face of your vast intellect. When FOSS password managers fall, you'll be the only one left standing and the world will bow at your feet. Certainly you are the first person to have ever thought of this.

Tier1BuildABear ,

Be a sarcastic ass all you want, at least I can remember a password without relying on some random company lol. You keep giving all your passwords away though, no skin off my back

ilinamorato ,

One password. Yes, that's the problem. Thank you for so eloquently disassembling your own inane point.

Tier1BuildABear ,

I'm sorry you can't even remember one. Maybe work on reading comprehension first. Have a great life!

ilinamorato ,

You said "a password." That's one. I think my reading comprehension is just fine, but I admire your commitment to misunderstanding the point at every turn. It solidly explains why you're against password managers when literally everyone who knows anything about Internet security is for them.

Oh, I can remember far more than one. But I can't remember the 687 that I have currently stored in Bitwarden. Can you? Can you accurately and correctly remember six hundred and eighty-seven unique and distinct passwords? 687 unique and distinct passwords that are long and complex enough to be difficult to guess? Can you constantly monitor all 687 accounts for when they show up in data breaches? Can you recognize all 687 login screens for when they're spoofed for a phishing attack? Remember, some of those are banks! You've probably given a couple of them your SSN! There are 687 potential land mines out there. Good luck!

Tier1BuildABear ,

Jfc I don't fucking care whether or not you believe me, do whatever you want with your passwords.

I could use "A" breath of fresh air
I could go for "A" bite of pizza
I can remember "A" password where you can't

Next time use context clues

Now please shut the fuck up, this entire interaction with you has been enough for the rest of my life, and at this point you're literally the last person I would ever listen to about passwords. Have a good "A"!

ilinamorato ,

I also don't like to be wrong, so I understand why you're lashing out. And oh for the love of God please don't listen to me about passwords! I'm not a security professional. I'm just saying you should listen to the people who are, not just go with your gut feeling about what a safe way of securing your online life is.

Tier1BuildABear ,

Lashing out =/= defending myself and refusing to put up with your bullshit. I said why I don't use password managers and you enter the conversation being a sarcastic asshole. I don't have to put up with that, call it lashing out or whatever the fuck you want but if you can't handle the heat then stay out of the kitchen. Now fuck off already.

ilinamorato ,

You arrogantly said why you don't use password managers and I pointed out how your premise is incorrect and there's data to prove it; like this report from two years ago that cracking an encrypted password vault is orders of magnitude harder than cracking a password you can actually remember, or a report from a year and a half ago that not using one makes you three times more likely to experience identity theft. I pointed this out sarcastically, because you gave your opinion arrogantly. Since then, and since you've reacted with such anger and vitriol, I've turned the sarcasm down. I'm sorry that I hurt you with that joking response at the start.

But I'm not going to stop fact checking you in this thread because I don't want someone else seeing this and thinking that our positions are equally based on fact. They're not. You have a feeling; I have facts.

If you want me to stop, then stop posting misinformation.

Blaster_M ,

That works great when you're young, kid, but when you get older, you're going to be forgetting and resetting a lot of those passwords.

Tier1BuildABear ,

I don't think anyone on lemmy is under 30 lol

ikidd ,
Tier1BuildABear ,

Yeah, those. Thanks for the example.

ikidd ,

So is your problem with using a password manager at all, or just the companies/sources of them?

Tier1BuildABear ,

Any company trying to get my data, really, and my passwords are the most sensitive of my data. Even if I coded one myself, and kept it completely local, my passwords are all in one place if that device gets compromised.

I can remember my passwords, so why take the gamble?

JDubbleu , (edited )

Because by not using a password manager I guarantee you are duplicating passwords between services. This means the second a service you use is compromised, every single service you use with that same email/password combination is compromised. Even if every one of your passwords had a slight deviation, malicious actors know people do this and will likely be able to write a program that attempts those deviations on other services. You're effectively leaving your security up to the weakest link in services you sign up for, and security is more often implemented poorly than implemented well.

By using a password manager you generate a 20+ character long password that is unique to each service you use. These passwords being random and unique to each service protects you from rainbow tables and other hash table based attacks. In the event Bitwarden or another password manager you use is breached anything they get will be worthless as long as your master password is not compromised (which should only ever exist in your head) due to the data being encrypted at rest.

It is a similar concept to using a secure, trusted middleman for processing payments instead of giving your credit card to every single site that asks for it.
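
The reuse risk described in the comment above, as an added example that is not part of the original post: a local audit that groups stored passwords by exact reuse and by a shared stem once typical "slight deviations" are stripped. The normalization rules, function names and sample vault are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed, deliberately small table of common character substitutions.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def base_form(password):
    """Reduce a password to the stem left after undoing common tweaks."""
    # Lowercase, then drop leading/trailing digits and symbols ("2024!", "#7").
    stem = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())
    # Undo substitutions inside the word; keep the original if nothing is left.
    return stem.translate(LEET) or password.lower()

def audit(vault):
    """Return groups of services with identical or near-identical passwords."""
    exact, stems = defaultdict(list), defaultdict(list)
    for service, pw in vault.items():
        exact[pw].append(service)
        stems[base_form(pw)].append(service)
    reused = [sorted(s) for s in exact.values() if len(s) > 1]
    # A variant group shares a stem but holds at least two distinct passwords.
    variants = [sorted(s) for s in stems.values()
                if len({vault[name] for name in s}) > 1]
    return {"reused": sorted(reused), "variants": sorted(variants)}

def exposed_by(vault, breached):
    """Services whose password shares a stem with the breached service's."""
    stem = base_form(vault[breached])
    return sorted(s for s, pw in vault.items()
                  if s != breached and base_form(pw) == stem)

# Constructed sample data: four hand-made passwords and one random one.
SAMPLE_VAULT = {
    "forum": "Sunflower1",
    "shop": "Sunflower1",
    "bank": "Sunfl0wer2024!",
    "mail": "sunflower#7",
    "vpn": "q7V!mZ2r^Lw9@tK4xP0c",
}

if __name__ == "__main__":
    print(audit(SAMPLE_VAULT))
    print("forum breach exposes:", exposed_by(SAMPLE_VAULT, "forum"))
    print("vpn breach exposes:", exposed_by(SAMPLE_VAULT, "vpn"))
```

Run it only against an export kept on a machine you trust; the randomly generated entry is the only one in the sample that a breach elsewhere does not touch.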

Tier1BuildABear ,

Just curious, how do you know they're secure? Like how do you know it's only local and not being uploaded somewhere? I'm not about to tear through the code of open source password manager apps to make sure it's "safe" when I can keep track of them myself, but yes, I do see your point about that not being as safe as them being completely randomly generated for each account

JDubbleu , (edited )

The great thing about open source is that anyone can read the code. Even if you don't read every line yourself there are others who will. In popular projects it's pretty much a guarantee any suspicious or malicious changes get caught almost immediately due to the visibility of everything.

As for local-only I trust Bitwarden and their encryption schemes enough that I use their cloud sync, but you can always self host it in a Docker container with no Internet access if you're concerned about it.

ikidd ,

Well, you do you, but I'm happier with complex unique passwords locked behind a 2FA open source self hosted encrypted vault than I am remembering a few passwords shared amongst services. I have 400+ entries in it, and if I get hit by a bus, my wife has access to it with her yubikey.

Tier1BuildABear ,

You do you as well, one of the amazing things about all the technology we have available to us lol.

fosstulate , (edited )

People should consider using a double-blind scheme with cloud-connected managers.

The service you're setting a password for gets the actual credential, being two components <randomcomplexity><specialrule>, whereas the manager gets only <randomcomplexity>

Consider the example of U})wJAL0}RhIr')Rgs{,&^>I3/ versus U})wJAL0}RhIr')Rgs{,&^>I3/based

It protects against password database compromise at least. Keyloggers, MITM, etc. are another matter.

taanegl ,

This is a careful reminder to be VERY SCEPTICAL about not only "anti-viruses" (like bro, Windows defender is good enough), but also browsers. There is a high probability that the company is either a data broker or fintech... looking at you, Opera.

lemmyingly ,

I tried Windows Defender a couple of years ago for an entire year. I thought it was dog water. The anti-ransomware feature was the only nice thing about it. I now use BitDefender.

kringkastingssjef , (edited )

What are you clicking on all day?

lemmyingly ,

At least once every 6 months I come across a top Google result trying to download malicious scripts. The web searches are innocent, e.g. "Iso standard metric thread" or "bee keeper hive monitor", which are both search terms in the past where a top result had malicious scripts.

JTskulk ,

Sounds like you need the noscript browser extension instead.

lemmyingly ,

Sounds like a horrible internet experience. No thanks.

JTskulk ,

Nah it's pretty good. Just a little rough at first as you whitelist the websites you go to. After that they all load quicker since you're blocking a bunch of tracking and advertising sites.

kworpy ,

If you use antivirus software you're a dumbass. Just don't download viruses?

taanegl ,

Yes, that's why regular people should stick to Windows defender instead of downloading and installing a third party one, because it does the job just as well.

Also, it's Windows.

TrickDacy ,

$16.5 million is not even a slap on the wrist

Contend6248 ,

A great business model actually

HootinNHollerin , (edited )

Is there a class action lawsuit?

LoremIpsumGenerator ,

Cybersec company ❌

Advertisement/Data mining ✔️

n0m4n ,

I wonder what other uses there are to sell data that is not for advertising? My second thought goes to what is in place to stop a middleman from saying that they would not sell information for advertising purposes, but selling the data for "quality control of data acquisition" purposes.
If you are getting a service for free, you are the product.

drawerair ,

Political campaigns? A political candidate may want to know his opponent's supporters and may think he can do a more targeted wooing. One may say it's advertising too.

Also, he can send bots to the political discussions that folks participate in. The bots can start nasty political arguments.

A greedy religious figure may want to encourage more to join his religion. More members, more cash.

slowroll ,

This, I prefer the service based on Free and Open Source Software.

dangblingus ,

If the software is free, but not open source, it's harvesting your data. How else do you think these companies stay in business?

the_post_of_tom_joad ,

If you pay tho they're also harvesting your data. And if you don't use your service they make a ghost profile and harvest that data.

prole ,

The only way to fully prevent it is to remove the profit-motive altogether.

the_post_of_tom_joad ,

Sounds fun!

GreatDong3000 ,

Yeah I love it when people say "if you don't pay you are the product" as if paying for youtube premium, google one, reddit premium or spotify will stop them from harvesting your data haha that's how naive we were back when we thought data was collected only for ads.

the_post_of_tom_joad ,

> how naive we were back when we thought data was collected only for ads.

Yeah their cozy relationship is terrifying considering Edward Snowden's revelations. It's such a simple workaround the constitutional right to privacy. Simply buy data from a willing company. And we wonder why they don't make laws against private companies' data mining...
🤔

Fredselfish ,

Free my ass! Avast charges money for that service. Hell they make you subscribe to use any service outside basic virus scan. So customers paid to have their data stolen and sold.

CustodialTeapot ,

I dislike this sentiment. Just because something is FOSS or open source, doesn't mean it's not harvesting your data or doing something nefarious.

Contend6248 ,

A good example would be Yuzu (the Switch emulator), it was open source and collected so much telemetry that Nintendo might go after their users.

This might be a fear tactic but it shows you that you aren't safe

Chocrates ,

I don't know about Yuzu's data collection but they were destroyed because they existed.

Dudewitbow ,

Kinda wrong sentiment to get from the statement. The statement is only saying

if free and NOT open source > data harvest

it doesn't necessarily imply that

if free and open source > doesn't data harvest

at all. It's just that you have the ability to find out via code if they do or not. That's more or less in the boat of logical paradoxes you can make.

lemmyingly ,

So companies like Proton and BitWarden are harvesting your data with their free tiers?

russjr08 ,

I haven't looked into Proton, but BitWarden is open source both server side and client side.

N2Narkosis ,

Proton is open source as well. Free tiers are supplemented by subscribers. https://proton.me/support/proton-plans#proton-free
