Questions about Internet Security

New version of Internet Security and no way to opt out from invasive Security Cloud information gathering. You have a vague privacy policy, oh I mean a policy on how to legally breach the privacy of your 'customers'. In old times, software which would snoop on you and send so much information back home was called spyware; now it's called virus protection. Also, I would like to mention that your website's privacy policy still claims that I have the option to opt out...

Now as questions (software = Internet Security, you=F-Secure)

If I uninstall Browsing Protection, will your software stop snooping my web surfing habits and sending them to you?

If I disable DeepGuard, will your software stop sending information about programs I use back to you and all items your Security Cloud 'privacy' statement says?

There seems to be some kind of advanced network protection in addition to Windows Firewall (guess you were too cheap to have an actual firewall of your own). What information does it send back to you, if any, and what does it actually do?

Does your software collect machine hardware data (MACs, serial numbers etc.), software install data, various GUIDs etc. and send them back to you? Note that there is no reason to send such data to you except in hopes of monetizing it.

Now I seem not to trust you much, that's true, but I still trust that the few options you have left in your software still work.

Comments

  • NikK Posts: 935 Rock Star

    Right click the F-Secure systray icon and select "Open common settings". In the left pane click Privacy. There you can opt out from the Security Cloud. For more information you can click the Help button or go to Security Cloud

     

    As it says on that screen, you contribute anonymous data to further improve the service. To answer your other questions I suggest you read these documents:

     

    http://www.f-secure.com/static/doc/labs_global/Public%20Information/IS2014%20Data%20transfer%20declaration.pdf

     

    http://www.av-comparatives.org/wp-content/uploads/2014/04/avc_datasending_2014_en.pdf

  • Ville Posts: 515 F-Secure Employee

    Hi @Mirami 

     

    We have published what data is sent for Internet Security 2014. I'm personally not aware of any changes in 2015 version, so this should still be accurate.

     

    IS2014 Data transfer declaration.pdf

     

    Ville

    (F-Secure R&D)

     

  • NikK Posts: 935 Rock Star

    Same document as I linked to

    @Ville I know there's been an option to opt out of submitting files, as also mentioned in the AV comparatives report I linked to, but I can't find it anymore. Has that changed in the 2015 version?

     

    From the help file I found this:

    "You can submit individual suspicious applications manually when the product prompts you to do so, or you can turn on the automatic upload of suspicious applications in the product settings."

     

    Where is this setting? I can't find it anywhere.

    Or has it changed so the only available option is to participate in the Security Cloud or not, and there's no longer a separate option to opt-out of submitting files? (not good if that's the case)

  • Ukko Posts: 3,198 Superuser

    Hello,

     

    Sorry for my reply about this.


    But current feature just goes to be "dropped". And how I can to understand on current time work next:

     

    -> if you want to be a part of Security Cloud - you may be prompted about transfer sample (if it was FIRST time experienced... or if it's needed by Security Cloud response);

     

    -> as default here without "current feature as turned on";

     

    With other meanings.. without any transferring about samples. But.... probably here still can be automatic upload some kind of hash/metadata of suspicious files... and does not matter.. if you not really part of Security Cloud (as allow/check feature). And current one have description with declaration about previous version of F-Secure IS.

     

    And the Help here just have a lot of outdated places (not just current one), which not sure... why not changed. Maybe just planned to be global "changes" for outdated places during one "update" under "known date of that" (like certain timeline for 2015 solutions). Or simply.. it was forgotten...... but not likely (just because here a not one places... which already should be with another view... under F-Secure IS 2015).

  • I'm glad that someone else is bringing up this topic.

     

    My main question is in regard to DeepGuard.

    Reading through the technical documentation, I'm still curious as to what type of file information is uploaded?

    1) Is DeepGuard able to upload an entire file to the cloud or just the "meta-data"?

    2) What does meta-data mean? (hash, size of file, date created, etc?)

    3) Does DeepGuard upload all files (images, doc files, etc), or only executables?

    4) Is there any way to link a user to a file uploaded (or data uploaded) to the cloud?

     

    You say that you have an opt-out for "Cloud Submission" - and that's great. But DeepGuard (by design) connects to the cloud, so this feature is separate from "cloud submission".

    I'm fine with my AV scanning executable files but I am not comfortable with it sending data on other file types (documents, emails, images, etc).

    Edit: After reading through this PDF it appears that F-Secure does not send "files/documents" to the cloud. But, I'm still iffy on this because there appears to be a language barrier in these forums.

  • NikK Posts: 935 Rock Star

    I believe this will answer your 4 questions:

     

    When a new object, such as a file or URL, is encountered on one client, the product communicates with the Security Cloud using the strongly encrypted Object Reputation Service Protocol (ORSP) to query for the object’s reputation details. Anonymous metadata about the object, such as file size and anonymized path, are sent to the Security Cloud. These queries are completely anonymous and the IP address is not stored, maintaining the client’s privacy.

    From deepguard_whitepaper.pdf

     

    Hashes of executable files: Used by the file reputation service to determine if the file is safe or not.

    Metadata: file header information like file version, file origin (including download URL), file signature information and other similar.

    If an unknown suspicious executable file is found: Only if the user selects to submit the file. This option is offered by the suspicious file warning dialog. Every transfer is separately approved by the user. This data is anonymous and can’t be linked to the customer.

    From Data transfer declaration.pdf

     

    On a personal reference I once had an issue where I suspected malware to have added a bad site as allowed in the admin settings, so I asked for help to view my local F-Secure log files to see if I had ever visited that site. Answer from F-Secure was that my visited sites aren't even logged in my own PC because of the privacy policy :)

  • Ville Posts: 515 F-Secure Employee

    @NikK Oops, how did I miss that you already linked to it.

     

    Regarding the option to automatically submit samples, that was removed in IS2015 and the product will not automatically submit samples. If a sample is required, the user is always explicitly asked.

     

    @DaneCo DeepGuard never automatically uploads the whole file, only metadata, like file size, SHA1 and SHA256 hash, download URL (if tracked). If you have opted out from Security Cloud, then only SHA1 hash is uploaded to get reputation for the file. DeepGuard only monitors executables (.exe, .dll, .sys). Any uploaded data is not linked to your license or other personal information.

     

    Ville

    (F-Secure R&D)

     

  • NikK Posts: 935 Rock Star

    Thanks @Ville Great answers :)

     

    I feel I should already know this but I don't. I think the problem here is the lack of release notes to cover all important changes. It's not the first time I mention this but I haven't seen an improvement. All F-Secure software should have release notes or changelogs available IMO. Especially regarding security and privacy related changes.

     

    I've also noted that the Facebook feature to check and improve privacy settings is removed in 2015. It was part of the launchpad but the launchpad is now removed, and I can't find it anywhere else.

     

    Also, the text in the help section seems to be a mix of old and new product versions, so you can't rely on that information.

     

    Could you please forward this to someone who's responsible for these kinds of things. And preferably also give us some feedback on it here. Thanks.

     

    PS. When I posted info in August that 2015 was released I listed the "what's new" info that the upgrade window showed me. That mainly covered cosmetic non-important changes. I would like to see any removed features and modified parts related to privacy in that list as well.

    I feel I misled people with that information, but it's not my fault. And I know my post has been copied to other security related sites because I was the first to report about 2015

    http://community.f-secure.com/t5/Security/Internet-Security-2015-released/m-p/56825

This discussion has been closed.