Paying a price to use free software: the dark side of Comodo products

Comodo is a popular name in the software business. Comodo provides multiple free, and excellent, products for home users including, but not limited to, the award winning Comodo Firewall (now bundled with Comodo Internet Security). Comodo has also recently become a big name in multiple front-page controversies including the issuance of its SSL security certificates to known malware distributors/scam websites and a row with Softpedia over the inclusion of a third party toolbar in their software. For those that don’t know I will do a quick recap for you:

  • Comodo has been caught selling its popular SSL certificate to malware distributors/scam websites. Now in Comodo’s defense, whenever a malware distributor/scam website which has Comodo’s certificate is brought to their attention, they remove it; furthermore the purpose of the SSL certificate, technically, is not to verify the contents of the website but rather to verify how secure it is to buy from (the irony). However the question of why Comodo is repeatedly selling the certificates to known malware distributors/scam websites (there have been cases where a website with the same exact layout, interface, and “product” except different name has been issued a certificate even though their earlier one was revoked) is still a significant one and still an ongoing issue.
  • Softpedia, once upon a time, labeled Comodo Internet Security as “malware” because CIS included SafeSurf, an optional third party toolbar considered to be malware by Softpedia. Of course Comodo did not like that, so they tried to get Softpedia to remove the label. Softpedia, standing by their high standards, refused. So in the end the result was (is) Comodo Internet Security was (is) removed from Softpedia’s download database.

Whatever side you are on for the above two issues, this post is not to discuss them; that is for another time. I am creating this post to address another (potentially more important) issue with Comodo products.

Today as I was checking my e-mail, I got an e-mail from a dotTechie informing me of the fact Comodo Backup, a free backup solution provided by Comodo, was recently updated to v2 with major changes and I should check it out (yes – I do read the e-mails I am sent even if I forget to reply… surprise, surprise). So, naturally, I was intrigued and went to download Comodo Backup. While installing Comodo Backup I glanced over its EULA (End User License Agreement) and was shocked by what I saw:

[Screenshot: excerpt from the Comodo Backup EULA]

I am not a legal mind, but to me this says if you install Comodo Backup, Comodo will collect data from your computer such as how you use Comodo Backup. Not only will Comodo collect data, but the data can potentially be personally identifiable: Comodo won’t disclose the data to a third party in a manner which will personally identify you but that means if they are taking a deliberate and conscious action to make sure the data is not personally identifiable when being passed on to a third party, the data is personally identifiable when Comodo themselves have it. Am I understanding it properly or am I being paranoid?

Now it is not just Comodo wanting to collect data from you while you use their software. Many software developers ask you if you want to send anonymous usage statistics to the developer while using their program; however you can always opt out if you do not want to. I looked up, down, left, right, in, and out – nowhere in Comodo Backup did I see an option to opt out of sending data to Comodo. At best I found an option under settings named “Enable log” which a user can check or uncheck; however there is no clear indication if this “log” refers to the data collection done by Comodo or a different program function. Shame on you Comodo; not only are you collecting questionable data but the user has no clear way to opt out if they find this action less than desirable (bar blocking the program with Firewall of course and/or not installing the program in the first place).

After I got done with Comodo Backup, I was curious to see if other Comodo software do the same thing as Comodo Backup.  I found indeed there are other perpetrators which do the exact same thing…

Comodo System Cleaner

[Screenshot: excerpt from the Comodo System Cleaner EULA]

Comodo SecureEmail

[Screenshot: excerpt from the Comodo SecureEmail EULA]

…and other Comodo software which do something similar except explicitly state the information collected will be non-personally identifiable:

Comodo EasyVPN

[Screenshot: excerpt from the Comodo EasyVPN EULA]

Comodo Internet Security

[Screenshot: excerpt from the Comodo Internet Security EULA]

CIS is the bundle which contains Comodo Firewall, AntiVirus, and AntiMalware solutions.

Since EULAs are long, and Comodo did not exactly help by not properly formatting some of the EULAs for some of their software, I may have missed a software or two which act in the same way as Comodo Backup; so if you find another Comodo product which collects data (personally identifiable or not) without an ethical and clear declaration and a user opt-out, please post below and I will be sure to update this post.

Furthermore, I visited the privacy policy link you see provided in CIS’s EULA. The description on how user personal data is used is vague at best:

[Screenshot: excerpt from Comodo’s privacy policy]

So who exactly are Comodo’s affiliates and what are their privacy policies? Farther down the page Comodo does state more explicitly its partners and affiliates have “similar” privacy policies…

[Screenshot: excerpt from Comodo’s privacy policy]

…but I am not really impressed in the first place by Comodo so I don’t know what to think.

To make matters even more confusing, it turns out there is another privacy policy currently linked to Comodo’s website (this one was last updated in July as opposed to April for the other one). This one is a little bit more definitive about exactly what Comodo does:

[Two screenshots: excerpts from Comodo’s other privacy policy]

Of course Comodo states the affiliates and/or partners have “similar privacy standards” but I am not particularly impressed by Comodo’s “standards” when it collects data related to its programs without obvious user consent and/or clear opt-out option.

So what do you guys think? Am I being a daft, paranoid idiot or is Comodo pulling a fast one over all of us? Please, dotTechies, lawyers, Comodo reps, and everyone else: post your thoughts below. As it stands, I don’t know about everyone else, but Comodo has lost at least one potential customer: me.

***Update***

Let me make this clear: If potential data collection is not a concern for you, by all means use Comodo products (I have stated time and time again, at face value, Comodo programs are great). However I, and many others, deplore this practice of data collection without clear notification and/or opt-out option and will probably never use Comodo products again.


85 comments

  1. click This

    You’re so awesome! I don’t believe I’ve truly read through a single thing like that before. So nice to find someone with original thoughts on this issue. Seriously.. many thanks for starting this up. This website is one thing that is required on the internet, someone with a bit of originality!

  2. fdsjkfsd

    “but rather to verify how secure it is to buy from (the irony)”

    Wrong
    Wrong
    Wrong

    The purpose of a SSL Cert is to verify that the host you are connecting to is in fact that host you think it is. No more, no less.

    It has nothing to do with purchases at all.

  3. Giovanni

    Well even GOOGLE collects a great deal of data from us without anyone knowing…

    Have a look at here:

    http://www.criminaljusticeusa.com/blog/2009/25-surprising-things-that-google-knows-about-you/

    So what should we do? Never again use GOOGLE while surfing the web?? LOL!

    That being said, I believe COMODO products are not bad at all…

    Their freeware FIREWALL is probably the BEST one available in the market right now and, in my view, can even outclass lots of professional Firewalls out there, such as ZONE ALARM for instance.

    And their last FREE Security Suite is very effective as well…

    http://www.softpedia.com/get/Security/Security-Related/COMODO-Internet-Security.shtml

    By the way…if I were in your shoes, Ashraf, I would add the above “COMODO Internet Security Premium” program among the BEST FREE Protection apps you listed in that great article you wrote here a few months ago.

  4. 123

    @MikeR: hmm, comodo FW installer uninstalls existing version before installing new version. perhaps the uninstall is good, perhaps you can kill the installer before it begins installing new version?

    there are also install monitors…

  5. 123

    @Michael W: “If you go to sooo many sites you’ll find trackers in those sites such as Google analytics, google blablabla, Quantcast, and such and such. They are named trackers because they collect information from visitors”
    noscript, tor, httpseverywhere, proxomitron, opendns, HOSTS, … in some kind of rotation?
    i don’t know really, but I’m gradually adding methods.

  6. 123

    I agree that the public misperception of ‘security certificates’ is a big problem. Certs should be renamed to ‘encryption certificates’. And maybe dialogs in net apps should prominently link to explanatory info. Most new users are naturally apprehensive about PC use, and should feel motivated to click the link to info (in a help file, usually)

  7. 123

    Sloppiness may explain the different wording of the sensitive portions of eula’s. Notice: some comodo ware that’s potentially dependent upon comodo site, appear to have less offensive eula, while some ware that shouldn’t have site interaction have eula phrasing that would require spying to fulfill.

    I use only the FW. Versions 2.6,3,4,5
    Have any critics sniffed all ports for packets to comodo IP? (or ‘unattributable’ IPs, therefore perhaps proxy IPs?)
    I have not, so it’s possible Comodo’s FW is designed to not indicate and disobey any user rules that happen to ban comodo IPs.
    IIRC, I use a “ask” “any other” rule as final rule for all apps. I’ve rather tediously discovered that microsoft has numerous update IPs :-D
    Also, svchost is a PITB

  8. 123

    @Jontek9000: [diy batch backup]
    uh. cobian backup has many options. interval full, incremental, differential. encrypt, password the ui or service. compression choices. run as service. cl options (i run task files in batch). before & after commands per task, filename rules, ftp, email reports, number of archive versions to save (iow, delete older archives). vss option.
    over 5 years of dev by a guy (luis cobian) who knows how to code.
    any 1 hour batch of mine couldn’t come close. :)

  9. Jontek9000

    Don’t use backup solutions…

    Why even consider it – if you want great backup solution, you can write it yourself,
    1 hour spent on script tutorial batch/sh – and with few pages of code you have:
    free, personalized, fast, system-light, etc etc. backuping solution…

  10. 123

    I use only the fw. I start with basic setup, then watch the popup requests, then I write rules based on websearch info. of course, I’ve saved the config.
    Tips for csi users
    1. Try drag and drop while holding ctrl key. that’s an easy way to create a rule similar to existing rule.
    2. Copy the destination url from log item dialog (double click line item in log, gives eventvwr type of dialog). then paste into rule.
    3. Cannot have log and rules open same time, but instead, open log window, click “more”, then close log window. now can open rules window. only drawback, is that the “more” log window does not refresh.

  11. Louis

    I’ve not quite trusted the motives of a large certificate company like Comodo giving away a free firewall. Furthermore listening to the CEO (can’t remember his name or too lazy to go look it up now), he’s banging on about ‘trust’ and of course is affiliated with the ‘trusted computing’ or as I’d prefer to think of it as ‘treacherous computing’ (google it if you’re not familiar on what’s about to hit us).

    These are the guys that are trying to convince you that there’s a terrorist round every corner, and a paedophile under the bed thus getting everyone to agree to the idea of Internet 2 which will completely stamp out free speech and websites like this for that matter, turning the whole thing into a glorified sheeping mall. (yes I did mean ‘sheeping’). I2 will also be the perfect surveillance network when your only form of expression will be via Gmail, facebook or myspace and a few helpful laws brought in on the next ‘terrorist’ event.

    Frankly paranoid or not I wouldn’t touch software from someone like that. It’s a bit like accepting a piece of free software from Bill Gates and thinking ‘ what a nice man he is, he must really care’.

    I think I know which terrorists I’d rather keep away from me.

  12. Ken

    I installed Comodo Time Machine in late January.  I uninstalled it yesterday because the backups were filling up my disk.
    On reboot ALL my data from after January 27 was GONE.
    DO NOT USE THIS PRODUCT.

  13. Mat

    I cannot believe what a bad company they are. They release a program without the opt-out for the so-called anonymous usage statistics. At first it didn’t bother me. After that, the program began to “think” it was Administrator. It Destroyed my new copy of Windows 7. I had to reinstall it! I am just really ticked off about this.

  14. vhick

    Sorry, I know that the article is old. But I want to comment. Because I’m new here (although I read the article of sir Ashraf especially GAOTD review). I’m enjoying reading article here so I subscribe.

    About the EULA of Comodo. I’ve been shocked too. Because I use my home PC in some office documents so privacy is a big concern to me. I used one of their product; Comodo Time Machine. Comodo Products is great at unbeatable price (free). But I have no choice because other product with the same function as Comodo Time Machine is a shareware. I can’t afford to buy one because I only have $238 (converted from Philippine Peso) per month salary. So how I can afford to buy a good software. Maybe this is one of the factor why other third world country is using pirated software because they can afford great software for their needs. Even Microsoft OS and Office came from a gift, other giveaways, and freeware.

    Right now I was thinking about it if I stay in Comodo or not.

    Thanks Ashraf for a great article.

  15. Disgruntledkiwi

    Seriously people, consider for a moment what we are debating and where we are debating it. This is the Internet. The Internet is full of humans and humans are essentially flawed.

    Some of the people here are genuinely aggrieved.
    Some of us are whining because we do not understand our software.
    Some of us are whining because we do not understand the environment in which we choose to whine.
    Some of us are whining because the seats at the top of the bandwagon are the most comfortable available today.

    All web sites gather information and in most cases, store that information for some length of time on servers. From your PC, to your ISP, to the regular forums and software vendors, daily news casts, blog spots, social networks, MMORPG’s, google desktop “value added” utilities, torrent clients (despite assurances to the contrary) all of them, collating information for various individuals, companies, advertising agencies, corporations and lo – even the mighty black hat that is Microsoft itself. If your Operating System was designed by men who are now in court arguing anti-trust allegations, why would you expect your firewall technology to be any more authentic? It is my opinion that EULA’s exist to warrant backdoor tragedies.

    So shuddup and take it like a consumer!

  16. BJ

    Try to make you look bad? Please, I think you have done that quite well all by yourself without any help from me. I will bet that you currently have no idea why EULA’s have those personal information sections. Large hint: Show me any software that has updates, or something else that connects user systems to remote servers, with an EULA that does not contain that personal information section and I will show you a company that you can gleefully sue in the US. It is that simple/awful.

    As for adware & malware being equal in some manner or confusing them, well.. good luck with that.

    This fool is gone. :)

  17. Ashraf
    Author/Mr. Boss

    @BJ: You may be right; it might have been adware and not malware – I don’t remember for sure. Regardless, though, both are bad in my eyes.

    And you are dead wrong: Softpedia never “quietly changed it”. Comodo issued a “cease and desist” to Softpedia so Softpedia just removed Comodo Internet Security from their downloads. Try looking for CIS at Softpedia and you won’t find it now even though CIS does not have the Ask Toolbar anymore.

    Lastly, I agree with you: other companies may do the same thing; however most do not. Please post a EULA to prove me otherwise.

    @BJ: Please, instead of trying to make me look bad, you are just making yourself look like a fool. Anyone that actually read the post by Softpedia knows the part I quoted was an “update” by Softpedia; a means of their last words before they stop posting about it. It was their last comment on why they are right and Comodo is wrong.

    The article has been unpublished on Softpedia since so I will just quote the original article part quoted by Gizmo at the very link you posted:

    “… if you had searched Softpedia for Comodo in the past week, you would have surely noticed that the company’s [i.e. Comodo’s] flagship programs were no longer listed on Softpedia. This was not our decision, of course, but let’s start with the beginning.

    On April, 15th, Softpedia received an official cease and desist letter from the Comodo legal team requesting us to “discontinue all references on Softpedia identifying CIS as adware” within seven days, because Comodo Internet Security is not adware.

    The first thing we did was, of course, to double-check the license, but, as we’ve tried explaining to the Comodo team, CIS is indeed adware. Why? Well, for starters, because the installer attempts to change both the browser’s homepage and search engine. As if that wasn’t a good enough reason, the setup also offers to install SafeSurf. Here’s what the official Comodo letter states: “SafeSurf is optional and does not display unsolicited advertisements on a user’s computer, nor does it hijack browser settings or perform search overriding or home page changing without the user’s consent.”

    Aside from the fact that SafeSurf is a component that the program (CIS) does not require to fully function, therefore it alone would be a good reason to mark CIS as adware, this utility also installs Ask Toolbar without asking for the user’s permission. This type of behavior is clearly not the one described in the Comodo email and could be easily classified as spyware (since adware would imply prior user consent).”

  18. BJ

    Just ran into this..

    #12 Submitted by Ashraf on Thu, 04/30/2009 – 03:44.

    I am not sure if I would call CIS adware but I found this to be hilarious (it is an “Update” to the Softpedia article):

    As a final note regarding the Ask toolbar, feel free to install Comodo with all three checkboxes unselected and then download the Ask toolbar separately. When the download process is over, Comodo will detect the Ask toolbar as Unclassified Malware@8305287 and require confirmation for copying it to your download folder. Any other comments on this matter would be redundant.

    Not sure how true it is (don’t have CIS nor do I plan on downloading it) but it makes me lol.

    So, there you go then, it seems that Softpedia didn’t exactly label Comodo as malware then (that would be Comodo themselves apparently). Irresponsible, forgetful or something else? Pick your poison, that’s the dark side for you.

    “A lie gets halfway around the world before the truth has a chance to get its pants on.” – Winston Churchill.

  19. BJ

    Softpedia never labeled Comodo Internet Security as “malware”, they labeled it as “adware” and then had to quietly change it because they were wrong. Anyway, huge difference between “malware” and “adware” in my book.

    EULA: Perhaps the author should have done a little research first or even read a few more EULA’s that would have been good. ROFL. Priceless.

    FUD is the only dark side I see here.

  20. Matt

    @J. L.:

    Actually there’s an even easier way to maintain Comodo’s Firewall Defense and not Disable the Defense Plus. After it’s installed just right click on the firewall symbol. Set both Firewall Security Level and Defense+ Security Level to Training Mode. You won’t have to worry about pop-ups again.

    Also as paranoid as people are getting. Remember Comodo is one of the biggest sites to offer security for enterprises, only Verisign is bigger. You honestly think Verisign would give you a Firewall like Comodo’s for free?

    I don’t read EULA’s it’s more about trust in a company. Them selling SSL to malware companies doesn’t mean they’re selling data to malware companies. I do think it’s wrong they don’t make it clear or give u the option to opt out of giving away data, but again it doesn’t mean they are giving it to anyone other than keeping it themselves to make their product better.

    I see so many people make less of a deal about Digsby’s malware installer and collecting data while u sleep than from Comodo. I’m sorry I’d trust Comodo with my data than I would Digsby whom has shown users don’t matter at all to them and only change when forced to.

    Hell you see less of a deal made about Spyware Terminator which used to be known as a rogue site. People just started blindly trusting them with their software and we’re talking a site that used to be ROGUE. One day they could go back to their Rogue ways, no one knows it and they have malware install on your PC and give your info to Malware sites. Again I’d trust Comodo over Spyware Terminator.

    If you’re using Windows 7 x64 then your options are quite limited when it comes to free firewalls. Outpost Free x64 isn’t completely compatible yet, Online Armor Free isn’t compatible yet. PC Tools Firewall works but has caused internet connection problems with Windows 7 x64. ZoneAlarm Free offers almost no protection. So from a Firewall standpoint the only secure Firewall for Windows 7 x64 users with the least problems is Comodo Firewall right now.

  21. MikeR

    Sincere thanks to Ashraf for his work here.

    Though some posters may feel this is a fuss about nothing — and they’re entitled to their views — there would seem to be cause for concern over a company whose corporate motto is Creating Trust Online, because once you drape yourself in that particular flag, you’d sure as heck better live up to it.

    Flogging off user info to affiliates over whose privacy policies you have absolutely no control (as Comodo readily acknowledges in Ashraf’s screen shots, but fails entirely to mention in its contribution to this comment section) is so precise and exact the opposite of Creating Trust Online, as to render its meaning nonsensical, and its usage wilfully inappropriate.

    Bigun:

    I’m running Comodo 3.12 and haven’t yet attempted an uninstall.

    In view of your posts, I’d be especially interested to hear from others here who have successfully uninstalled the Comodo firewall, bearing in mind the discussion on this particular thread which seems to have been running for nigh on three years:

    http://forums.comodo.com/help_for_v2/how_to_uninstall_comodo_firewall-t1184.0.html

    and which having begun with v2 problems seems now to embrace later versions.

  22. Ashraf
    Author/Mr. Boss

    @Nickname and @Michael W: Josh took the words right out of my mouth. The discussion between information collection while on the web is a completely different issue than information collection done via program locally on your computer.

    Unfortunately the web, by definition, is flawed in the area of privacy. Any website you visit can collect data like IP, what you do on the website, etc. You should know that before you use the Internet. If you are very concerned about that, you may use services like Tor, so any data collected will not be personal (unless you voluntarily give up personal information) and you can still make full use of any website. Of course none of this gives all companies the green light to collect all kinds of data, but lack of privacy on the internet is something which is to be expected.

    Using a program locally is not like surfing a website. A user expects, and rightly deserves, privacy while using an offline program; in fact often times I prefer an offline program vs an online service which do the same thing because it is offline and more private. Now as I stated in my post many developers do like to collect program usage data. However the transparent and trustworthy developers clearly state they are collecting data (i.e. they give you an opt-out option) and often times they clearly state any data collected will not be personally identifiable. On both counts Comodo fails (although on some they do state they will only collect non-personally identifiable information).

    Furthermore, to compare Google to Comodo is a joke in and of itself. Have you read Google’s privacy policy? It is a hell of a lot more detailed than Comodo’s.

    Lastly, I again agree with Josh. If potential data collection is not a concern for you, by all means use Comodo products (I have stated time and time again, at face value, Comodo programs are great). However I, and many others, deplore this practice and will probably never use Comodo products again.

  23. Josh

    The fact that Google and other sites track your web activity, is irrelevant. It requires a separate debate with different issues involved. Just two examples of these issues:

    1. They record web searches/trends and your IP address. They cannot LEGALLY COMPEL you to allow potential mining of information stored on your computer by way of a blanket EULA.

    2. Sites that dig into private data on your machine or install unwanted code, do so illegally, unless you specifically grant them the right to do so.

    3. .. etc., etc.

    What is at issue here, is the fact that well known and trusted entities are, in essence, trying to sneak unpopular features onto your computer. Although they do refer to it in their EULAs, the issue is so contentious and emotional that most authors/distributors allow you to opt out, without affecting the use of the software or trying to downplay it. It is because of the heightened awareness about this matter that many state it clearly and make available an opt out feature.

    Users who have a yielding or carefree attitude about disturbing issues, are free to walk away from it, but it remains important to pursue it if you want to prevent it from becoming even worse, which is what will happen, for sure!

    The mere fact that this discussion is taking place, is proof of the degree to which this practice has already degenerated.

  24. Adrian

    @Bigun:

    It’s not malware. Most security programs dive themselves DEEP into your registry and machine, so that viruses and other spyware can’t remove them. Those registry entries cannot be deleted because they’re associated with an actively running process, so maybe the only way to remove is with AppRemover, a great tool that specializes in removing security applications.

    http://billmullins.wordpress.com/2009/09/23/appremover-2-1-remove-security-applications-easily/

    Adrian
    P.S. Comodo’s software is clean, but it maybe steals your information, so it’s up to you to choose whether to continue using them.

  25. Bigun

    @John Smith:

    John, are you sure that your uninstall got rid of everything related to Comodo?

    After running uninstalls on Comodo firewall program using several uninstallation programs, including “Revo uninstall”, I manually counted approximately 210 Comodo registry entries remaining. After backing up my registry, I used several registry cleaning programs to see if they would remove the Comodo entries. I was able to watch the details flying by while several of the registry cleanup programs were analyzing registry. During the analysis, I noticed that Comodo entries were frequently being flagged.

    When I allowed the registry cleanup programs to remove the errors that they said they found I recounted the number of Comodo entries still in the registry. Every cleanup program left approximately 200 Comodo registry entries even though I saw many entries being flagged.

    I have to think that malware was installed by the Comodo firewall installation program and that this malware kept registry entries from being deleted.

  26. Michael W

    I have been using COMODO Internet security(CIS) suite since when I had been using XP and now Vista x64.

    It’s great I feel secured though I’m aware it’s the internet no one firewall protects against ALL.

    Anyway I really like Comodo’s CIS and with regard to it potentially gathering data well people do you not use google everyday?
    Every time you type something into google that keyword is stored even perhaps with your personal identification such as IP and such and such.

    If you go to sooo many sites you’ll find trackers in those sites such as Google analytics, google blablabla, Quantcast, and such and such. They are named trackers because they collect information from visitors.

    I just think if you are really concerned about your privacy you should worry about google and such companies instead of COMODO. Google doesn’t give you anything in return while COMODO does. Right now I’ll stick with CIS.

  27. Bud

    Listen to all of the sissies uninstalling their Comodo software because of this non-issue (which is old news by the way. I recall there being a fuss about this a year or two ago.) At worst, their eulas are vague and inconsistent but in the end they’re about the same as any of the security vendors. FUD indeed.

  28. Trel

    I suggest you look at the EULA for other security product vendors. You may be surprised to see almost this exact section in many of the more popular ones, which include for example, Norton.

    This is FUD against Comodo, nothing more.

  29. Ashraf
    Author/Mr. Boss

    What disappoints me the most is the fact that Comodo really does make great products (albeit not everyone is happy, in general Comodo products = quality). The sneaky data collection just kills what otherwise is a good thing.

  30. Josh

    Comodo appears to couch their EULA (and their response to your article) in corporate “hype”. I get the impression that they are deliberately doing this to keep the backdoor (as well as two side doors) open, because they are uncertain about the ethics/morality of what they are doing.

    By referring to an “industry standard”, they are perpetuating a dubious “standard” that the majority of consumers do not want and which is detrimental to the industry as a whole. Also, this is not “the” standard, but, in fact, an “alternative” standard, as many software authors/distributors do not subscribe to it. And most of those who do, do not go about it in the manner that they seem to prefer.

    Anyway, I think it’s stupid to defend themselves by hiding behind the “bigger” sins of others. It’s like saying someone is innocent if he robs you with a knife, rather than with a gun.

    It’s also a bad idea to defend themselves by attacking a popular website like yours – It’s not going to win them any friends. Pity, because Comodo is generally considered a nice product. Maybe they should revamp their management/marketing approach. This would never have happened if they had been more upfront and clear about the subject.

  31. Booger

    There is an easy workaround for most apps like this. With a good properly functioning firewall, no app can tell anyone anything about you or your usage statistics without your permission. If you like Comodo Backup, but hate the spying, simply create a rule to forbid it from communicating with the outside world.

  32. Samuel

    Thanks, Ashraf. That was one LAME “response” from Comodo. Maybe they would think we wouldn’t actually follow their links and read them? To claim their policy is “tamer” than those others is just flat-out wrong. For me, it just makes them seem even MORE deceptive!

  33. Kev93

    @Comodo Security Solutions/Everyone: I do not use any products that collect info from you (whether or not it’s anonymous) UNLESS I opt in. I do send Microsoft usage info for 1 computer, I do send some open-source developers usage info… but I WILL NOT USE ANY SOFTWARE THAT USES MY INFO WITHOUT ASKING ME. PERIOD. How anonymous is anonymous? A certain 3RD party collected ‘non identifiable info’ on a relative of mine. How do I know that? It was on the internet with their name next to it. Because of the way the EULA was written, it was 100% LEGAL. :-C *angry face* Also, I saw a company giving out ‘anonymous’ info including usernames and email addresses. Not bad unless your username is KevinP and your email address is kparker@-ISP- . That, my IP address, and usage information could give people almost all my info INCLUDING my REAL ADDRESS.

    Maybe I should stop my rant and cool down.

    OH well.

    God bless,
    Kev93

  34. Bigun

    All this information about Comodo is very interesting but I am afraid it comes too late after the fact for me. For the past 3 weeks or so I have been trying to uninstall the Comodo firewall using Revo Uninstall, Glary Utilities, and the Windows XP built-in uninstaller program.

    I cannot find any uninstall program that shows Comodo to have files remaining on my computer. However the Windows security panel shows that the Comodo firewall is operational. Apparently some aspect of Comodo is active because it is blocking file transfers to GOTO server.

    I have not manually gone through the registry looking for a Comodo entry because I feel that Comodo has a sister program, using another name, that is keeping the Comodo firewall program active. The Comodo firewall continues to start each time that I boot Windows and yet I can find no entry for it in any of my startup editor programs. I have been having a like problem with some Google applications (sister applications opening and keeping alive Google files that I have killed using taskmaster). I have even had Yahoo do the same. I am moving away from ever using gift horse files made available for free or attached to an offer from a big portal company that is too good to be true.

  35. Roy Smith

    Hi Ashraf

    I was just about to download the new version of Frostwire v4.18.3 and I thought I’d use the EULAlyzer to check it over and interestingly enough this has come up:

    By clicking on the “Next” or “Install” button below, you agree that OpenCandy may collect and use certain information obtained in connection with this software installation in accordance with the policies and practices set forth in OpenCandy’s Privacy Policy, which can be read at http://www.opencandy.com/privacy-policy.

    I visited the URL/website and there I read this:

    We (OpenCandy, Inc.) know that you care about how your personal information is used and shared, and we take your privacy seriously. By visiting our website at http://www.OpenCandy.com (”OpenCandy.com”), or using any of our services or products, including the OpenCandy recommendation network, you acknowledge that you accept the practices and policies outlined in this Privacy Policy.

    They then go on to say that by visiting the site they’ve already installed a cookie for them to track my pc and also downloaded information from my browser and a good deal more.

    Now forgive me if I’m wrong here but I never gave them any permission to do any of this and yet they’ve already done it by me just checking them out and trying to clarify what their EULA is stating about their privacy policy. So in effect their privacy policy has already overridden my right to my privacy by me just visiting their website!

  36. Jeanjean

    I used exclusively Comodo Firewall without Defense + (and the “normal” user that I am was satisfied), but I admit that this clause of the EULA and its consequences escapes me.
    I fully approve of the need for an option allowing the user to choose whether or not to allow the disclosure of private data.
    I immediately searched for an alternative and opted for PC Tools Firewall (using ThreatFire already) on the basis of these results: http://www.matousec.com/projects/proactive-security-challenge/results.php
    In any case thank you for drawing our attention to this problem.

  37. twoeye

    Dear Ashraf,
    I am a steady reader, and want you to know how well appreciated you and your information are. Kudos.
    On your issuance of info on Comodo’s EULAs, I fully agree with the ethics (or, lack of) you have pointed out.
    However, I have been using most Comodo products, especially the Firewall, for a couple of years now on more than 1 computer. Once I learned how to control the program by telling it what I want it to do for me, and how, it is very responsive and stable on both XP Pro and Vista Ultimate, both 32bit.
    I have never noticed any rise in spam mail in any of my boxes from any source.
    In a nutshell, I take into complete consideration the EULA concern you have opened for us, however, considering the fact that I have been successfully using Comodo software for a couple of years, with no complications, problems, and having received no spam mails as a result of Comodo’s EULA… all I find is an excellent working software that I will continue to use until such time as it becomes defunct. Personally, I give it 2 thumbs up!

    Thank you again Ashraf for all the honesty you put out there for us everyday (and I love your sense of humor.)
    twoeye

  38. Ashraf
    Author/Mr. Boss

    @Comodo Security Solutions: First let me say apologies for not moderating your comment through earlier. It was marked as spam because of how many links you included and I just checked my spam box.

    Now on to the topic at hand.

    First of all, the defense of “they are doing it so we can also” is weak and unacceptable.

    Secondly, you say your privacy statement is more “tame” than the other statements you linked. I say yours is more vague. All the statements you linked are a lot more specific in my opinion. As a consumer, I appreciate companies being upfront about exactly what they are collecting and what they are doing with my information.

    Thirdly, your privacy statement is not the main issue discussed in this post. You totally dodged answering any questions related to what is the main issue of this post: the fact that you collect data (potentially personally identifiable data) from users who install some (if not all) of your programs. Please address this issue and expand on it.

    Fourthly, I am going to assume you are joking about http://dottech.org/yell-at-ashraf. Anyone using that form is opting in to e-mail me and thus including that information; it is pretty clear to them (or should be if it isn’t) which information they are sharing with me. That is nowhere like automatically collecting user data after they install your software.

    Fifthly, thanks for reminding me. I should write in huge big black letters “I DO NOT PURPOSEFULLY COLLECT ANY PERSONALLY IDENTIFIABLE INFORMATION. ANY PERSONALLY IDENTIFIABLE INFORMATION SENT TO ME IS ON YOUR OWN ACCORD, SUCH AS WHEN YOU E-MAIL ME. HOWEVER DO NOT WORRY. I DON’T CARE FOR YOUR INFORMATION AND I DO NOTHING WITH IT EXCEPT REPLY TO YOUR E-MAIL.” dotTech Privacy Statement coming soon to a theater near you!

    Lastly, thanks for finally giving a little bit more discrete information on exactly what data you are collecting. It is understandable if you are collecting e-mail address and IP information from customers who provide it willingly such as register on your website or for a service from you. However you need to be more open about if that is only what you are collecting or if you are collecting more because your EULAs and privacy statements are still vague at best. Considering the fact you have a legal team on hand at all times… I am sure you can come up with better EULAs and privacy statements.

  39. Roy Smith

    My personal thought is that ‘IF’ you read the EULA and install or ‘IF’ you don’t read the EULA but agree as if you had and then install then you have given consent for them to collect the information.

    BUT it is sneaky in the way that they do NOT give an opt out so I would wonder a lot and wouldn’t be happy with anything they collected being safe especially with them being linked so strongly with malware/spam sites etc over their certificates so I’ll give them a wide berth and anyone linked to them too!

    Thanks Ashraf you do come up with some valuable stuff to know and I’m certainly recommending your site to friends whenever I can

  40. Jon

    I’ve been using the Firewall portion for a year or two on a couple computers I have & have no problems with it learning the programs to allow or reject from the internet. I do generally turn off the Defense+ part of the program though. Main reason I use it is that it’s the only free one I’ve found so far that doesn’t kill my internet connection after a day or so of using bit torrent software. I’ve tried PCtools firewall & Zone alarm that kill my internet after a day or so of uTorrent running. If anyone has a viable alternative that works correctly with bit torrent let me know. Thanks.

  41. J. L.

    @Everyone who finds Comodo intrusive: It’s not that bad now, the later versions have improved, but you still need to configure it properly for maximum efficiency.

    Take a look at my article for example: http://www.techsupportalert.com/content/how-tame-comodo-defense-without-disabling-it.htm

    Most of the problem is caused by Defense+, which is a rather comprehensive HIPS. You can disable it, or untick it at installation.

    P.S. I’m not telling you to change your current working security product, but just don’t disapprove it entirely. It’s still a great security software, I would daresay the best free suite.

  42. Comodo Security Solutions

    J.L., as a representative of Comodo, we are glad that our products work with your 64-bit system.

    For people who are concerned about Comodo’s EULA, I have discussed it with Comodo’s legal department and they pointed out that Comodo’s EULA comports with industry standards, as most software EULAs contain similar language. In fact, ours is tamer than others.

    If you’re interested, links to others’ privacy policies and EULAs:
    http://www.symantec.com/about/profile/policies/privacy.jsp
    http://www.symantec.com/content/en/us/about/media/N360_3_EULA.pdf

    http://www.mcafee.com/us/about/privacy.html
    http://us.mcafee.com/root/aboutUs.asp?id=eula

    http://us.trendmicro.com/us/about/company/privacystatement/
    https://trial.securecloud.com/wfbs-emea/SMB-ENTERPRISE%20EULA%20MAY%202008.pdf

    EULAs and privacy policies exist to protect both the website owner and the website user. For example, this web site, dottech.org, collects end user’s name, email and IP addresses – personally identifiable information http://dottech.org/yell-at-ashraf. However, we fail to see a privacy policy posted on this site to tell us how they use and store such information, or whether the data is being sold or given to third parties.

    Finally, yes – after obtaining consent, Comodo does use information, such as email addresses and IP addresses which is necessary to provide Comodo products and services to its end-users. Without an IP address, how would Comodo deliver and support its software services? Comodo does not transfer this information to third parties as explained in the privacy policy.

    Thanks and best wishes from Comodo.

  43. Darthyoda

    I also don’t like Comodo (and I like the nickname, it fits). I installed the Antivirus & Firewall on a family member’s computer a couple of years ago, ’cause I figured they should have some protection and didn’t have the money for a commercial product. Like someone said, it didn’t seem to learn, constantly asking about allowing a program when I kept telling it to allow the program. Within a couple of days the computer went from fine with no internet garbage, to constant popups to the point that they couldn’t use the computer anymore. Before I installed their products the computer was clean, and after wiping the hd and re-installing Windows the computer stayed clean, so that was the first & last time I installed Comodo products.

  44. tejas

    Comodo already had my seal of disapproval. Having tried their firewall on 2 separate occasions, on 2 different machines, and both times causing me headaches. And getting no real help with the problems on their forum. This is just more proof that I want nothing to do with Comodo.

    @David Roper:
    I can’t stop pronouncing it ‘commode-o’ in my head now. ;)

  45. gmon

    I guess any company offering free software and using user stats to update and improve their software would offer the argument that to keep their products free, they have to make money, and selling user information is one way to do that.

    I stopped using Commodo products a while ago, having found that the firewall and AV don’t seem to learn anything and become more intrusive than protective, but that was just my experience.

  46. Ed

    When in doubt… look elsewhere. One of two things: either they are trying to get away with something, or their lawyers are inept. And the last thing we want to do is endorse inept practices and/or software. Good catch.

  47. J. L.

    This is disturbing, but unverified.
    The problem is that Comodo Internet Security is a vital security product on my 64-bit OS, being one of the few to support it natively.

    Therefore, unless they are truly up to something, I’ll have to keep it.

  48. Mags

    Thx for this review. This just adds to my reasons for not using Comodo anymore.

    When I realized that the original free Agnitum Outpost firewall didn’t work with Windows XP, I went looking for another free one. I checked out a few and decided upon Comodo 2.x. I found it a bit buggy, but better than the others I had checked out, and was satisfied with it.

    When Vista came out I discovered that 2.x didn’t work, so waited for 3.x. Needless to say I was very disappointed with it! Won’t go into details as most of my frustrations with it are the same as yours. Except to add that the more they updated, the worse the firewall became.

    After my experience with Comodo 3.X I decided that it is one company I will stay away from.

    I guess they chose to go the way they have to increase their revenue using these underhanded methods.

  49. Aviator

    Damn, I removed Back up right now after reading this news. I am so shocked. I never expected Comodo to do such a thing. Do you think it’s wise to remove Comodo and use Online Armor? I never read any EULAs… have to now… thanks.

  50. Anonymous Lawyer

    Half paranoid. In the first paragraph when it says

    “…in a form that could personally identify you…”
    (I read the paragraph, I just don’t bother to type it out)

    It doesn’t mean that the information it collects is personally identifiable, but rather that it won’t give it out to third parties. It only means that~!

    Don’t be afraid with Comodo’s products, we use it at our offices and it’s been alright without a significant increase in spam.

  51. etim

    @Michael N Hart: Regarding spam in a Gmail account–I think it would be hard to determine any real changes in the amount of spam getting into one’s Gmail account–

    I’ve had a Gmail account from back when it was still invitation only. I have NEVER used it to send or receive email, nor have I ever given it out to anyone. And I still average about 200 spam emails a month.

  52. Mobius

    I think Ashraf is right. This behavior by Comodo has turned me off to Comodo. Not only will I not buy or use any Comodo product anymore (I have something Comodo installed somewhere, so I need to go find it and uninstall it), I will make a conscious effort to inform my circle of friends about this dishonest practice of Comodo. Since privacy is such a hot topic, and this practice by Comodo clearly violates at least the sense of privacy one should have (even on the internet), this makes Comodo dishonest by not making their policy an upfront item. Further, the type of products Comodo creates are fully in the arena of privacy, which makes this privacy violation all the more distasteful.