Paying a price to use free software: the dark side of Comodo products

September 23, 2009

Comodo is a popular name in the software business. Comodo provides multiple free, and excellent, products for home users including, but not limited to, the award-winning Comodo Firewall (now bundled with Comodo Internet Security). Comodo has also recently become a big name in multiple front-page controversies, including the issuance of its SSL security certificates to known malware distributors/scam websites and a row with Softpedia over the inclusion of a third-party toolbar in their software. For those who don’t know, I will do a quick recap for you:

  • Comodo has been caught selling its popular SSL certificate to malware distributors/scam websites. Now, in Comodo’s defense, whenever a malware distributor/scam website which has Comodo’s certificate is brought to their attention, they remove it; furthermore, the purpose of the SSL certificate, technically, is not to verify the contents of the website but rather to verify how secure it is to buy from (the irony). However, the question of why Comodo is repeatedly selling the certificates to known malware distributors/scam websites (there have been cases where a website with the same exact layout, interface, and “product” except a different name has been issued a certificate even though its earlier one was revoked) is still a significant one and still an ongoing issue.
  • Softpedia, once upon a time, labeled Comodo Internet Security as “malware” because CIS included SafeSurf, an optional third-party toolbar considered to be malware by Softpedia. Of course Comodo did not like that, so they tried to get Softpedia to remove the label. Softpedia, standing by their high standards, refused. So in the end, Comodo Internet Security was removed from Softpedia’s download database, and it remains removed.

Whatever side you are on for the above two issues, this post is not to discuss them; that is for another time. I am creating this post to address another (potentially more important) issue with Comodo products.

Today as I was checking my e-mail, I got an e-mail from a dotTechie informing me of the fact Comodo Backup, a free backup solution provided by Comodo, was recently updated to v2 with major changes and I should check it out (yes – I do read the e-mails I am sent even if I forget to reply… surprise, surprise). So, naturally, I was intrigued and went to download Comodo Backup. While installing Comodo Backup I glanced over its EULA (End User License Agreement) and was shocked by what I saw:

[Screenshot: Comodo Backup EULA excerpt]

I am not a legal mind, but to me this says if you install Comodo Backup, Comodo will collect data from your computer such as how you use Comodo Backup. Not only will Comodo collect data, but the data can potentially be personally identifiable: Comodo won’t disclose the data to a third party in a manner which will personally identify you, but that means if they are taking a deliberate and conscious action to make sure the data is not personally identifiable when being passed on to a third party, the data is personally identifiable when Comodo themselves have it. Am I understanding it properly or am I being paranoid?

Now it is not just Comodo wanting to collect data from you while you use their software. Many software developers ask you if you want to send anonymous usage statistics to the developer while using their program; however, you can always opt out if you do not want to. I looked up, down, left, right, in, and out – nowhere in Comodo Backup did I see an option to opt out of sending data to Comodo. At best I found an option under settings named “Enable log” which a user can check or uncheck; however, there is no clear indication if this “log” refers to the data collection done by Comodo or a different program function. Shame on you, Comodo; not only are you collecting questionable data but the user has no clear way to opt out if they find this action less than desirable (bar blocking the program with a firewall of course and/or not installing the program in the first place).

After I got done with Comodo Backup, I was curious to see if other Comodo software does the same thing as Comodo Backup. I found indeed there are other perpetrators which do the exact same thing…

Comodo System Cleaner

[Screenshot: Comodo System Cleaner EULA excerpt]

Comodo SecureEmail

[Screenshot: Comodo SecureEmail EULA excerpt]

…and other Comodo software which does something similar except that it explicitly states the information collected will be non-personally identifiable:

Comodo EasyVPN

[Screenshot: Comodo EasyVPN EULA excerpt]

Comodo Internet Security

[Screenshot: Comodo Internet Security EULA excerpt]

CIS is the bundle which contains Comodo Firewall, AntiVirus, and AntiMalware solutions.

Since EULAs are long, and Comodo did not exactly help by not properly formatting some of the EULAs for some of their software, I may have missed a program or two which acts in the same way as Comodo Backup; so if you find another Comodo product which collects data (personally identifiable or not) without an ethical and clear declaration and a user opt-out, please post below and I will be sure to update this post.

Furthermore, I visited the privacy policy link you see provided in CIS’s EULA. The description on how user personal data is used is vague at best:

[Screenshot: excerpt from Comodo’s privacy policy]

So who exactly are Comodo’s affiliates and what are their privacy policies? Farther down the page Comodo does state more explicitly its partners and affiliates have “similar” privacy policies…

[Screenshot: excerpt from Comodo’s privacy policy]

…but I am not really impressed in the first place by Comodo so I don’t know what to think.

To make matters even more confusing, it turns out there is another privacy policy currently linked to Comodo’s website (this one was last updated in July as opposed to April for the other one). This one is a little bit more definitive about exactly what Comodo does:

[Screenshots: excerpts from Comodo’s other privacy policy]

Of course Comodo states the affiliates and/or partners have “similar privacy standards” but I am not particularly impressed by Comodo’s “standards” when it collects data related to its programs without obvious user consent and/or clear opt-out option.

So what do you guys think? Am I being a daft, paranoid idiot or is Comodo pulling a fast one over all of us? Please, dotTechies, lawyers, Comodo reps, and everyone else: post your thoughts below. As it stands, I don’t know about everyone else, but Comodo has lost at least one potential customer: me.

***Update***

Let me make this clear: If potential data collection is not a concern for you, by all means use Comodo products (I have stated time and time again, at face value, Comodo programs are great). However, I, and many others, deplore this practice of data collection without clear notification and/or opt-out option and will probably never use Comodo products again.

84 Comments »

  1. 123 June 3, 2011 at 7:03 AM

    @Jontek9000: [diy batch backup]
    uh. cobian backup has many options. interval full, incremental, differential. encrypt, password the ui or service. compression choices. run as service. cl options (i run task files in batch). before & after commands per task, filename rules, ftp, email reports, number of archive versions to save (iow, delete older archives). vss option.
    over 5 years of dev by a guy (luis cobian) who knows how to code.
    any 1 hour batch of mine couldn’t come close. :)

  2. 123 June 3, 2011 at 7:22 AM

    Sloppiness may explain the different wording of the sensitive portions of eula’s. Notice: some comodo ware that’s potentially dependent upon comodo site, appear to have less offensive eula, while some ware that shouldn’t have site interaction have eula phrasing that would require spying to fulfill.

    I use only the FW. Versions 2.6,3,4,5
    Have any critics sniffed all ports for packets to comodo IP? (or ‘unattributable’ IPs, therefore perhaps proxy IPs?)
    I have not, so it’s possible Comodo’s FW is designed to not indicate and disobey any user rules that happen to ban comodo IPs.
    IIRC, I use a “ask” “any other” rule as final rule for all apps. I’ve rather tediously discovered that microsoft has numerous update IPs :-D
    Also, svchost is a PITB

  3. 123 June 3, 2011 at 7:23 AM

    I agree that the public misperception of ‘security certificates’ is a big problem. Certs should be renamed to ‘encryption certificates’. And maybe dialogs in net apps should prominently link to explanatory info. Most new users are naturally apprehensive about PC use, and should feel motivated to click the link to info (in a help file, usually)

  4. 123 June 3, 2011 at 7:36 AM

    @Michael W: “If you go to sooo many sites you’ll find trackers in those sites such as Google analytics, google blablabla, Quantcast, and such and such. They are named trackers because they collect information from visitors”
    noscript, tor, httpseverywhere, proxomitron, opendns, HOSTS, … in some kind of rotation?
    i don’t know really, but I’m gradually adding methods.

  5. 123 June 3, 2011 at 7:41 AM

    @MikeR: hmm, comodo FW installer uninstalls existing version before installing new version. perhaps the uninstall is good, perhaps you can kill the installer before it begins installing new version?

    there are also install monitors…

  6. Giovanni June 3, 2011 at 7:51 AM

    Well even GOOGLE collect a great deal of data from us without anyone knowing…

    Have a look at here:

    http://www.criminaljusticeusa.com/blog/2009/25-surprising-things-that-google-knows-about-you/

    So what should we do? Never again use GOOGLE while surfing the web?? LOL!

    That being said, I believe COMODO products are not bad at all…

    Their freeware FIREWALL is probably the BEST one available in the market right now and, in my view, can even outclass lots of professional Firewalls out there, such as ZONE ALARM for instance.

    And their last FREE Security Suite is very effective as well…

    http://www.softpedia.com/get/Security/Security-Related/COMODO-Internet-Security.shtml

    By the way…if I were in your shoes, Ashraf, I would add the above “COMODO Internet Security Premium” program among the BEST FREE Protection apps you listed in that great article you wrote here a few months ago.

  7. fdsjkfsd September 5, 2011 at 11:36 AM

    “but rather to verify how secure it is to buy from (the irony)”

    Wrong
    Wrong
    Wrong

    The purpose of a SSL Cert is to verify that the host you are connecting to is in fact that host you think it is. No more, no less.

    It has nothing to do with purchases at all.

  8. click This January 31, 2013 at 7:39 PM

    You’re so awesome! I don’t believe I’ve truly read through a single thing like that before. So nice to find someone with original thoughts on this issue. Seriously.. many thanks for starting this up. This website is one thing that is required on the internet, someone with a bit of originality!

  9. yo May 5, 2013 at 7:59 PM

    Thanks for the article, I was suspicious, now I’m decided :)
