Paying a price to use free software: the dark side of Comodo products
September 23, 2009
Comodo is a popular name in the software business. Comodo provides multiple free, and excellent, products for home users including, but not limited to, the award winning Comodo Firewall (now bundled with Comodo Internet Security). Comodo has also recently become a big name in multiple front-page controversies including the issuance of its SSL security certificates to known malware distributors/scam websites and a row with Softpedia over the inclusion of a third party toolbar in their software. For those that don’t know I will do a quick recap for you:
- Comodo has been caught selling its popular SSL certificate to malware distributors/scam websites. Now in Comodo’s defense, whenever a malware distributor/scam website which has Comodo’s certificate is brought to their attention, they remove it; furthermore the purpose of the SSL certificate, technically, is not to verify the contents of the website but rather to verify how secure it is to buy from (the irony). However the question of why Comodo is repeatedly selling the certificates to known malware distributors/scam websites (there have been cases where a website with the same exact layout, interface, and “product” except different name has been issued a certificate even though their earlier one was revoked) is still a significant one and still an ongoing issue.
- Softpedia, once upon a time, labeled Comodo Internet Security as “malware” because CIS included SafeSurf, an optional third party toolbar considered to be malware by Softpedia. Of course Comodo did not like that, so they tried to get Softpedia to remove the label. Softpedia, standing by their high standards, refused. So in the end the result was (is) Comodo Internet Security was (is) removed from Softpedia’s download database.
Whatever side you are on for the above two issues, this post is not to discuss them; that is for another time. I am creating this post to address another (potentially more important) issue with Comodo products.
Today as I was checking my e-mail, I got an e-mail from a dotTechie informing me of the fact Comodo Backup, a free backup solution provided by Comodo, was recently updated to v2 with major changes and I should check it out (yes – I do read the e-mails I am sent even if I forget to reply… surprise, surprise). So, naturally, I was intrigued and went to download Comodo Backup. While installing Comodo Backup I glanced over its EULA (End User License Agreement) and was shocked by what I saw:
I am not a legal mind, but to me this says if you install Comodo Backup, Comodo will collect data from your computer such as how you use Comodo Backup. Not only will Comodo collect data, but the data can potentially be personally identifiable: Comodo won’t disclose the data to a third party in a manner which will personally identify you but that means if they are taking a deliberate and conscious action to make sure the data is not personally identifiable when being passed on to a third party, the data is personally identifiable when Comodo themselves have it. Am I understanding it properly or am I being paranoid?
Now it is not just Comodo wanting to collect data from you while you use their software. Many software developers ask you if you want to send anonymous usage statistics to the developer while using their program; however you can always opt out if you do not want to. I looked up, down, left, right, in, and out – nowhere in Comodo Backup did I see an option to opt out of sending data to Comodo. At best I found an option under settings named “Enable log” which a user can check or uncheck; however there is no clear indication if this “log” refers to the data collection done by Comodo or a different program function. Shame on you Comodo; not only are you collecting questionable data but the user has no clear way to opt out if they find this action less than desirable (bar blocking the program with Firewall of course and/or not installing the program in the first place).
After I got done with Comodo Backup, I was curious to see if other Comodo software do the same thing as Comodo Backup. I found indeed there are other perpetrators which do the exact same thing…
Comodo System Cleaner
Comodo SecureEmail
…and other Comodo software which do something similar except explicitly state the information collected will be non-personally identifiable:
Comodo EasyVPN
Comodo Internet Security
CIS is the bundle which contains Comodo Firewall, AntiVirus, and AntiMalware solutions.
Since EULAs are long, and Comodo did not exactly help by not properly formatting some of the EULAs for some of their software, I may have missed a software or two which act in the same way as Comodo Backup; so if you find another Comodo product which collects data (personally identifiable or not) without an ethical and clear declaration and a user opt-out, please post below and I will be sure to update this post.
Furthermore, I visited the privacy policy link you see provided in CIS’s EULA. The description on how user personal data is used is vague at best:
So who exactly are Comodo’s affiliates and what are their privacy policies? Farther down the page Comodo does state more explicitly its partners and affiliates have “similar” privacy policies…
…but I am not really impressed in the first place by Comodo so I don’t know what to think.
To make matters even more confusing, it turns out there is another privacy policy currently linked to Comodo’s website (this one was last updated in July as opposed to April for the other one). This one is a little bit more definitive about exactly what Comodo does:
Of course Comodo states the affiliates and/or partners have “similar privacy standards” but I am not particularly impressed by Comodo’s “standards” when it collects data related to its programs without obvious user consent and/or clear opt-out option.
So what do you guys think? Am I being a daft, paranoid idiot or is Comodo pulling a fast one over all of us? Please, dotTechies, lawyers, Comodo reps, and everyone else: post your thoughts below. As it stands, I don’t know about everyone else, but Comodo has lost at least one potential customer: me.
***Update***
Let me make this clear: If potential data collection is not a concern for you, by all means use Comodo products (I have stated time and time again, at face value, Comodo programs are great). However, I, and many others, deplore this practice of data collection without clear notification and/or opt-out option and will probably never use Comodo products again.

I think Ashraf is right. This behavior by Comodo has turned me off to Comodo. Not only will I not buy or use any Comodo product anymore (I have something Comodo installed somewhere, so I need to go find it and uninstall it), I will make a conscious effort to inform my circle of friends about this dishonest practice of Comodo. Since privacy is such a hot topic, and this practice by Comodo clearly violates at least the sense of privacy one should have (even on the internet), this makes Comodo dishonest by not making their policy an upfront item. Further, the type of products Comodo creates are fully in the arena of privacy, which makes this privacy violation all the more distasteful.
Hi all. The Hosts News website has also come down hard on Comodo for some time now over its practices (http://msmvps.com/blogs/hostsnews/default.aspx). Nasty business, eh? Thanks for looking into it so thoroughly, Ashraf. Appreciated.
I may be paranoid but I have noticed a sharp rise in spam in my Gmail account since I installed Comodo System Cleaner; perhaps I am wrong but ?
@Michael N Hart: Regarding spam in a Gmail account–I think it would be hard to determine any real changes in the amount of spam getting into one’s Gmail account–
I’ve had a Gmail account from back when it was still invitation only. I have NEVER used it to send or receive email, nor have I ever given it out to anyone. And I still average about 200 spam emails a month.
Half paranoid. In the first paragraph when it says
“…in a form that could personally identify you…”
(I read the paragraph, I just don’t bother to type it out)
It doesn’t mean that the information it collects is personally identifiable, but rather that it won’t give it out to third parties. It only means that~!
Don’t be afraid with Comodo’s products, we use it at our offices and it’s been alright without a significant increase in spam.
Just joking, the “Anonymous Lawyer” is me.
Damn, I removed Backup right now after reading this news. I am so shocked. I never expected Comodo to do such a thing. Do you think it’s wise to remove Comodo and use Online Armor? I never read any EULAs… have to now… thanks.
So I get it now, Comodo is “code” for commode. Right? Got it. Thanks Comodo for making so easy for me to remember.
Thx for this review. This just adds to my reasons for not using Comodo anymore.
When I realized that the original free Agnitum Outpost firewall didn’t work with Windows XP, I went looking for another free one. I checked out a few and decided upon Comodo 2.x. I found it a bit buggy, but better than the others I had checked out, and was satisfied with it.
When Vista came out I discovered that 2.x didn’t work, so waited for 3.x. Needless to say I was very disappointed with it! Won’t go into details as most of my frustrations with it are the same as yours. Except to add that the more they updated, the worse the firewall became.
After my experience with Comodo 3.X I decided that it is one company I will stay away from.
I guess they chose to go the way they have to increase their revenue using these underhanded methods.
This is disturbing, but unverified.
The problem is that Comodo Internet Security is a vital security product on my 64-bit OS, being one of the few to support it natively.
Therefore, unless they are truly up to something, I’ll have to keep it.
When in doubt… look elsewhere. One of two things: either they are trying to get away with something, or their lawyers are inept. And the last thing we want to do is endorse inept practices and/or software. Good catch.
I guess any company offering free software and using user stats to update and improve their software would offer the argument that to keep their products free, they have to make money, and selling user information is one way to do that.
I stopped using Commodo products a while ago, having found that the firewall and AV don’t seem to learn anything and become more intrusive than protective, but that was just my experience.
Comodo already had my seal of disapproval. Having tried their firewall on 2 separate occasions, on 2 different machines, and both times causing me headaches. And getting no real help with the problems on their forum. This is just more proof that I want nothing to do with Comodo.
@David Roper:
I can’t stop pronouncing it ‘commode-o’ in my head now. ;)
I also don’t like Comodo (and I like the nickname, it fits). I installed the Antivirus & Firewall on a family member’s computer a couple of years ago, ’cause I figured they should have some protection and didn’t have the money for a commercial product. Like someone said, it didn’t seem to learn, constantly asking about allowing a program when I kept telling it to allow the program. Within a couple of days the computer went from fine with no internet garbage, to constant popups to the point that they couldn’t use the computer anymore. Before I installed their products the computer was clean, and after wiping the hd and re-installing Windows the computer stayed clean, so that was the first & last time I installed Comodo products.
J.L., as a representative of Comodo, we are glad that our products work with your 64-bit system.
For people who are concerned about Comodo’s EULA, I have discussed it with Comodo’s legal department and they pointed out that Comodo’s EULA comports with industry standards, as most software EULAs contain similar language. In fact, ours is tamer than others.
If you’re interested, links to others’ privacy policies and EULAs:
http://www.symantec.com/about/profile/policies/privacy.jsp
http://www.symantec.com/content/en/us/about/media/N360_3_EULA.pdf
http://www.mcafee.com/us/about/privacy.html
http://us.mcafee.com/root/aboutUs.asp?id=eula
http://us.trendmicro.com/us/about/company/privacystatement/
https://trial.securecloud.com/wfbs-emea/SMB-ENTERPRISE%20EULA%20MAY%202008.pdf
EULAs and privacy policies exist to protect both the website owner and the website user. For example, this web site, dottech.org, collects end user’s name, email and IP addresses – personally identifiable information http://dottech.org/yell-at-ashraf. However, we fail to see a privacy policy posted on this site to tell us how they use and store such information, or whether the data is being sold or given to third parties.
Finally, yes – after obtaining consent, Comodo does use information, such as email addresses and IP addresses which is necessary to provide Comodo products and services to its end-users. Without an IP address, how would Comodo deliver and support its software services? Comodo does not transfer this information to third parties as explained in the privacy policy.
Thanks and best wishes from Comodo.
wow, sneaky…..but what do ya expect from these companies? anyways, I’ve never been a fan of their firewall. it was kinda annoying with the constant pop up notifications
Then what firewall do you use? I installed Comodo because I was told Zone Alarm wasn’t any good anymore.
@Everyone who finds Comodo intrusive: It’s not that bad now, the later versions have improved, but you still need to configure it properly for maximum efficiency.
Take a look at my article for example: http://www.techsupportalert.com/content/how-tame-comodo-defense-without-disabling-it.htm
Most of the problem is caused by Defense+, which is a rather comprehensive HIPS. You can disable it, or untick it at installation.
P.S. I’m not telling you to change your current working security product, but just don’t disapprove it entirely. It’s still a great security software, I would daresay the best free suite.
I’ve been using the Firewall portion for a year or two on a couple computers I have & have no problems with it learning the programs to allow or reject from the internet. I do generally turn off the Defense+ part of the program though. Main reason I use it is that it’s the only free one I’ve found so far that doesn’t kill my internet connection after a day or so of using bit torrent software. I’ve tried PCtools firewall & Zone alarm that kill my internet after a day or so of uTorrent running. If anyone has a viable alternative that works correctly with bit torrent let me know. Thanks.
My personal thought is that ‘IF’ you read the EULA and install or ‘IF’ you don’t read the EULA but agree as if you had and then install then you have given consent for them to collect the information.
BUT it is sneaky in the way that they do NOT give an opt out so I would wonder a lot and wouldn’t be happy with anything they collected being safe especially with them being linked so strongly with malware/spam sites etc over their certificates so I’ll give them a wide berth and any one linked to them too!
Thanks Ashraf you do come up with some valuable stuff to know and I’m certainly recommending your site to friends whenever I can
@Comodo Security Solutions: First let me say apologies for not moderating your comment through earlier. It was marked as spam because of how many links you included and I just checked my spam box.
Now on to the topic at hand.
First of all, the defense of “they are doing it so we can also” is weak and unacceptable.
Secondly, you say your privacy statement is more “tame” than the other statements you linked. I say yours is more vague. All the statements you linked are a lot more specific in my opinion. As a consumer, I appreciate companies being upfront about exactly what they are collecting and what they are doing with my information.
Thirdly, your privacy statement is not the main issue discussed in this post. You totally dodged answering any questions related to what is the main issue of this post: the fact that you collect data (potentially personally identifiable data) from users who install some (if not all) of your programs. Please address this issue and expand on it.
Fourthly, I am going to assume you are joking about http://dottech.org/yell-at-ashraf. Anyone using that form is opting in to e-mail me and thus including that information; it is pretty clear to them (or should be if it isn’t) which information they are sharing with me. That is nowhere like automatically collecting user data after they install your software.
Fifthly, thanks for reminding me. I should write in huge big black letters “I DO NOT PURPOSEFULLY COLLECT ANY PERSONALLY IDENTIFIABLE INFORMATION. ANY PERSONALLY IDENTIFIABLE INFORMATION SENT TO ME IS ON YOUR OWN ACCORD, SUCH AS WHEN YOU E-MAIL ME. HOWEVER DO NOT WORRY. I DON’T CARE FOR YOUR INFORMATION AND I DO NOTHING WITH IT EXCEPT REPLY TO YOUR E-MAIL.” dotTech Privacy Statement coming soon to a theater near you!
Lastly, thanks for finally giving a little bit more discrete information on exactly what data you are collecting. It is understandable if you are collecting e-mail address and IP information from customers who provide it willingly such as register on your website or for a service from you. However you need to be more open about if that is only what you are collecting or if you are collecting more because your EULAs and privacy statements are still vague at best. Considering the fact you have a legal team on hand at all times… I am sure you can come up with better EULAs and privacy statements.
I have tried Comodo stuff a few times and never been impressed. I too have had problems. Now I use Avira and Online Armor by tall emu.
Would recommend them both
bye bye COMODO
Dear Ashraf,
I am a steady reader, and want you to know how well appreciated you and your information are. Kudos.
On your issuance of info on Comodo’s EULAs, I fully agree with the ethics (or, lack of) you have pointed out.
However, I have been using most Comodo products, especially the Firewall, for a couple of years now on more than 1 computer. Once I learned how to control the program by telling it what I want it to do for me, and how, it is very responsive and stable on both XP Pro and Vista Ultimate, both 32bit.
I have never noticed any rise in spam mail in any of my boxes from any source.
In a nutshell, I take into complete consideration the EULA concern you have opened for us, however, considering the fact that I have been successfully using Comodo software for a couple of years, with no complications, problems, and having received no spam mails as a result of Comodo’s EULA… all I find is an excellent working software that I will continue to use until such time as it becomes defunct. Personally, I give it 2 thumbs up!
Thank you again Ashraf for all the honesty you put out there for us everyday (and I love your sense of humor.)
twoeye
I used exclusively Comodo Firewall without Defense + (and the “normal” user that I am was satisfied), but I admit that this clause of the EULA and its consequences escapes me.
I fully approve of the need for an option allowing the user to choose whether or not to allow the disclosure of private data.
I immediately searched for an alternative and opted for PC Tools Firewall (using ThreatFire already) on the basis of these results: http://www.matousec.com/projects/proactive-security-challenge/results.php
In any case thank you for drawing our attention to this problem.