Comodo is a popular name in the software business. Comodo provides multiple free, and excellent, products for home users including, but not limited to, the award winning Comodo Firewall (now bundled with Comodo Internet Security). Comodo has also recently become a big name in multiple front-page controversies including the issuance of its SSL security certificates to known malware distributors/scam websites and a row with Softpedia over the inclusion of a third party toolbar in their software. For those that don't know I will do a quick recap for you:
- Comodo has been caught selling its popular SSL certificate to malware distributors/scam websites. Now in Comodo's defense, whenever a malware distributor/scam website which has Comodo's certificate is brought to their attention, they remove it; furthermore the purpose of the SSL certificate, technically, is not to verify the contents of the website but rather to verify how secure it is to buy from (the irony). However the question of why Comodo is repeatedly selling the certificates to known malware distributors/scam websites (there have been cases where a website with the same exact layout, interface, and "product" except different name has been issued a certificate even though their earlier one was revoked) is still a significant one and still an ongoing issue.
- Softpedia, once upon a time, labeled Comodo Internet Security as "malware" because CIS included SafeSurf, an optional third party toolbar considered to be malware by Softpedia. Of course Comodo did not like that, so they tried to get Softpedia to remove the label. Softpedia, standing by their high standards, refused. So in the end the result was (is) Comodo Internet Security was (is) removed from Softpedia's download database.
Whatever side you are on for the above two issues, this post is not to discuss them; that is for another time. I am creating this post to address another (potentially more important) issue with Comodo products.
Today as I was checking my e-mail, I got an e-mail from a dotTechie informing me of the fact Comodo Backup, a free backup solution provided by Comodo, was recently updated to v2 with major changes and I should check it out (yes - I do read the e-mails I am sent even if I forget to reply... surprise, surprise). So, naturally, I was intrigued and went to download Comodo Backup. While installing Comodo Backup I glanced over its EULA (End User License Agreement) and was shocked by what I saw:
I am not a legal mind, but to me this says if you install Comodo Backup, Comodo will collect data from your computer such as how you use Comodo Backup. Not only will Comodo collect data, but the data can potentially be personally identifiable: Comodo won't disclose the data to a third party in a manner which will personally identify you but that means if they are taking a deliberate and conscious action to make sure the data is not personally identifiable when being passed on to a third party, the data is personally identifiable when Comodo themselves have it. Am I understanding it properly or am I being paranoid?
Now it is not just Comodo wanting to collect data from you while you use their software. Many software developers ask you if you want to send anonymous usage statistics to the developer while using their program; however you can always opt out if you do not want to. I looked up, down, left, right, in, and out - nowhere in Comodo Backup did I see an option to opt out of sending data to Comodo. At best I found an option under settings named "Enable log" which a user can check or uncheck; however there is no clear indication if this "log" refers to the data collection done by Comodo or a different program function. Shame on you Comodo; not only are you collecting questionable data but the user has no clear way to opt out if they find this action less than desirable (bar blocking the program with Firewall of course and/or not installing the program in the first place).
After I got done with Comodo Backup, I was curious to see if other Comodo software do the same thing as Comodo Backup. I found indeed there are other perpetrators which do the exact same thing...
Comodo System Cleaner
Comodo SecureEmail
...and other Comodo software which do something similar except explicitly state the information collected will be non-personally identifiable:
Comodo EasyVPN
Comodo Internet Security
CIS is the bundle which contains Comodo Firewall, AntiVirus, and AntiMalware solutions.
Since EULAs are long, and Comodo did not exactly help by not properly formatting some of the EULAs for some of their software, I may have missed a software or two which act in the same way as Comodo Backup; so if you find another Comodo product which collects data (personally identifiable or not) without an ethical and clear declaration and a user opt-out, please post below and I will be sure to update this post.
Furthermore, I visited the privacy policy link you see provided in CIS's EULA. The description on how user personal data is used is vague at best:
So who exactly are Comodo's affiliates and what are their privacy policies? Farther down the page Comodo does state more explicitly its partners and affiliates have "similar" privacy policies...
...but I am not really impressed in the first place by Comodo so I don't know what to think.
To make matters even more confusing, it turns out there is another privacy policy currently linked to Comodo's website (this one was last updated in July as opposed to April for the other one). This one is a little bit more definitive about exactly what Comodo does:
Of course Comodo states the affiliates and/or partners have "similar privacy standards" but I am not particularly impressed by Comodo's "standards" when it collects data related to its programs without obvious user consent and/or clear opt-out option.
So what do you guys think? Am I being a daft, paranoid idiot or is Comodo pulling a fast one over all of us? Please, dotTechies, lawyers, Comodo reps, and everyone else: post your thoughts below. As it stands, I don't know about everyone else, but Comodo has lost at least one potential customer: me.
***Update***
Let me make this clear: If potential data collection is not a concern for you, by all means use Comodo products (I have stated time and time again, at face value, Comodo programs are great). However I, and many others, deplore this practice of data collection without clear notification and/or opt-out option and will probably never use Comodo products again.

Matt
@J. L.:
Actually there’s an even easier way to maintain Comodo’s Firewall Defense and not Disable the Defense Plus. After it’s installed just right click on the firewall symbol. Set both Firewall Security Level and Defense+ Security Level to Training Mode. You won’t have to worry about pop-ups again.
Also as paranoid as people are getting. Remember Comodo is one of the biggest sites to offer security for enterprises, only Verisign is bigger. You honestly think Verisign would give you a Firewall like Comodo’s for free?
I don’t read EULA’s; it’s more about trust in a company. Them selling SSL to malware companies doesn’t mean they’re selling data to malware companies. I do think it’s wrong they don’t make it clear or give u the option to opt out of giving away data, but again it doesn’t mean they are giving it to anyone other than keeping it themselves to make their product better.
I see so many people make less of a deal about Digsby’s malware installer and collecting data while u sleep than from Comodo. I’m sorry I’d trust Comodo with my data than I would Digsby whom has shown users don’t matter at all to them and only change when forced to.
Hell you see less of a deal made about Spyware Terminator which used to be known as a rogue site. People just started blindly trusting them with their software and we’re talking a site that used to be ROGUE. One day they could go back to their Rogue ways, no one knows it and they have malware install on your PC and give your info to Malware sites. Again I’d trust Comodo over Spyware Terminator.
If you’re using Windows 7 x64 then your options are quite limited when it comes to free firewalls. Outpost Free x64 isn’t completely compatible yet, Online Armor Free isn’t compatible yet. PC Tools Firewall works but has caused internet connection problems with Windows 7 x64. ZoneAlarm Free offers almost no protection. So from a Firewall standpoint the only secure Firewall for Windows 7 x64 users with the least problems is Comodo Firewall right now.
J.L.
@Matt: You forgot to mention that you’ll have to change the security level later. If you don’t do that, then it’s useless.
Also, setting it to training mode immediately isn’t wise unless your computer is 100% clean.
Speaking of 100%, here are the new Matousec results: http://www.matousec.com/projects/proactive-security-challenge/results.php
BJ
Softpedia never labeled Comodo Internet Security as “malware”, they labeled it as “adware” and then had to quietly change it because they were wrong. Anyway, huge difference between “malware” and “adware” in my book.
EULA: Perhaps the author should have done a little research first or even read a few more EULA’s that would have been good. ROFL. Priceless.
FUD is the only dark side I see here.
BJ
Just ran into this..
So, there you go then, it seems that Softpedia didn’t exactly label Comodo as malware then (that would be Comodo themselves apparently). Irresponsible, forgetful or something else? Pick your poison, that’s the dark side for you.
“A lie gets halfway around the world before the truth has a chance to get its pants on.” – Winston Churchill.
Ashraf
@BJ: You may be right; it might have been adware and not malware – I don’t remember for sure. Regardless, though, both are bad in my eyes.
And you are dead wrong: Softpedia never “quietly changed it”. Comodo issued a “cease and desist” to Softpedia so Softpedia just removed Comodo Internet Security from their downloads. Try looking for CIS at Softpedia and you won’t find it now even though CIS does not have the Ask Toolbar anymore.
Lastly, I agree with you: other companies may do the same thing; however most do not. Please post a EULA to prove me otherwise.
@BJ: Please, instead of trying to make me look bad, you are just making yourself look like a fool. Anyone that actually read the post by Softpedia knows the part I quoted was an “update” by Softpedia; a means of their last words before they stop posting about it. It was their last comment on why they are right and Comodo is wrong.
The article has been unpublished on Softpedia since so I will just quote the original article part quoted by Gizmo at the very link you posted:
BJ
Try to make you look bad? Please, I think you have done that quite well all by yourself without any help from me. I will bet that you currently have no idea why EULA’s have those personal information sections. Large hint: Show me any software that has updates, or something else that connects user systems to remote servers, with an EULA that does not contain that personal information section and I will show you a company that you can gleefully sue in the US. It is that simple/awful.
As for adware & malware being equal in some manner or confusing them, well.. good luck with that.
This fool is gone. :)
Disgruntledkiwi
Seriously people, consider for a moment what we are debating and where we are debating it. This is the Internet. The Internet is full of humans and humans are essentially flawed.
Some of the people here are genuinely aggrieved.
Some of us are whining because we do not understand our software.
Some of us are whining because we do not understand the environment in which we choose to whine.
Some of us are whining because the seats at the top of the bandwagon are the most comfortable available today.
All web sites gather information and in most cases, store that information for some length of time on servers. From your PC, to your ISP, to the regular forums and software vendors, daily news casts, blog spots, social networks, MMORPG’s, google desktop “value added” utilities, torrent clients (despite assurances to the contrary) all of them, collating information for various individuals, companies, advertising agencies, corporations and lo – even the mighty black hat that is Microsoft itself. If your Operating System was designed by men who are now in court arguing anti-trust allegations, why would you expect your firewall technology to be any more authentic? It is my opinion that EULA’s exist to warrant backdoor tragedies.
So shuddup and take it like a consumer!
etim
“So shuddup and take it like a consumer!”
Haha! So, in other words, “Break out the KY and smile” , eh?
MikeR
I think I was sort of following the contribution until I reached this bit:
It is my opinion that EULA’s exist to warrant backdoor tragedies
Falling down the steps or something?
Kei
@BJ: Stop being an idiot.
I for one, wouldn’t like being made a fool of by anyone, especially if he’s a trusted friend – this is what comodo is secretly doing behind our back.
calebstein
@BJ: The only person who looks bad here is you.
I never liked Comodo software and now I will never install anything with Comodo in the name. I stopped using Google for the same reason.
vhick
Sorry, I know that the article is old. But I want to comment. Because I’m new here (although I read the article of sir Ashraf especially GAOTD review). I’m enjoying reading article here so I subscribe.
About the EULA of Comodo. I’ve been shocked too. Because I use my home PC in some office documents so privacy is a big concern to me. I used one of their product; Comodo Time Machine. Comodo Products is great at unbeatable price (free). But I have no choice because other product with the same function as Comodo Time Machine is a shareware. I can’t afford to buy one because I only have $238 (converted from Philippine Peso) per month salary. So how I can afford to buy a good software. Maybe this is one of the factor why other third world country is using pirated software because they can afford great software for their needs. Even Microsoft OS and Office came from a gift, other giveaways, and freeware.
Right now I was thinking about it if I stay in Comodo or not.
Thanks Ashraf for a great article.
ojoj
“So shuddup and take it like a consumer!”
Haha! So, in other words, “Break out the KY and smile” , eh?
Mat
I cannot believe what a bad company they are. They release a program without the opt-out for the so-called anonymous usage statistics. At first it didn’t bother me. After that, the program began to “think” it was Administrator. It Destroyed my new copy of Windows 7. I had to reinstall it! I am just really ticked off about this.
Claude Curtis
Would you send me an email. I have info on Comodo I will send via email.
Ashraf
@Claude Curtis: You can e-mail me the info.
Me
Can’t trust anyone nowadays, now can you?
Ken
I installed Comodo Time Machine in late January. I uninstalled it yesterday because the backups were filling up my disk.
On reboot ALL my data from after January 27 was GONE.
DO NOT USE THIS PRODUCT.