11-29-2011 04:17 AM
I considered using Sophos Anti-Virus for Mac Home Edition many months ago, but decided against using Sophos, as I did, again, today, when I read:
"7.1 You acknowledge and agree that we may and the Licensed Product may, directly and remotely communicate with your computer for the purposes of, without limitation, verifying your credentials, issuing reports and alerts."
The wording of 7.1 is far too imprecise (ambiguous) and makes me feel very uncomfortable about what the Sophos software may do on my computer after I have been obliged to give it administrator level privileges in order to install it. Wording in 7.1, such as "without limitation", is very troubling to me and, similarly, "verifying credentials" could be legally interpreted to mean, literally, any credentials, even for other software on my computer, especially since 7.1 does not, specifically, refer to Sophos credentials. In fact, "Credentials", because of the wording in 7.1, could mean any of my credentials, including my occupation or driving credentials.
I reviewed the EULA of a few other products, some including antivirus and some that I am currently running, and they do not contain such "scary" wording in their EULAs.
Ultimately, I feel that such vague EULA wording is not by accident when it comes from a company of the caliber of Sophos.
I also find it very peculiar that http://www.sophos.com/legal/ contains a http://www.sophos.com/legal/eula.html at the very top of the page that is easy to mistake for the only Sophos EULA, unless you read further and find the 2nd Sophos EULA, which is the one with the "scary" wording in 7.1.
I find myself asking why there are two EULAs and, even if there is good reason for two EULAs, why are they not listed one above the other, or directly adjacent to one another, on the "Legal Details" page.
Obviously, I have wanted to try Sophos Anti-Virus for Mac Home Edition for some time, but I think I will continue to resist that temptation for the time being.
12-01-2011 07:39 AM
Thanks for the feedback. I can explain what the software does. I'm not sure this is what you are really looking for, but since I'm in the engineering group rather than legal, I will avoid trying to explain what's going on with the EULA. However, I will raise it with them to see what I can learn on your behalf, and will report back on this thread.
Every person or computer who uses Sophos software will have that software updated automatically. Updates are downloaded in the background and most of the time you won't notice it happening. Most days this is updates to the detection logic that identifies malicious files. These "identities" are published several times a day, or more frequently when there is a spate of new stuff identified. The anti-virus engine in our product has very fancy code to apply these identities very rapidly to check whether a given file contains something malicious. About once per month, we also publish a full product update. This update will fix bugs or add minor features, and usually includes an updated anti-virus engine too.
The credentials mentioned in the EULA are used to uniquely identify each install. For enterprise customers, we track this information back to their license, to ensure we should keep giving them updates. We don't associate home user licenses with the actual person (we don't know who you are) but instead use it for tracking continued use. It also would help us in case of abuse (we could theoretically block downloads by an abusive computer or computers that were attempting to DDOS our update servers).
There are no other "reports" to Sophos made by the software today. That won't always be true. Our Windows software will report back to SophosLabs when it discovers malicious or suspicious files when scanning. These reports (by the Windows software) are encrypted and do not contain personal information about the computer's owner. This feature is referred to as "Live Protection" (you can read about it on our website). This feedback can be turned off, if you prefer. We appreciate having it because it helps us react more quickly to new and interesting strains of malware. It also helps us measure the "usefulness" of the software. This feature will be coming to the Mac in 2012.
Our software does not read any other "credential" information or any other personal information from your computer. It definitely does not attempt to access passwords or certificates stored in your keychain or in application caches. In fact we classify applications that do that as "spyware" and we do not make software like that.
12-03-2011 08:29 AM
Thanks for replying.
In my opinion, section 7.1 should be more specific, at least, to the extent that I attempted to explain in my initial post. Because section 7.1 is not specific, and compared to the few other EULAs of software I use, it "stands out" in that, legally, it appears to give Sophos a lot more rights to contact and interact with my computer than I am comfortable agreeing to.
I very much appreciate your technical explanation of what the software does, as it correlates to the EULA. If section 7.1 were specific in a manner similar to your explanation, then, I would probably not be concerned.
Thank you again for replying.
12-05-2011 01:34 PM
So our legal folks were helpful enough to explain that this language is contained in all of our EULAs (not just the home edition) and their intent is to be both legally correct and broad enough to cover multiple products. We are not extracting personal or confidential information, that is not our business. They will look to improve the language in future revisions.
Our legal department maintains separate "Data Sharing Documents" for each of our products, available upon request (the EULA itself contains contact information). The document for Sophos Anti-Virus for Mac is very thin, it states we don't collect any information from your computer. We do record (as well as validate) the credentials presented by the software when updating, but if you were to disable updates then there is no further contact between your computer and Sophos.
Hope that helps.