A couple of days ago, I received version 9 of Sophos Antivirus through the auto-update. I only knew this because my firewall notified me that a new process, SophosWebIntelligence.bundle, was trying to connect to various Internet addresses. Eventually I figured out that a new feature had been added, Web Protection, and that it had been enabled and was intercepting all my web connections. I don't feel comfortable sending my browsing history (I don't use Live Protection either), so I turned it off. Problem solved, and no harm done.
I think Sophos is a good company, and I'm grateful for the free SAV home edition. The Web Protection is a valuable and useful new feature for most people. I understand the URL and other information collected isn't associated with a specific user or machine by Sophos. I'm not saying that Sophos is tracking users' browsing habits or anything like that, and I know that it's only analysed to improve the product and the protection that people get. Personally I prefer to keep it turned off, but I don't really think it's something people need to worry about. There's a good post from Bob Cook, explaining what data is sent and how it's used, here: http://openforum.sophos.com/t5/Sophos-Anti-Virus-for-Mac-Home/Home-version-for-Mac-sending-out-data/td-p/14057/highlight/true/page/2
However, a "devil's advocate" might look at it this way: Sophos silently installed new software onto my computer, without my knowledge or agreement, that records every URL I visit (for example my webmail page) and sends it to their servers, along with my IP number. That's enough to produce a large set of "personally identifiable" data, including my real name and address, and my complete web browsing history. The data is retained by Sophos for an unspecified time, for analysis.
So it seems to me that the implications of how this upgrade was done were perhaps not fully thought through in terms of privacy issues. Again I'm not suggesting in any way that Sophos is doing anything nefarious. But in this day and age of increasing digital surveillance by both government and commercial interests, backlash against Google and Facebook, and headlines of companies facing heavy criticism for things like uploading customers' contact lists without informing them and so on, Sophos might do well to consider some simple steps such as:
- informing customers in some way that their software has been upgraded to a new version.
- explaining new data-collecting features plainly up front so that people can make an informed decision about whether to use them.
- disabling such features by default and making them opt-in.
Thanks for your consideration, and thanks for SAV! I hope this is helpful in some way.