Trend Micro backtracks on browser history collection after its apps are removed from mac App Store
It recently came to light that a number of apps in the mac App Store were collecting data about users' browsing histories and uploading them to a remote server. Included in this list were several apps from security firm Trend Micro.
Apple responded by kicking the offending apps out of the App Store, and Trend Micro started an investigation into the privacy concerns raised about Dr Cleaner, Dr Cleaner Pro, Dr Antivirus, Dr Unarchiver, Dr Battery and Duplicate Finder. Confirming that these apps did in fact collect and upload browser data, the company at first defended the activity, but then went on to cease data collection.
- Mac app Adware Doctor caught stealing users' browsing histories
- Apple boots Alex Jones and Infowars out of the App Store
Trend Micro's initial investigation confirmed data collection by a number of its apps, but the company tried to play down the significance of this. In a blog post, the company said that the apps "collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation". It goes on to try to suggest that this was nothing to worry about as it "was a one-time data collection, done for security purposes", offering the justification that it was "to analyze whether a user had recently encountered adware or other threats, and thus to improve the product and service".
Trend Micro also points out that "the potential collection and use of browser history data was explicitly disclosed in the applicable EULAs and data collection disclosures accepted by users for each product at installation" and that "the browser history data was uploaded to a US-based server hosted by AWS and managed/controlled by Trend Micro".
But in an update to its original post about the matter, Trend Micro offers an apology to users and says that it has now ceased data collection:
We apologize to our community for concern they might have felt and can reassure all that their data is safe and at no point was compromised.
We have taken action and have 3 updates to share with all of you.
First, we have completed the removal of browser collection features across our consumer products in question. Second, we have permanently dumped all legacy logs, which were stored on US-based AWS servers. This includes the one-time 24 hour log of browser history held for 3 months and permitted by users upon install. Third, we believe we identified a core issue which is humbly the result of the use of common code libraries. We have learned that browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented as well as the non-security oriented apps such as the ones in discussion. This has been corrected.