Malwarebytes Telemetry

Malwarebytes is an antivirus/antimalware application that tracks user interactions.

Transparency of this tracking is mediocre. There is no explicit information during installation, but the user is able to opt out in Malwarebytes’ Settings. The help describes the collected data insufficiently:

“If you check this box, you will be sending us information that helps us do our jobs. We like to know what countries Malwarebytes is being used in, and the breakdown of subscriptions, Premium Trial versions, and Free versions. Our Research organization likes to keep track of what malware we are detecting and how often. We can learn that from what you send us, and that allows us to serve you more effectively. For a full list of information that is collected, please see our Privacy Policy. We hope that’s fine with you as well.”

Contrary to this general information, many clicks within the software are transmitted, including installation and machine identification numbers.

Their Privacy Policy at least points out behaviour tracking, though the full list is missing:

“You may opt out of usage and threat statistics collection in certain Malwarebytes products within the settings. Threat statistics collection includes detection samples and their corresponding statistics. Usage statistics includes behavior usage tracking.”

This immunizer was for Malwarebytes for Windows. Malwarebytes for macOS shares this information with the third party Crashlytics.

Is it spyware?

We use the ASC's definition of Tracking Software and Spyware:

Tracking software
“Software that monitors user behavior, or gathers information about the user, sometimes including personally identifiable or other sensitive information, through an executable program.”
“In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user.”

Since the term “adequate” is not well defined in the ASC's context, we both use the European GDPR and compare Information, Consent and Control to what is standard for Windows itself.

No sufficient information during installation. Can later be found in settings if looking for it. Privacy policy only has limited information on tracked data.
No consent requested during installation.
No control during installation. Can be disabled in settings, but is tied to good threat analysis telemetry. The setting is partially ignored in the macOS version.