Trusteer Rapport new EULA

ubuysa

The BSOD Doctor
I had a pop-up from Trusteer Rapport last night requiring me to accept new terms and conditions (a new EULA) to allow my continued use of the Rapport security product. I've been running Rapport for years, ever since my bank (NatWest) first offered it. I will confess that I didn't read the original T&Cs but I have read the new ones required by IBM. Most of the terms relating to their use of my personal information are fairly straightforward; they can access the websites that I visit, my browser logs, program usage patterns, etc. and I have no problem with any of that (the new EULA makes it clear near the end that they agree to be bound by the EU laws on the use of personal information, for example).

What I do have a problem with is this:

2. In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise's data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction. IBM does not use the Program to target collection of Your personal information. Nevertheless, the information collected could contain personally identifiable information that has been obtained by the malware without Your permission or is relevant to identifying malicious activity or addressing general Program malfunction. IBM will delete any collected information, including personal information of which we become aware, that is not relevant for the purposes described above and will retain other information only for the duration of the relevant analysis. To avoid accidentally retaining data longer than necessary, IBM reviews all retained files for relevance once every three months.

Note the use of the words "any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity" (my underlining). That means that by accepting this EULA I'm giving IBM, and their subcontractors worldwide, permission to access anything on my computer that they think they might like to see. That's a no-no for me.

I've just reconfigured Rapport in my firewall to allow Rapport to communicate only outbound and to block all unsolicited inbound connections. I may even lock it down further and allow only access to my bank's website and no other IP address. I don't want to uninstall it because it's useful but I'm not prepared to give IBM unfettered access to anything on my computer they take a fancy to.

What does the team think?
 

SpyderTracks

We love you Ukraine
Blimey! That's giving them a very wide berth and totally unnecessarily imho! In any other product if a file is requested to be sent to the security experts it asks per file if the user wants to send it and I think that is the only way to do it. Giving any company all out permissions over your files just seems ridiculous to me.
 

mantadog

Superhero Level Poster
I don't use that software despite being badgered by my bank 50 times a week about it, but that EULA is pretty brutal.

Effectively saying "we can take any file and all we need to do is think it's dodgy" without asking the user permission on a file-by-file basis is just bad. Though you will probably find it was in the original terms and conditions and they have been able to do it for ages.

Not everyone is as savvy as you and will know how to enable one-way-only communication though. That's what they rely on and I'm sure nothing too sinister is going on, but someone could find a way to abuse it even if the company isn't planning to.
 

ubuysa

The BSOD Doctor
> I don't use that software despite being badgered by my bank 50 times a week about it, but that EULA is pretty brutal.
>
> Effectively saying "we can take any file and all we need to do is think it's dodgy" without asking the user permission on a file-by-file basis is just bad. Though you will probably find it was in the original terms and conditions and they have been able to do it for ages.
>
> Not everyone is as savvy as you and will know how to enable one-way-only communication though. That's what they rely on and I'm sure nothing too sinister is going on, but someone could find a way to abuse it even if the company isn't planning to.

Actually Rapport is quite useful, which is why I don't want to get rid of it. The anti-malware stuff in there is unnecessary for me (because I'm already well defended against malware) but the anti-phishing stuff is moderately useful. What is really useful, and the only reason that I use it, is that it establishes a very secure connection between your browser and the bank's server and completely eliminates any possibility of man-in-the-middle attacks. Conventional firewall/anti-virus/software defence tools cannot protect you against this type of attack; Rapport can.
 