Updated Oct. 4; please scroll down for the latest information.
Reports that Trend Micro is “stealing user data” and sending it to an unidentified server in China are absolutely false.
Trend Micro has completed an initial investigation of a privacy concern related to some of its macOS consumer products. The results confirm that Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service). The potential collection and use of browser history data was explicitly disclosed in the applicable EULAs and data collection disclosures accepted by users for each product at installation (see, for example, the Dr. Cleaner data collection disclosure here: https://esupport.trendmicro.com/en-us/home/pages/technical-support/1119854.aspx). The browser history data was uploaded to a U.S.-based server hosted by AWS and managed/controlled by Trend Micro.
Trend Micro is taking customer concerns seriously and has decided to remove this browser history collection capability from the products at issue.
Update as of September 10
We apologize to our community for concern they might have felt and can reassure all that their data is safe and at no point was compromised.
We have taken action and have 3 updates to share with all of you.
First, we have completed the removal of browser collection features across the consumer products in question. Second, we have permanently deleted all legacy logs, which were stored on US-based AWS servers. This includes the one-time 24-hour log of browser history, held for 3 months and permitted by users upon install. Third, we believe we have identified the core issue, which, humbly, is the result of the use of common code libraries. We have learned that the browser collection functionality was designed in common across a few of our applications and then deployed the same way for both security-oriented and non-security-oriented apps, such as the ones in discussion. This has been corrected.
Update as of September 11
We can confirm this situation is contained to the consumer apps in question. None of the other Trend Micro products, including consumer, small business or enterprise, are known to have ever utilized the browser data collection module or behavior leveraged in these consumer apps.
We’ve always aimed for full transparency concerning our collection and use of customer data and this incident has highlighted an opportunity for further improvement in some areas. To that end, we are currently reviewing and re-verifying the user disclosure, consent processes and posted materials for all Trend Micro products.
All of our apps are currently unavailable on the App Store. Thank you for the patience as we address this.
Update as of September 12
Please note that the ‘Open Any Files’ app leverages the same module in question. Henceforth, we will no longer publish or support this product.
We have updated our consumer apps in question to fully comply with Apple’s requirements and are in the process of resubmitting them to Apple. We are aware that our other apps have been suspended as well and we are working to resolve this as soon as possible, but thus far the basis for these suspensions is unclear. We are actively pursuing the chance to engage with Apple to understand their decision further and address any issues.
As we read through your questions, we realized that there is some confusion between Trend Micro consumer products and one from another vendor. Several of our apps have been grouped together with a completely unrelated vendor in media articles. To be clear – Adware Doctor is not a Trend Micro product.
| Question | Answer |
|---|---|
| Which of your apps were collecting 24 hours’ worth of browser history prior to the app installation? | The specific macOS consumer apps are Dr. Cleaner, Dr. Cleaner Pro, Dr. Antivirus, Dr. Unarchiver, Dr. Battery, and Duplicate Finder. |
| What information did these apps collect and why? | They collected and uploaded a small snapshot of the browser history on a one-time basis, covering the 24 hours prior to installation. This was a one-time data collection, done for security purposes (to analyze whether a user had recently encountered adware or other threats, and thus to improve the product & service). |
| What actions have you taken to date? | We have removed the browser collection module from the consumer products listed above and disabled the backend API that enabled the collection for older versions. In addition, we have permanently deleted all legacy logs that contained the one-time 24-hour log of browser history, held for 3 months and permitted by users upon install. We have also updated the one app that did not include a clear pop-up window during installation, Dr. Unarchiver, with links to our EULA, privacy policy, and data collection notice. |
| Is Open Any Files a Trend Micro app? | Yes, but we have decided to no longer publish or support this product. |
| What kind of information do these apps acquire? | A complete and transparent overview of what data our apps were collecting is available in our Data Collection Notice: https://success.trendmicro.com/data-collection-disclosure |
| Do these apps obtain consent from users about data acquisition? | Yes. During installation the user accepts a EULA with links to the detailed Data Collection Notice for the applicable product. Please note that the EULA pop-up was not active in the GUI for one of our apps, Dr. Unarchiver, but was available from the download page on the App Store. We have rectified that and it will be reflected once this app is available on the App Store again. |
| Media reports claim that browser information was sent to a server in China. Is that true? | No. Any reports saying that Trend Micro is “stealing user data” and sending it to an unidentified server in China are absolutely false. The browser history data was uploaded to a server hosted by AWS and managed/controlled by Trend Micro, physically located in the U.S. |
| Why were your apps removed from the Mac App Store? | Apple has suspended our apps and we are working with Apple via their formal dispute process. We have updated our consumer apps in question to fully comply with Apple’s requirements and are in the process of resubmitting them to Apple. We are aware that our other apps have been suspended as well and we are working to resolve this as soon as possible, but thus far the basis for these suspensions has not been clearly articulated to us. We are actively pursuing the chance to engage with Apple to understand their decision further and address any issues. |
Update as of October 4
Over the past few days and weeks, we have been in communication with Apple regarding the status of some Trend Micro apps on their App Store, an issue we are addressing with great care and attention. Due to the progress being made and our improved understanding of the issues, we wanted to provide an update and summary of the events to date.
As of September 10, Apple had suspended a number of our applications from the App Store due to data privacy and disclosure concerns specifically around the collection of browser history by six of our macOS apps. It’s important to re-state that the apps in question performed a one-time upload of a snapshot of browser history covering the 24 hours prior to installation to identify and block the latest threats. Identifying new infection vectors is a legitimate security activity that protects users and helps to arrest the further spread of malware and adware. The browser history data files were securely uploaded to a U.S.-based server hosted by AWS and managed/controlled by Trend Micro, with anonymized naming and storage to prevent association with individual users, and automatically deleted after three months per our GDPR policy. The data was never shared with any third party, monetized for ad revenue, or otherwise used for any purpose other than the security of customers.
Although we believe that our data collection and usage practices have always met GDPR and other privacy requirements, we did find a couple of issues in our initial review that we immediately corrected in our updated submissions: the common code module issue leading to browser history collection by three apps that were not security related, and the lack of a secondary opt-in consent for anonymized user data collection in a paid app. We apologize for those issues and again wish to assure our customers that their data was never compromised or used for non-security related purposes.
Actions we have taken to date
In light of the rapidly growing public concern around browser history data, we decided to immediately disable the history collection process in our backend and delete all such data from AWS, in addition to removing the collection module from the apps at issue. We also added an opt-in consent process for collection of anonymized usage data where applicable across our App Store offerings, and resubmitted all of the updated apps to Apple within days after the initial suspension. Although we have not yet been able to make those updated apps available due to their suspended status, we believe that we’re now making good progress and anticipate a positive resolution with select apps available again soon.
Since the suspension of our apps, we have been able to confirm that all of the suspensions arose from the browser history issue with the six apps that contained that module, and we have been working via Apple’s formal appeal process to reinstate our apps in the App Store, even as we work in parallel to implement further improvements in clarity and transparency across all of our App Store offerings.
Moving forward
As a security company, we take privacy and compliance very seriously, and have always sought to place our customers first. We support Apple’s effort to blaze a trail in consumer privacy protection and will use the learnings from this experience to further improve our own practices, elevating our focus on user trust and experience around privacy in addition to maintaining a strong legal compliance program.
To further improve user trust and experience, we are committed to taking further steps, including:
- Implementation of an enhanced internal privacy review process for all apps prior to submission
- Review and optimization of our data collection practices across our product portfolio to best deliver value to our customers while meeting their evolving privacy expectations
- Improved data collection notice and consent processes for new or revised App Store offerings to further increase transparency, such as secondary opt-in consents for collection of anonymized usage data – even for our free apps.
The app review and update process takes time, and we appreciate your patience and support. We are confident that we have reached an improved understanding of the updates needed to meet, and hopefully exceed, the expectations of Apple and our customers across the world.