CCleaner Is Silently Updating Users Who Turned Off Automatic Updates

I'm sure this How-to Geek article won't change the minds of CCleaner
lovers, but here it is:

https://www.howtogeek.com/fyi/cclean...pdating-users-
who-turned-off-automatic-updates/


That links to "Here's What You Should Use Instead of CCleaner" at

https://www.howtogeek.com/361112/her...d-use-instead-
of-ccleaner/


--
Stan Brown, Oak Road Systems, Tompkins County, New York, USA
http://BrownMath.com/
http://OakRoadSystems.com/
Shikata ga nai...

On 2018-09-19, Stan Brown wrote:
That links to "Here's What You Should Use Instead of CCleaner" at

https://www.howtogeek.com/361112/her...d-use-instead-
of-ccleaner/

Do the warnings pertain to the portable version of ccleaner? As far as
I can tell that doesn't install anything, it's just a standalone
executable.

--
-----------------------------------------------------------------------------
Roger Blake (Posts from Google Groups killfiled due to excess spam.)

NSA sedition and treason -- http://www.DeathToNSAthugs.com
Don't talk to cops! -- http://www.DontTalkToCops.com
Badges don't grant extra rights -- http://www.CopBlock.org
-----------------------------------------------------------------------------

Roger Blake wrote:
On 2018-09-19, Stan Brown wrote:
That links to "Here's What You Should Use Instead of CCleaner" at

https://www.howtogeek.com/361112/her...d-use-instead-
of-ccleaner/

Do the warnings pertain to the portable version of ccleaner? As far as
I can tell that doesn't install anything, it's just a standalone
executable.

I'd like to know too. So far, mine is the same. Maybe I will need to
block all network accesses to CCLeaner for now on?

--
Quote of the Week: "Still we live meanly, like ants;... like pygmies we
fight with cranes;... Our life is frittered away by detail. Simplify...
simplify..." --Henry Thoreau
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\Ant(Dude) @ http://antfarm.home.dhs.org / http://antfarm.ma.cx
/ /\ /\ \ Please nuke ANT if replying by e-mail privately. If credit-
| |o o| | ing, then please kindly use Ant nickname and URL/link.
\ _ /
( )

Stan Brown wrote:

I'm sure this How-to Geek article won't change the minds of CCleaner
lovers, but here it is:

https://www.howtogeek.com/fyi/cclean...pdating-users-
who-turned-off-automatic-updates/

That links to "Here's What You Should Use Instead of CCleaner" at

https://www.howtogeek.com/361112/her...d-use-instead-
of-ccleaner/

My CC 5.10.5373 does not call home.

Stan Brown wrote:

I'm sure this How-to Geek article won't change the minds of CCleaner
lovers, but here it is:

https://www.howtogeek.com/fyi/cclean...pdating-users-
who-turned-off-automatic-updates/

That links to "Here's What You Should Use Instead of CCleaner" at

https://www.howtogeek.com/361112/her...d-use-instead-
of-ccleaner/

Sure glad I stuck with (actually went back to) version 5.40. No changes
in later versions are needed on Windows 7 and I certainly don't want
Avast's adware platform or regenerated tracking cookie.

By the way, the EU's GPDR legislation is ****ing over a lot of software
authors. One of the latest Windows 7 updates has only do to with
changes mandated to be complaint with GPDR.

https://redmondmag.com/articles/2018...nce-tools.aspx

The EU are idiots: the whole GPDR stupidity is having just the opposite
effect. The result is to NOT protect privacy. Software authors can now
implement even more data collection which requires users to discover the
change to then opt-out from new default settings that divulged them
more. Or send an e-mail that notifies of GPDR changes requiring the
user to make config changes in their account. Uh huh, like that'll have
a 100% correction effect by users.

https://www.infosecurity-magazine.co...-improve-data/

https://www.theregister.co.uk/2018/06/25/gdpr_fails/
Yeah, just lock out the EU visitors from your site. That'll really help
promote GPDR, uh huh. Sorry, your EU ****ed you over, so goodbye.

https://digiday.com/media/everyone-b...falling-short/

On 19/09/2018 07:46, VanguardLH wrote:

By the way, the EU's GPDR legislation is ****ing over a lot of software
authors. One of the latest Windows 7 updates has only do to with
changes mandated to be complaint with GPDR.

https://redmondmag.com/articles/2018...nce-tools.aspx

Seemingly a Microsoft front-window, nothing useful there supporting your
rant.

The EU are idiots: the whole GPDR stupidity is having just the opposite
effect. The result is to NOT protect privacy.

None of the links you give below claim this, and in fact they mostly say
the opposite, though there is no shortage of statements that the
legislation needs to go further.

Software authors can now
implement even more data collection which requires users to discover the
change to then opt-out from new default settings that divulged them
more. Or send an e-mail that notifies of GPDR changes requiring the
user to make config changes in their account. Uh huh, like that'll have
a 100% correction effect by users.

That's not my reading of those links, though they do make it plain that
at least some companies are not really trying, and rather than beginning
with the spirit of the law and working through their system accordingly,
they're trying to obfuscate their present practices sufficiently to make
them seem compliant. We don't know how that will pan out for them
if/until they start to get fined, and by how much.

The purport of the act seems to be similar to one that has already
existed in the UK for some time, the Data Protection Act. I have
already used (the threat of invoking) this successfully to:

* Refuse a corporate parking fine of questionable legality
* Force my school to remove me from their begging lists
* Forcibly prevent a firm from sending letters to my house
addressed to its previous owners.
* Force Readers' Digest to remove me from their mailing
lists

The last must be considered the greatest victory of all - somehow they
had tracked me past several house moves across the south of England for
at least a decade after I had stopped subscribing.

https://www.infosecurity-magazine.co...-improve-data/

https://www.theregister.co.uk/2018/06/25/gdpr_fails/
Yeah, just lock out the EU visitors from your site. That'll really help
promote GPDR, uh huh. Sorry, your EU ****ed you over, so goodbye.

It's much more likely that any demotion in people's minds will be of
such sites rather than of GPDR. What they're effectively saying is: "We
don't care sh*t about your privacy!" ... Hardly a selling point.

https://digiday.com/media/everyone-b...falling-short/

In many ways the best link.

In summary, I'm sure the GDPR isn't perfect, but, over recent decades,
the economic power of the EU has tended to ensure that its safety and
similar legislation that has become the norm worldwide, so GDPR or
something very like it, hopefully an improvement on it, is likely to
become a template for other such legislation across the world. Might as
well stop ranting and get used to it.

"VanguardLH" wrote

| By the way, the EU's GPDR legislation is ****ing over a lot of software
| authors. One of the latest Windows 7 updates has only do to with
| changes mandated to be complaint with GPDR.
|

|
https://redmondmag.com/articles/2018...nce-tools.aspx

I don't get how it's a problem for software authors.
If you don't spy on your customers and store the data
then you don't have to worry. If MS were not collecting
data that's none of their business then they wouldn't
have to worry. Your link explains that they have to worry
with Win10 because they're the "data controller" who's
collecting surveillance data from customers. So the law
says they have to protect that data, they can be fined if
they don't, and customers have a right to demand that
the data be erased. Isn't that good?

And if you read the Register article you'll see the
sites blocking EU are American companies. Why should
Dick's Sporting Goods or Pottery Barn get involved if
they don't have enough EU customers to justify it?
That doesn't make the law bad. It just highlights our
lack of protection in the US.

What's worse is sites that say, "Hi! Happy to see you...
as long as you agree to this thing that signs away your
rights."

I'm periodically getting a page at npr.org that tells
me to choose between a page with a handful of
links to plain-text stories or giving them permission
to spy on me. A non-profit news outlet! Yet they
demand the right to spy. And this is an American visiting
a US site. I don't know what I'd see if I allowed
javascript. As it stands now, I only see that
page about once per week. (And of course I can't
agree, even if I wanted to, without javascript.)
The rest of the time the site works. So I'm guessing
that they're experimenting with options.

Another increasing problem is sites that put their
content in javascript, so that their pages just won't
work at all unless you allow them to use all the spy
tool javascript provides. Script, as it's used today,
fundamentally changes the nature of a webpage.
A passive publication becomes dynamic software.

(Anyone who doesn't know about that... try visiting
this site with js enabled and without:
https://panopticlick.eff.org/)

The GPDR does seem to be unnecessarily complicated,
but it provides important things like requirements to
implement good anonymization of data.

What's really needed is two things:

1) Fully opt-in for any data collection, without penalty
for opt-out.

2) Outlaw cross-site spying, like Google Tag Manager,
which allows fully ID-ing and tracking people online
and goes against the original spirit of the Internet.
(Cookies were supposed to be restricted to the site
visited.) Any effort to share surveillance of visitors
with other companies, even an advertising company,
should be illegal. Let them collect data the old-
fashioned way, by offering some kind of reward for
completing a survey.

Here's one example of only one of many ways that
Google spies on people who aren't visiting their domains:

https://www.lunametrics.com/blog/201...ng-real-users/

There needs to be public recognition that corporate
spying on people in civil society is not allowed. Period.

When and if that kind of law might happen? It
certainly doesn't look good. Wired has a very interesting
article, published recently, about how tech companies
are trying to hijack California's already modest,
proposed law:

https://www.wired.com/story/why-cali...ook-or-google/

Mayayana wrote:

I don't get how [GPDR] a problem for software authors.

It's a nuisance to them. It is a problem for the users. Authors have
to push a new version to be GDPR compliant. Users get a new version
with the defaults set to divulge their information with opt-out
settings. The GPDR does not mandate the authors default to opt-in, so
some can add more options or change old ones that require the user to
opt-out to increase their privacy.

For example, Microsoft, Avast, and many other software programs have
logistics collection sometimes called community reporting or some other
euphemism. It lets the authors know how their programs or services are
being used. Yep, you could opt-out but you were initially and covertly
opted in by default. GPDR doesn't stop authors/owners from adding even
more collection methods but it states the user must opt-in, not have to
sometime later upon discovery to opt-out.

Alas, GPDR does not require opt-in when the user has already consented.
When you open an account at a site or establish any business or
interaction with a site, you're supposed to have already read their TOS
and privacy terms. Establishing a relationship means you grant them to
contact you, which opens the door to them spamming you. There's a whole
mess going on regarding spam and GPDR. Of course, that only affects EU
citizens since the US and other countries are not part of the EU.

What's worse is sites that say, "Hi! Happy to see you...
as long as you agree to this thing that signs away your
rights."

Yep, their property (the web site), so they can dictate anything that
remains contractionally legal for them. GPDR only mandates the user be
informed although the information can be buried where most users cannot
find it or won't bother to look.

The GPDR does not ban any author (software or web) from collecting
information on you whether it be generic (they're not identifying you
but instead just collecting statistics) or specific. GPDR only requires
the user/visitor be informed. Silent or covert opt-in is not allowed by
GPDR.

I'm periodically getting a page at npr.org that tells me to choose
between a page with a handful of links to plain-text stories or
giving them permission to spy on me.

They aren't spying. They are collecting metrics on how you are using
THEIR property. They aren't spying on YOU. They are seeing how their
property is getting used. A car rental agency checking the mileage on
THEIR car upon you returning it to them is not them spying on you. It's
them checking how their property got used.

I visited npr.org with Javascript disabled (which is presumably why they
present you with non-dynamic content). As I recall, you have Javascript
disabled by default. With Javascript disabled, http://npr.org won't
take you to their https://npr.org site. In uBlock Origin, the only
domain allowed to deliver content was npr.org. In uMatrix, I block all
3rd-party content but allow all 1st party content except scripting by
default. Couldn't get the popup you mentioned.

Most sites have a Terms of Service or separate Privacy Policy page and
that makes them GPDR compliant. That users don't bother to read those
pages is their choice for not being active in protecting their privacy.

Sounds like NPR is GPDR complaint if they are showing you popups to
their text-only site. They are informing you and letting you opt-out
rather than covertly opting you in. Since they, like many sites, have
TOS or privacy policy pages, that may be all they need to be GPDR
compliant. However, you think web surfing would be convenient if every
site upon visiting them first redirected you to the TOS or Privacy
Policy page as their home page?

Of course, there is https://text.npr.org/. Have fun there. GPDR is
only protecting its EU citizenry. International web sites (those that
have a regional presence, not just that some user can reach them across
the oceans) are now creating different content based on region. For
example:

USA Today
EU site
Size: 500KB
javascript: 0
US site:
Size: 5.2MB
javascript: 124 scripts

Remember when it was a bitch visiting sites because they rendered
differently depending on which web browser you used to visit the sites
(by the way, Google is becoming the new Internet Explorer for just that
reason)? Now we're getting into the same mess with GPDR. NPR went
hardcore and has their text-only site (text.npr.org) to be GPDR
compliant; however, did you find that site as easy to navigate or read?

Not sure how you are setup to get NPR to issue prompts about using their
text-only site. If you give some clues, I can try to simulate.

Like those good old days of having to decide which web browser to use
when visiting a site depending on how you want it rendered, now we're
getting differentiation between EU and non-EU sites. Oh joy. The
Chinese already know that joy: the Great Firewall Of China.

Another increasing problem is sites that put their content in
javascript, so that their pages just won't work at all unless you
allow them to use all the spy tool javascript provides. Script, as
it's used today, fundamentally changes the nature of a webpage. A
passive publication becomes dynamic software.

Yep, their content so they decide what, if anything, you can view of
theirs. Old-timers think they are entitled to free content because
that's the way it was long ago (by the way, I'm an old-timer, too).
They can block based on IP address of the visitor. BBC has been using
that for a long time to keep non-UK visitors from seeing some content at
their site. Many sites won't present all of their content unless you
create an account with them.

None of that has anything to do with GPDR. You are complaining that
content is becoming more dynamic over an electronic venue rather than
remaining static, like books printed on paper. Nothing to do with
privacy. Just you reminiscing about the good old days of static
content.

The GPDR does seem to be unnecessarily complicated,

Actually the biggest complaint I've seen so far by site owners is that
it is too vague. That's how law works: it cannot be written for every
conceivable case but gets modified over time to adapt to what actually
happens. However, these type of "laws" or regulations often stay static
for decades.

Here's one example of only one of many ways that
Google spies on people who aren't visiting their domains:

https://www.lunametrics.com/blog/201...ng-real-users/

Ever notice how many sites no longer produce their own specialty fonts,
don't use a limited set of fonts that most of their visitors are likely
to have already available in their OS, and are using Google's fonts?
The redirection to Google's fonts lets Google track who used their
fonts, at which site, using which web browser, and when.

Programmers are taught not to rebuild the same code if they can use a
pre-built library. Same for fonts. While the fonts could be embedded
(copied) to the site, that requires further management of the server's
resources, so web devs just link to Google's fonts to get them from
there. Google isn't the only one providing fonts to sites through
redirection, so other font houses can also just as easily track who is
using their fonts from where and when; however, they are the huge data
collector of Google.

https://developers.google.com/fonts/faq

So even with you disabling Javascript and using various ad/content
blockers, you can still get tracked when a site uses someone else's font
library. Well, actually when a site utilizes anyone's resource external
to the site to which the client must connect.

I've seen this in practice. Some fonts are graphics, like arrows or
special images. Sites will use them rather than design their own image,
save in a file, and deliver from their server. Instead they use Google
Fonts to pick a charset with the cutsy image-like characters. My
pharmacy is one of those. When you visit their login page, and if
external font loading is blocked, you see weird characters and don't
know what to do on that page. With external font resources unblocked,
the goofy chars turn into arrows or other chars that make the page
understandable. This became apparent when I configured uBlock Origin to
block remote fonts. All of a sudden a lot of web pages were hard or
impossible to figure out how to use.

https://github.com/gorhill/uBlock/wi...o-remote-fonts

So just who is supposed to inform a visitor per GPDR requirements that
they may be tracked by fonts? Is the site going to interrupt your visit
with a prompt saying a 3rd party (perhaps Google if the site is using
their fonts or someone else if using other external fonts) /might/
collect information about the visitor at that site or can they not
bother at all because the one doing the actual tracking is not the site
but whomever is providing the font library used by the site?

It's not just fonts as external resources used by a site that could be
used to track. Anyone providing resources commonly employed at many
sites can do similar tracking; however, mostly likely that is them doing
metrics measuring of how their property is getting used but there is the
potential for tracking of users.

Would you bother [re]visiting a site that prompted you on every external
resource they use at their site that the external resource might collect
metrics which could possibly be used to track you? How many dozens or
hundreds of prompts would you have to get through before you could view
the site? And do that on every visit to the site?

Sites just don't realize how all those external resource they employ
could be used to track their users. Protonmail (outside US and EU
jurisdiction) uses web fonts at their site (in this case, Google's). Of
course, ProtonMail service is only to protect the content of your
e-mails, not from getting tracked by them, Google, or anyone else when
using ProtonMail's web site which is outside the scope regarding the
content of your e-mails or to whom they are delivered.

VanguardLH wrote:
Mayayana wrote:

I don't get how [GPDR] a problem for software authors.

It's a nuisance to them. It is a problem for the users. Authors have
to push a new version to be GDPR compliant.

Nope. They only have to inform the user if they were/are collecting
*personal* information (i.e. things like name, e-mail address, address,
phone number, age, sex, etc.,etc.). *If* they've been collecting such
information, it most likely includes the user's e-mail address, so they
can just send e-mail, no need for a new version of the software.

And that's exactly what's happening. I've received many such e-mails.

[...]

For example, Microsoft, Avast, and many other software programs have
logistics collection sometimes called community reporting or some other
euphemism. It lets the authors know how their programs or services are
being used. Yep, you could opt-out but you were initially and covertly
opted in by default. GPDR doesn't stop authors/owners from adding even
more collection methods but it states the user must opt-in, not have to
sometime later upon discovery to opt-out.

The GPDR is about *personal* information, not about anonymous/
anonymized statistical/usage data.

Alas, GPDR does not require opt-in when the user has already consented.

Nonsense.

When you open an account at a site or establish any business or
interaction with a site, you're supposed to have already read their TOS
and privacy terms. Establishing a relationship means you grant them to
contact you, which opens the door to them spamming you. There's a whole
mess going on regarding spam and GPDR. Of course, that only affects EU
citizens since the US and other countries are not part of the EU.

Allowing a 'relation' to *contact* you is a seperate issue. It does
*not* mean that you've implicitly given consent to their past TOS, etc..
Actually the GDPR *mandates* that - as of May 25, 2018 - the relation
must explicitly ask *again* for any and all consent. And, as I've said
above, that's exactly what they're doing. Before and after May 25,
I/everybody got many, many of such requests-for-consent.

What's worse is sites that say, "Hi! Happy to see you...
as long as you agree to this thing that signs away your
rights."

Yep, their property (the web site), so they can dictate anything that
remains contractionally legal for them. GPDR only mandates the user be
informed although the information can be buried where most users cannot
find it or won't bother to look.

Nope, the information can *not* be "buried".

The GPDR does not ban any author (software or web) from collecting
information on you whether it be generic (they're not identifying you
but instead just collecting statistics) or specific. GPDR only requires
the user/visitor be informed. Silent or covert opt-in is not allowed by
GPDR.

Correct, so why do you say/imply otherwise in your earlier text?

[Non GDPR stuff deleted.]

On 09/18/2018 08:36 PM, Stan Brown wrote:

I'm sure this How-to Geek article won't change the minds of CCleaner
lovers, but here it is:

https://www.howtogeek.com/fyi/cclean...pdating-users-
who-turned-off-automatic-updates/


That links to "Here's What You Should Use Instead of CCleaner" at

https://www.howtogeek.com/361112/her...d-use-instead-
of-ccleaner/


I like the built in Windows 10 cleaner they have now, but it's just not
comprehensive like CC. I like to flush my browsers and a few other
things now and then. And yes to keep the old version.

On Tue, 18 Sep 2018 20:36:00 -0400, Stan Brown wrote:

I'm sure this How-to Geek article won't change the minds of CCleaner
lovers, but here it is:

https://www.howtogeek.com/fyi/cclean...pdating-users-
who-turned-off-automatic-updates/

No silent updates on my end...

--
s|b

On 09/20/2018 04:14 PM, s|b wrote:
On Tue, 18 Sep 2018 20:36:00 -0400, Stan Brown wrote:

I'm sure this How-to Geek article won't change the minds of CCleaner
lovers, but here it is:

https://www.howtogeek.com/fyi/cclean...pdating-users-
who-turned-off-automatic-updates/

No silent updates on my end...

What version are you?

On Thu, 20 Sep 2018 16:57:26 -0400, Big Al wrote:

What version are you?

5.46 portable. I used Privatefirewall to block it though.

Anyway, funny thing just happened when I turned on my PC. CCleaner
apparently crashed and then Windows warned me my antivirus wasn't
active. No panic, it happens sometimes.I use Avast Free Antivirus, so I
clicked on the icon and got an option to restart the service. Didn't get
to activate it until I noticed the (broken) icon of CCleaner in systray.
I hovered over it with my mouse pointer, it disappeared and suddenly I
was able to restart Avast... And yet, somehow I don't feel that safe
anymore... :-o

--
s|b

FredW wrote:
On Thu, 20 Sep 2018 22:14:38 +0200, "s|b" wrote:
On Tue, 18 Sep 2018 20:36:00 -0400, Stan Brown wrote:

I'm sure this How-to Geek article won't change the minds of CCleaner
lovers, but here it is:

https://www.howtogeek.com/fyi/cclean...pdating-users-
who-turned-off-automatic-updates/

No silent updates on my end...


My 5.40 portable (!) tried to phone home (never done before).
It showed in my firewall (asking permission) and I blocked.
End of CCleaner for me.

Yeah, mine phoned home too.
--
Quote of the Week: "Still we live meanly, like ants;... like pygmies we
fight with cranes;... Our life is frittered away by detail. Simplify...
simplify..." --Henry Thoreau
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\Ant(Dude) @ http://antfarm.home.dhs.org / http://antfarm.ma.cx
/ /\ /\ \ Please nuke ANT if replying by e-mail privately. If credit-
| |o o| | ing, then please kindly use Ant nickname and URL/link.
\ _ /
( )

Stan Brown

https://www.howtogeek.com/fyi/cclean...matic-updates/
That links to "Here's What You Should Use Instead of CCleaner" at
https://www.howtogeek.com/361112/her...d-of-ccleaner/

I'm late to the party, so I read this first:
https://www.howtogeek.com/fyi/ccleaner-is-silently-updating-users-who-turned-off-automatic-updates/
Which said:
- Even if users opt out of automatic updates, they're happening anyway
- Piriform is "gathering anonymized information about the user"
- The way to tell is to check the version number
- I just checked mine, which is not portable, which is "v5.39.6399"
- The article says it happens at and after version 5.46
- Privacy settings revert to the default, which sends usage data

The original forum thread discusses earlier versions having the problem,
but the summary article fixes the problem at 5.46 and above.