Maxthon CEO answered some questions about Exatel's report on the collection of user data via UEIP

  • If you want to understand what is going on and what we are talking about here, you need to know at least something about the Maxthon browser, the Exatel report and Maxthon's official reaction. If you need more information, you can find links to the original English and Polish articles in the Russian publications here.

Jeff Chen, Maxthon CEO, answered some questions about the Exatel report


What's up, guys? I have good news for you! Not as good as you would want, but not as bad as what we have had in the last months. Jeff Chen, CEO and founder of Maxthon, replied in a topic about Opera Sync users' passwords. I don't agree that Opera really "lost" third-party site passwords: they disclosed that some Opera Sync users' passwords were involved, they immediately reset those passwords, and they wrote about it. That's why I think Opera acted decently. I wrote this to Jeff and asked: "If I write about why your comment on privacy does not fit with the Exatel report and with your stories about how Maxthon keeps user data, will you answer?" He said he would be happy to answer all questions. And... he really did answer, within a few hours. That was fast: after the Exatel report he took almost a week to write an official response. So there is reason to think these answers are quite honest.

1. UEIP and too much user data


UEIP is a usual practice. For example, developers need to know which settings I changed in order to make the default settings friendlier for new users. That's OK, but:
  • It must be voluntary. But users had (or still have) no choice. Is that OK?
  • Maxthon has collected too much user data since 2007. And they did not notice this?
By the way, Maxthon has known that its browser collects data from all its users (the UEIP choice does not matter) since at least January 2016:
There are two types of User Experience Improvement Program data:
  • Data collected when the user chooses to participate in UEIP.
  • Data collected regardless of whether users chose to participate in UEIP or not: here, when users choose not to join UEIP, we will not collect sensitive data. We will only collect some basic data such as browser start conditions and not data that involves the user's privacy.
If I voluntarily participate in Maxthon's UEIP, MX will collect all information about me. But if I do not participate in UEIP, MX will still collect the information that other companies collect in their UEIP. Is this fair to Maxthon users?

Jeff's reply:
We already admitted it's caused by a hidden bug. But a bug that existed in 2007 does not mean it's triggered all the time. If it were triggered all the time, it would have been fixed a long time ago. It's only triggered under certain situations, like some software configuration or network configuration. Since we don't have the machine Exatel used for the test, we cannot do deeper tests. What we did was fix the bug and disable UEIP for the time being.
But:
Exatel wrote about three computers in their network. That is one network, but three different computers with different configurations. And I doubt that Exatel's security experts used the same computers to test Maxthon without UEIP. So were Exatel just very lucky to catch the "hidden bug"?

2. UEIP and the "bug from 2007"?


MX3 was released in 2010, MX4 in 2012. When Exatel published their report, Jeff Chen said that this was because of a "bug in your 2007 code library". 2007? Is that MX2, or still MX? MX had this "bug" and the developers did not notice it? How is that possible?

OK. But just imagine: you need some information (how your users use your browser) and you start UEIP. You use it for 9 years. And in all these years you don't notice that this is not the information you need. How is that possible? Either you know about it (and all your comments are just an attempt to hide your true intentions), or you don't need this information. So why do you collect it?

Jeff's reply:
As above.

3. UEIP and the list of my software


Why does the Maxthon Team need the list of my software? Almost none of your users can understand this today, but I can, because I read Maxthon's official answer (not about the Exatel report; from before all these scandals):
User Experience Improvement Program (UEIP)
Users who choose to participate will send the following data to us:
  • System Information: Hardware and OS information, etc.
  • Product Usage: Which button is clicked most and what feature is used most, etc.
  • Product Settings: Provide information to improve default settings
  • Error and Crash Data: What error has happened and how many times this error has happened, etc.
The UEIP only collects information about Maxthon products and services. But since some other software might also affect the usage of our products and services (software conflicts, security flaws, etc.), we might also collect information about them.
Might... May... But Maxthon collected this information regularly and very often (users wrote about 7 times in 20 minutes). Once again, Maxthon has known about this since at least January 2016. Is that OK? If someone answers "Yes. All browsers do it, because all browsers have to know the reasons for crashes", think about this: other browsers collect this information only after crashes! Is my software so important to the MX developers? Is this fair to MX users? I can believe that MX really needs the list of my software to fix some problems. But even if MX did not intend anything bad, they have chosen the wrong path. MX may collect specific information about my system, but only if I have problems with your browser. Not every few minutes!

Jeff's reply:
Believe me, we do not need it to be sent so often, which would cause a DDoS attack on our servers. It's caused by the bug, not by design.
But:
I thought about this. Under the new Russian law, all providers and operators must keep records of all calls and all messages for six months. And they cannot do this. But a little Chinese company can! It sounds strange...

4. Browsing history cannot be "cloud security" at work


Exatel wrote that MX sends my browsing history to your server in China. Jeff Chen replied: "They found a list of visited websites because of the cloud security scanner module". So I have only two questions about this:
  • Why does MX not check every website every time, but all websites from time to time? How does "cloud security" work? Because this is really a miracle! I open a website once and the browser has to check it immediately. But Maxthon doesn't do that; Maxthon checks many websites every few minutes. Does MX know which website I will open in 5 minutes? Or does MX check already opened websites after 5 minutes, so this "security" is useless?
  • If this is really Cloud Security, why is this information located in the UEIP data?

Jeff's reply:
It does not need to check every time, if you know about CACHE. It's not part of the UEIP data, it's just sent together to save some bandwidth.
But:
OK. I wanted to say: "But Exatel wrote about a list. Does that mean they opened these sites for the first time, if MX sent this data as a list?". But yes: Exatel used a clean Maxthon. So they really did open these sites in this browser for the first time. Does that mean that if you use Maxthon for a few days, MX will not send all your history? I don't know. Someone has to test it! But Exatel wrote about a list! OK, after a few days the browser will remember visited websites and will not check them again. But how does this "cloud security" work the first time? Was this a list of previously visited sites (and Cloud Security is useless) or of new sites that I will open in a few minutes (and MX can know the future)?
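Several of the points above (the upload frequency in section 3, the "list" of sites in section 4) come down to what someone with a test machine can actually verify: how often the browser uploads, to which host, and which fields each upload carries. The script below is an added example, not code from this page, from Exatel's report or from Maxthon. It summarises a constructed proxy log of outbound POSTs. The log line format, the host names and the JSON field names (`visited`, `installed`) are assumptions made for the illustration; the real UEIP payload format is not described on this page.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound POSTs as a local intercepting proxy might log
# them: "<timestamp> <method> <host> <path> <json body>". The host names and
# the field names are assumptions for this example, not the real UEIP format.
SAMPLE_LOG = """\
2016-07-14T10:00:03Z POST telemetry.example.invalid /upload {"browser_start": 1, "visited": ["a.example", "b.example"]}
2016-07-14T10:03:11Z POST telemetry.example.invalid /upload {"visited": ["c.example"], "installed": ["Firefox", "7-Zip"]}
2016-07-14T10:05:58Z POST telemetry.example.invalid /upload {"visited": ["d.example"]}
2016-07-14T10:09:02Z POST telemetry.example.invalid /upload {"installed": ["Firefox", "7-Zip"]}
2016-07-14T10:12:40Z POST telemetry.example.invalid /upload {"visited": ["e.example"]}
2016-07-14T10:15:07Z POST telemetry.example.invalid /upload {"crash": 0}
2016-07-14T10:19:30Z POST telemetry.example.invalid /upload {"visited": ["f.example"], "installed": ["Firefox"]}
2016-07-14T10:20:00Z POST updates.example.invalid /check {"version": "4.4.8"}
"""

# Field names we treat as privacy-relevant (assumed for the example).
SENSITIVE_KEYS = ("visited", "installed")


def parse_log(text):
    """Return one record per non-empty line: (timestamp, host, path, payload)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps the JSON body (which contains spaces) in one piece
        ts, _method, host, path, body = line.split(" ", 4)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((when, host, path, json.loads(body)))
    return records


def uploads_by_host(records):
    """Group (timestamp, payload) pairs per destination host, sorted by time."""
    by_host = defaultdict(list)
    for when, host, _path, payload in records:
        by_host[host].append((when, payload))
    for uploads in by_host.values():
        uploads.sort(key=lambda item: item[0])
    return by_host


def summarize(text, max_interval_s=600, sensitive_keys=SENSITIVE_KEYS):
    """Per host: upload count, median gap between uploads in seconds, the
    sensitive fields seen, and a flag when sensitive fields are uploaded on a
    short periodic schedule (median gap below max_interval_s)."""
    summary = {}
    for host, uploads in uploads_by_host(parse_log(text)).items():
        times = [when for when, _ in uploads]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        seen = sorted({k for _, payload in uploads
                       for k in payload if k in sensitive_keys})
        median_gap = statistics.median(gaps) if gaps else None
        summary[host] = {
            "uploads": len(uploads),
            "median_interval_s": median_gap,
            "sensitive_keys": seen,
            "flag": bool(seen) and median_gap is not None
                    and median_gap < max_interval_s,
        }
    return summary


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```

On the constructed sample the telemetry host is flagged: seven uploads in twenty minutes with a median gap of about three minutes, carrying both a visited-site list and an installed-software list, while the update check host is not. Run against a real capture, the same three numbers (count, interval, fields) are what settles the "only after crashes" and "only on first visit" questions either way.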

5. Browsing history in UEIP data cannot be cloud sync


These are not the words of a Maxthon representative; this is what Maxthon users think: "MX sends data to China because of sync. It's OK". But that cannot be true. Exatel wrote about UEIP only. UEIP and Sync are totally different things. Sync cannot work via UEIP. So all information in the UEIP data is a UEIP issue only!

It cannot be cloud sync, because Exatel wrote about three computers. But:
  • As Karl Mattson wrote, "MX encrypts all user data, then this encrypted data is cryptographically 'hashed' and distributed to different servers".
  • As Jeff Chen wrote after the Exatel report, "We are a truly international company with servers located in the U.S., EU, and Asia".
  • As Jeff Chen told PCWorld, "Maxthon was originally a Chinese company, and incorporated in Beijing. But the company is now based in San Francisco, with a San Francisco-based server, and your data does not enter China".
So how is this possible? Maxthon forgot about one server in China, and 3 of 3 random Exatel computers in Poland divided the user data into many pieces and sent those pieces to random MX servers. And it was the one server in China, the one MX had forgotten about. A fantastic coincidence!

So the browsing history in the UEIP data cannot be cloud sync and cannot be cloud security. What is it, if not spying?

Jeff's reply:
  • We do use a server located in China to receive UEIP data for easier access by the technical team. I don't think there's anything wrong with it.
  • Exatel talked about UEIP, but not all the data they talked about is UEIP related; some belongs to UEIP, some does not. We have our own way to organize/encrypt the data.
But:
In your interview about MX5 for PCWorld you said that "MX servers are located in San Francisco" and "user data does not enter China". Now you say that you have a server in China and use it for UEIP. If you think there is nothing wrong with that... OK. But you are wrong!

6. This is not the first scandal around Maxthon


Do you remember the scandal over cheating on the HTML5 test? Back then Maxthon said it was a developer mistake: they had not finished, but the code was already in the released version. Do you remember the rumors of a permanent connection to Baidu (confirmed rumors)? Maxthon said that was because of a bug in Quick Access. Too often Maxthon tells us about a cool browser, how few problems we have with your browser and how few leaks they have made. But every time MX has "problems", MX calls it just a "bug". It's not the developers' fault, it's a bug. But why did they not see it, and why did they not fix this "bug" before someone wrote about it?! Do we have any reason to trust a developer who cannot find and cannot fix such a serious bug for so many years, who either cannot do it or just hides it?

Jeff's reply:
Tell me which company can fix "all bugs" before a third party finds them? It's all about how you look at all the issues. If you look at the history of Google, Facebook, IBM, Microsoft or any company with a long history, they have had much more serious issues. But they are good at making it look good; that's why PR services are expensive. All people in our team are just normal people; they are not perfect, and people do make mistakes. We do need to learn how to handle mistakes in a better way.

And the last one...

7. What about Search.mxaddon?


What is this? Where is any official answer? Not just "we need it to fix some problems with Google", because that does not sound like the truth.

MX added Search.mxaddon with no explanation. What did MX users think about it? An undeletable built-in extension that prevents you from changing the default search engine is a virus! And what about MX partners such as Yandex? Were they happy when MX broke the ability to use their search as the default? I am talking about earlier versions of Search.mxaddon. That was in MX 4.4.x times.

Then MX added the ability to remove built-in extensions. Cool. But where is that ability now? In MX5 we cannot delete Search.mxaddon; we can still only turn it off or hide it from the extensions page. And we still don't know what it is, what this extension does and why MX needs it. I said "MX" because MX users don't believe that we need it anymore.

Jeff's reply:
Search.mxaddon is used to correct some issues with search engines (especially Google CSE), like fine-tuning the page layout when it serves too many ads. We cannot talk too much about it because of the agreement we have with Google. We could have done it silently but wanted to give users a choice; that's why we used an addon to do it.
But:
This is not an answer. This is just a statement of the problem and "we cannot talk about this".


That's enough... Maybe we will continue later.
We really like your browser. But now you are doing everything to make us leave you.

Jeff's reply:
Back to the topic of this thread. Opera did leak millions of passwords to hackers, which caused REAL damage to its users. They have good PR to handle it. Maxthon has some bugs and has caused NO damage to its users for 13 years, and has bad PR. Which one do you prefer?

That's all...