Analyzed Software

The CCleaner installer collects 21 SMBIOS hardware identifiers, system specs, and behavioral telemetry. A Shepherd configuration request containing tracking identifiers fires before the user consents. All data goes to analytics.avcdn.net. No Google Analytics or third-party sharing, but the hardware fingerprinting is aggressive — reading serial numbers from motherboard, CPU, RAM, disks, battery, and power supply.

The Avast installer is significantly more aggressive than CCleaner (same parent). It integrates Google Analytics with a hardcoded API secret in plaintext, performs IP geolocation before consent, fires 5+ pre-consent network requests, and once installed deploys kernel-level DNS-over-HTTPS interception and deep packet inspection across 17 protocol handlers. The FTC fined Avast $16.5M in 2024 for selling 8+ petabytes of browsing data through its Jumpshot subsidiary.

Articulate Storyline 360 is a desktop eLearning authoring tool used by approximately 120,000 customers worldwide. Our binary analysis of 83 .NET assemblies reveals significant privacy concerns: the application globally bypasses SSL/TLS certificate validation (returning true for all certificates), enabling man-in-the-middle interception of all HTTPS traffic. Analytics data is sent to Raygun and Gainsight using hardcoded API keys with no user consent mechanism found in the code. A universal PBKDF2 salt hardcoded across all installations means LRS (Learning Record Store) credentials — which protect learner PII including names, scores, and completion records — are decryptable by anyone with access to the encrypted file. OAuth refresh tokens are exposed to embedded JavaScript via the CefSharp browser, and the AI panel can be redirected via a registry key to exfiltrate all course content, quiz answers, and authentication tokens. No in-application privacy policy or data collection disclosure was found.