Recently, a joint investigation by PCMag and Motherboard revealed something deeply concerning about Avast, a free antivirus used by hundreds of millions of people. A report released on Monday revealed that the company has been selling sensitive browsing data to several large corporations. The report cites company documents, leaked user data, and contracts to expose highly sensitive data sales that in most cases were supposed to remain confidential.
The sales originate from a subsidiary of Avast known as Jumpshot. Documents obtained by PCMag and Motherboard show the process which the user’s data goes through, from being collected by the antivirus program, to being sold to various different companies. The program collects many different kinds of data from the user’s computer, ranging from location to browsing history and other various kinds of data. Jumpshot then takes that data and sells it in different “packages” to other companies. Clients of Jumpshot have included big names such as Google, Microsoft, TurboTax, Pepsi, Home Depot, and many others. The most concerning of the “packages” is known as “All Clicks Feed,” an incredibly detailed data set which tracks all clicks, movement across websites, and user behaviour, which clients of Jumpshot have paid millions for. The data being sold doesn’t include personal data, however, it includes alarmingly specific browsing data which could theoretically be used to de-anonymize users.
Although users do technically have to give consent for this collection, many users reported they were not aware that this data was being collected, raising concerns about how informed users are about what they are granting consent to. An anonymous source placed emphasis on just how specific the collected data is, claiming it shows devices and timestamps for all the information provided.
In October, a security researcher known as Wladimir Palant published a blog post detailing how Avast used it’s browser extension to harvest data from users. Soon after, many large browsers removed Avast’s extenstion. Avast then released a statement in which they claimed to have stopped sending data which was harvested by their extension to Jumpshot.
However, newly obtained documents, as well as the anonymous source indicate that Avast didn’t stop data collection. Instead of using the browser extension, they began using the downloaded software, which is used by millions of people worldwide.
Avast has defended themselves, releasing this statement: “Because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details, from people using our popular free antivirus software. Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020.”
Since the investigation report was released, Avast announced on Thursday that they will be stopping all Jumpshot data collection effective immediately. This is yet to be verified.