Avast Is Selling Your Data

When we install an antivirus software, we do so to protect our personal computers and the data on them. Now imagine a situation where this exact software is the culprit. You don’t have to use your imagination much more because according to a Motherboard and PCMag investigation, a free antivirus repackages and sells sensitive browsing data through a subsidiary.

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR. 

Examples of personal data

• a name and surname;
• a home address;
• an email address such as name.surname@company.com;
• an identification card number;
• location data (for example the location data function on a mobile phone)*;
• an Internet Protocol (IP) address;
• a cookie ID*;
• the advertising identifier of your phone;
• data held by a hospital or doctor could be a symbol that uniquely identifies a person.

What is Avast?

Avast, a free antivirus software provider with millions of users worldwide, reportedly sells highly sensitive data through a subsidiary company called Jumpshot. The antivirus allegedly tracks users’ clicks and movements across the web. It also collects data on things such as Google searches, Google Maps, visits to LinkedIn pages, and YouTube videos. This collected data is then sold by Jumpshot to the likes of Google, Yelp, Microsoft, Pepsi, Home Depot and many other widely recognizable names.

According to their own claims, Avast has over 435 million active users per month. It collects data from these users and provides that to Jumpshot, which reportedly has data from around 100 million devices. Although this process is opt-in, multiple Avast users have told Motherboard they were unaware of these data collection and selling practices by the antivirus software provider.

Based on this revelation, officials in the Czech Republic have launched an investigation into Avast. Although the company is based in the Czech Republic, it is also widely used worldwide. Ivana Janu, president of the Czech office for protection stated: “There is a suspicion of a serious and extensive breach of the protection of users’ personal data”.

A spokeswoman for Avast said the company does not provide Jumpshot with “personal identification information” including name, email addresses and contact details.

Avast Responds to Concerns About Selling User Data

De-anonymizing that data would be difficult, experts said, but not impossible. Jumpshot is said to offer multiple feeds, with an "All Clicks Feed" offering detailed information about the websites Avast users visited, when they visited them and on what device they viewed them. Companies could use these detailed records alongside their own datasets to identify supposedly anonymous individuals. 

However, in a statement sent to Tom's Hardware, an Avast spokesperson insisted that Jumpshot doesn't gather "personal identification information, including name, email address or contact details."

"Users always could opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020," the spokesperson continued.

"We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products."

The Avast rep also told us that as of December, Avast is "compliant with browser extension requirements for our online security extensions" and doesn't use any data from browser extensions "for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot."

Yet, the practice hasn't been perfectly transparent. The amount of information gathered by Avast for Jumpshot was previously unknown, as was the list of companies looking to purchase that much data about consumers. 

Avast did start offering more information about the data it collects when people install its antivirus solution recently, though. A dialogue box says, "If you allow it, we'll provide our subsidiary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history to enable Jumpshot to analyze markets and business trends and gather other valuable insights."

But it's not hard to imagine people agreeing to that request without understanding what it means. Who hasn't clicked "OK" or "Yes" in response to a dialogue box they haven't read or don't fully understand? We suspect many people don't correlate "a stripped and de-identified data set derived from your browsing history" with the "search term they entered into the porn site and which specific video they watched."

Mere days after the investigation, Avast bought back 35 percent stake in Jumpshot worth $61 million and shut down the subsidiary.

Such practices do not align with our values at VPN Surf and you should be happy to know that due to our strict no-log policy, we do not collect any browsing information of our users.