When we install an antivirus software, we do so to protect our personal computers and the data on them. Now imagine a situation where this exact software is the culprit. You don’t have to use your imagination much more because according to a Motherboard and PCMag investigation, a free antivirus repackages and sells sensitive browsing data through a subsidiary.
What is Avast?
Avast, a free antivirus software provider with millions of users worldwide, reportedly sells highly sensitive data through a subsidiary company called Jumpshot. The antivirus allegedly tracks users’ clicks and movements across the web. It also collects data on things such as Google searches, Google Maps, visits to LinkedIn pages, and YouTube videos. This collected data is then sold by Jumpshot to the likes of Google, Yelp, Microsoft, Pepsi, Home Depot and many other widely recognizable names.
According to their own claims, Avast has over 435 million active users per month. It collects data from these users and provides that to Jumpshot, which reportedly has data from around 100 million devices. Although this process is opt-in, multiple Avast users have told Motherboard they were unaware of these data collection and selling practices by the antivirus software provider.
Based on this revelation, officials in the Czech Republic have launched an investigation into Avast. Although the company is based in the Czech Republic, it is also widely used worldwide. Ivana Janu, president of the Czech office for protection stated: “There is a suspicion of a serious and extensive breach of the protection of users’ personal data”.
A spokeswoman for Avast said the company does not provide Jumpshot with “personal identification information” including name, email addresses and contact details.
Avast Responds to Concerns About Selling User Data
De-anonymizing that data would be difficult, experts said, but not impossible. Jumpshot is said to offer multiple feeds, with an "All Clicks Feed" offering detailed information about the websites Avast users visited, when they visited them and on what device they viewed them. Companies could use these detailed records alongside their own datasets to identify supposedly anonymous individuals.
However, in a statement sent to Tom's Hardware, an Avast spokesperson insisted that Jumpshot doesn't gather "personal identification information, including name, email address or contact details."
"Users always could opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020," the spokesperson continued.
"We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products."
The Avast rep also told us that as of December, Avast is "compliant with browser extension requirements for our online security extensions" and doesn't use any data from browser extensions "for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot."
Yet, the practice hasn't been perfectly transparent. The amount of information gathered by Avast for Jumpshot was previously unknown, as was the list of companies looking to purchase that much data about consumers.
Avast did start offering more information about the data it collects when people install its antivirus solution recently, though. A dialogue box says, "If you allow it, we'll provide our subsidiary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history to enable Jumpshot to analyze markets and business trends and gather other valuable insights."
But it's not hard to imagine people agreeing to that request without understanding what it means. Who hasn't clicked "OK" or "Yes" in response to a dialogue box they haven't read or don't fully understand? We suspect many people don't correlate "a stripped and de-identified data set derived from your browsing history" with the "search term they entered into the porn site and which specific video they watched."
Mere days after the investigation, Avast bought back 35 percent stake in Jumpshot worth $61 million and shut down the subsidiary.
Such practices do not align with our values at VPN Surf and you should be happy to know that due to our strict no-log policy, we do not collect any browsing information of our users.
Do you value your privacy online?
Use VPN Surf and surf safely and securely in the open waters of the internet.