Avast Responds to Concerns About Selling User Data

(Image credit: Chursina Viktoriia/Shutterstock)

Avast is well-known for its free-to-use antivirus software. Yesterday, reports from Motherboard and PCMag provided more details on something the vendor is less known for: selling browsing data of its antivirus' users via a subsidiary called Jumpshot.

The reports indicated that Jumpshot sold information about Avast users to a number of companies, including IBM, Intuit, L'Oréal and Home Depot; however, several of those companies, along with others named in documents shared with Motherboard and PCMag, denied working with Jumpshot. 

According to Motherboard, the shared information included "Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos and people visiting porn websites."

"It is possible to determine from the collected data what date and time the anonymized user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched," Motherboard said. 

The information was said to have been stripped of personally identifiable information, such as users' names, but experts fear certain activities could be de-anonymized by combining the data sold by Jumpshot with other datasets. This could violate the privacy of people who might not have realized their data was being sold.

De-anonymizing that data would be difficult, experts said, but not impossible. Jumpshot is said to offer multiple feeds, with an "All Clicks Feed" offering detailed information about the websites Avast users visited, when they visited them and on what device they viewed them. Companies could potentially use these detailed records alongside their own datasets to identify supposedly anonymous individuals.

However, in a statement sent to Tom's Hardware, an Avast spokesperson insisted that Jumpshot doesn't gather "personal identification information, including name, email address or contact details."

"Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020," the spokesperson the spokesperson continued.

"We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products."

This data collection wasn't exactly hidden from Avast users, however, because the company disclosed the fact that its Jumpshot subsidiary uses some of its user data in a 2015 blog post.  

The Avast rep also told us that as of December, Avast is "compliant with browser extension requirements for our online security extensions" and doesn't use any data from browser extensions "for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot."

Yet, the practice hasn't been perfectly transparent. The amount of information gathered by Avast for Jumpshot was previously unknown, for example, as was the list of companies looking to purchase that much data about consumers.

Avast did start offering more information about the data it collects when people install its antivirus solution recently, though. A dialogue box currently says that "If you allow it, we'll provide our subsidiary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history for the purposes of enabling Jumpshot to analyze markets and business trends and gather other valuable insights."

But it's not hard to imagine people agreeing to that request without understanding what it means. Who hasn't clicked "OK" or "Yes" in response to a dialogue box they haven't read or don't fully understand? We suspect many people don't correlate "a stripped and de-identified data set derived from your browsing history" with the "search term they entered into the porn site and which specific video they watched."

And this opt-in data sharing isn't the only way Avast provided information to Jumpshot. The company saw criticism in October 2019 for collecting user data via browser extensions; those extensions were removed from the add-on stores operated by Google, Mozilla and Opera for their respective browsers in response.

More than 435 million people a month reportedly use Avast's antivirus software, and Jumpshot claims to have access to information from 100 million devices, according to Motherboard. 

The problem here wasn't the lack of disclosure on Avast's parts, with the exception of the data collected by its browser extensions, because it did say in 2015 that it would collect that data. It also informed users their information could be collected, and gave them a chance to opt out. The problem is that many people looking for a free antivirus solution probably don't understand exactly what they're sharing. 

This criticism applies to many companies. People have become increasingly aware of the tech industry's reliance on near-constant surveillance of their users, but it's still a subject about which few people are adequately educated. Avast isn't much different from many other companies--but does that mean the status quo is acceptable? Or that a blog post from half a decade ago and some corporate speak is enough info?

That's something people will have to decide for themselves. In the meantime, Avast users should double-check their settings in the interim.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Dark Lord of Tech
    cmYw6vLeIYUView: https://www.youtube.com/watch?v=cmYw6vLeIYU
  • 13thmonkey
    I would swear profusely, but i'd have to ban myself... Haven't used avast for a decade though.
  • NightHawkRMX
    In some cases, a security breach may have a smaller amount of data compromised than things like this.
  • JamesSneed
    I'm glad I never used their products and now I know that i never will.
  • And I bet they all do it
  • JamesSneed
    Mandark said:
    And I bet they all do it

    I would guess the free virus scanners you are probably right but then nothing is free so it's expected. With the paid subscriptions I would bet it's rare. Symantec for example states they do not sell any personal information.
  • 13thmonkey
    Thinking about it (and having just gone through my 4th GDPR course in 2 years), I think that they are on very dodgy ground, unless you actively agree to the usage of data for named purposes they can't use it, they would have to ask do you agree to us selling your browsing history, I don't think that they can bury it in T&C's. You should be able to ask for a DSAR and request the data that they hold on, anonymisation is not enough if it can be reconstructed, and the penalty is a maximum fine of 4% of turnover. Breaches are normally thought of in terms of data exposure but this also qualifies.
  • Math Geek
    always remember if it's free, then you are the product!!

    but even the paid services also collect and sell the same info. they love to state "we do not collect and sell personal info" but look at what they consider "personal info" if they even bother to define it at all.

    they play the word game and say personal info is your name and email. but everything else since it is supposed to be anonymous is fair game. so you pay them and then they still collect and sell your usage data for the extra cash anyway.....

    the EU has a good start on laws governing this hidden word play collection but in the end it's still doing very little to stop these games
  • kenjitamura
    Math Geek said:
    always remember if it's free, then you are the product!!

    This statement is false as open source software rarely implements data collection practices with the obvious exception being Chromium as Google has spent a massive amount of time burying tracking code into the source that's difficult to identify and remove.
  • NightHawkRMX
    kenjitamura said:
    open source software rarely implements data collection practices
    Maybe not as common, but definitely there are some instances of data collection in open-source software.