Avast is well-known for its free-to-use antivirus software. Yesterday, reports from Motherboard and PCMag provided more details on something the vendor is less known for: selling browsing data of its antivirus' users via a subsidiary called Jumpshot.
The reports indicated that Jumpshot sold information about Avast users to a number of companies, including IBM, Intuit, L'Oréal and Home Depot; however, several of those companies, along with others named in documents shared with Motherboard and PCMag, denied working with Jumpshot.
According to Motherboard, the shared information included "Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos and people visiting porn websites."
"It is possible to determine from the collected data what date and time the anonymized user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched," Motherboard said.
The information was said to have been stripped of personally identifiable information, such as users' names, but experts fear certain activities could be de-anonymized by combining the data sold by Jumpshot with other datasets. This could violate the privacy of people who might not have realized their data was being sold.
De-anonymizing that data would be difficult, experts said, but not impossible. Jumpshot is said to offer multiple feeds, with an "All Clicks Feed" offering detailed information about the websites Avast users visited, when they visited them and on what device they viewed them. Companies could potentially use these detailed records alongside their own datasets to identify supposedly anonymous individuals.
However, in a statement sent to Tom's Hardware, an Avast spokesperson insisted that Jumpshot doesn't gather "personal identification information, including name, email address or contact details."
"Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020," the spokesperson the spokesperson continued.
"We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products."
This data collection wasn't exactly hidden from Avast users, however, because the company disclosed the fact that its Jumpshot subsidiary uses some of its user data in a 2015 blog post.
The Avast rep also told us that as of December, Avast is "compliant with browser extension requirements for our online security extensions" and doesn't use any data from browser extensions "for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot."
Yet, the practice hasn't been perfectly transparent. The amount of information gathered by Avast for Jumpshot was previously unknown, for example, as was the list of companies looking to purchase that much data about consumers.
Avast did start offering more information about the data it collects when people install its antivirus solution recently, though. A dialogue box currently says that "If you allow it, we'll provide our subsidiary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history for the purposes of enabling Jumpshot to analyze markets and business trends and gather other valuable insights."
But it's not hard to imagine people agreeing to that request without understanding what it means. Who hasn't clicked "OK" or "Yes" in response to a dialogue box they haven't read or don't fully understand? We suspect many people don't correlate "a stripped and de-identified data set derived from your browsing history" with the "search term they entered into the porn site and which specific video they watched."
And this opt-in data sharing isn't the only way Avast provided information to Jumpshot. The company saw criticism in October 2019 for collecting user data via browser extensions; those extensions were removed from the add-on stores operated by Google, Mozilla and Opera for their respective browsers in response.
More than 435 million people a month reportedly use Avast's antivirus software, and Jumpshot claims to have access to information from 100 million devices, according to Motherboard.
The problem here wasn't the lack of disclosure on Avast's parts, with the exception of the data collected by its browser extensions, because it did say in 2015 that it would collect that data. It also informed users their information could be collected, and gave them a chance to opt out. The problem is that many people looking for a free antivirus solution probably don't understand exactly what they're sharing.
This criticism applies to many companies. People have become increasingly aware of the tech industry's reliance on near-constant surveillance of their users, but it's still a subject about which few people are adequately educated. Avast isn't much different from many other companies--but does that mean the status quo is acceptable? Or that a blog post from half a decade ago and some corporate speak is enough info?
That's something people will have to decide for themselves. In the meantime, Avast users should double-check their settings in the interim.