Your antivirus software may or may not protect you as much as you’d expect, but it is slowly becoming a threat to your privacy for sure. A recent investigative report by Motherboard and PCMag has blown the cover on Avast’s unethical data harvesting practices.
The report reveals that a subsidiary of the company, Jumpshot, sells extensive data packages to various clients including Google, Microsoft, IBM, Pepsi, Home Depot, and more.
The data is collected from devices that have the Avast Antivirus program and related services installed on them, including the Avast Secure Browser. This data is highly specific, including one’s browser searches, website visits, map locations, the specific timestamp of each visit, and even one’s activities on adult websites, sometimes including the specific keywords they searched for and the videos they watched.
The raw data is then sold to companies for high prices on a contract basis in “packages”. Jumpshot seems to provide several packages consisting of different kinds and combinations of data to suit its clients’ needs. One such package that caught the attention of the investigators is the All Clicks Feed.
The All Clicks Feed is a package that gives the client a list of all the clicks made by users on a given domain, e.g., Amazon.com. Along with a list of clicks on a website, the inferred age and gender of each individual are provided, along with all the URLs they visited on said domain.
Opting into the Jumpshot Panel
While the collection of such vast user data is a cause for concern in and of itself, Avast claims to have done things according to protocol. And on the surface, it might even seem true.
Avast claims that users have always been free to disable data sharing, or “opt-out” of it, so to speak. However, this claim must be taken with a grain of salt as it seems many users weren’t aware of their data being collected to such a degree in the first place.
When questioned, Avast added that permission to collect data has been explicitly obtained from all new users as of July 2019; they are given a slightly more transparent picture of the matter, based on which they can grant or revoke permission for their data to be collected. Avast also claims that all older users are being notified about the permissions and has quoted February 2020 as the deadline for the completion of this process.
Despite these claims, when users of the antivirus were approached by PCMag regarding the same, many were unaware of such a thing happening and couldn’t recall being asked for permission for any sort of data collection.
De-identified data: a hoax?
When one grants Avast permission to track their activity, a unique device ID is generated for that particular device. All data collected from that device is then stored under that device’s ID in the database, and Avast provides the data to Jumpshot after redacting Personally Identifiable Information (PII).
Here is another loophole in Avast’s adherence to protocol. While the data provided from Avast’s end is anonymous, this anonymity is only superficial, as the identity of the user can be found out through cross-referencing other databases. This is possible due to the high specificity of the data, as mentioned above.
Thus, de-identified data, in the end, doesn’t do much to protect the user’s privacy.
Avast was caught in a similar scandal not too long ago, due to its browser extension. A report in December 2019 criticized it for collecting more data than necessary from a user’s online activities. Many browsers took down the extension from their stores soon after the incident, including Chrome Web Browser.
Avast is a Czech cybersecurity firm with an estimated 435 million users worldwide. Out of these, it is believed that around 100 million were affected by Avast’s data harvesting scheme. To make matters worse, Avast seems to maintain a lukewarm stance on the issue, despite the large-scale breach of user trust.
Incidents of collecting and selling data by large cybersecurity and tech firms have become a burning issue in recent times and have come to be criticized by politicians, advocates for human rights, and citizens alike. Data privacy is considered to be a fundamental right in many jurisdictions, including the EU.