Joint Investigation by Publications Vice motherboard and PCMag, found that Avast antivirus collects user data, which is then resold to giants such as Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many, many others.
Avast's Data Selling Division is a subsidiary of Jumpshot, which offers its customers access to user traffic from 100,000,000 devices, including computers and telephones.
The findings of the researchers are based on an analysis of leaks, contracts, and other company documents. Journalists emphasize that such transactions between companies are usually extremely confidential, and company employees are generally instructed not to speak publicly about Jumpshot relationships.
Customers are willing to pay millions of dollars for user data, and Jumpshot products, such as All Clicks Feed, allow you to track user activity to the point of clicking on a specific domain. For example, Jumpshot data can clearly show how an Avast antivirus user searched for a product on Google, clicked on a link to Amazon, and then maybe added the product to the cart on another site before finally buying it.
Other Jumpshot products, for example, are designed to track which videos users watch on YouTube, Facebook, and Instagram, or to analyze specific e-commerce domains to help marketers understand how users get to them.
One of the companies that used the All Clicks Feed tool is Omnicom Media Group, a New York-based marketing firm. According to Jumpshot documentation, Omnicom paid Jumpshot $ 2,075,000 for data access only in 2019.
Let me remind you that for the first time they talked about privacy issues in Avast products in December last year. Then the Mozilla organization received a warning from AdBlock Plus developer Vladimir Palant. In the fall of 2019, he studied the work of Avast Online Security and AVG Online Security, and found that add-ons for Firefox collect much more data than is necessary for their work, including a detailed browser history. Palant then posted another blog post about the similar behavior of Avast SafePrice and AVG SafePrice. As a result, all extensions were removed from the official extension catalog for Firefox, and soon the developers of Opera and Google followed the example of Mozilla engineers, also excluding Avast and a subsidiary AVG from their directories.
Then Avast representatives assured that the aforementioned Avast Online Security simply needed to collect a history of URLs to provide users with security, because the addon is designed to protect against phishing and malicious sites. It was emphasized that data collection is carried out without user identification, that is, all data is anonymized.
As Vice Motherboard and PCMag now say, the user data collected by Avast is so detailed that customers can even “see” the individual clicks that users make during sessions, accurate to the millisecond. It also collects information about search queries on Google, search for locations and GPS coordinates on Google Maps, data on visits to company pages on LinkedIn and specific videos on YouTube, as well as information about visits to porn sites. For example, you can determine the date and time when the anonymous user visited YouPorn and PornHub, and in some cases, even find out what exactly he searched there and what he looked in the end.
And although the data collected is not really associated with a person’s name, his email address or IP address, that is, they are de jure impersonal, each user is still assigned a unique ID called a device identifier, which remains until the user deletes Avast antivirus product from your device.
Information security experts assure that having such detailed information as Jumpshot provides to their clients, it will be very easy for client companies to compare these exhaustive data with information from other sources, as a result of creating a detailed profile of a specific person. According to experts and journalists, it is unlikely in this case to speak correctly about the anonymity of the data collected.
“Perhaps the data themselves (Jumpshot) do not identify people. Perhaps this is just a list of hashed user IDs and some URLs. But it can always be combined with the data of other marketers, other advertisers, which, in essence, will lead to the real identity of the user, ”says IB specialist Ganes Acar (Gunes Acar).
After last year’s scandal over browser extensions, Avast representatives claimed that they had stopped collecting and transmitting Jumpshot user data, but now journalists say that the collection of information continues. It’s just that now Avast does not collect data using browser add-ons, but using the antivirus itself.
According to internal documents, Avast started asking users of free antivirus solutions permission to collect data last week. The documentation says that if the user gives his consent, his device will become part of the Jumpshot Panel, that is, he will merge information about all the Internet activity of the browser, including data about which URLs were visited from the device, in what order and when exactly.
Vice Motherboard and PCMag turned to Avast for official comment, but they did not answer most of the journalists' questions. The company only emphasized that they comply with the laws and provide users with the opportunity to refuse to collect data in favor of Jumpshot. An official Avast statement also states:
“We guarantee that Jumpshot does not receive personal identification information, including the names, email addresses or contact details of people who use our popular free antivirus software. <...> "We have extensive experience in protecting user devices and data from malware, and we take all the seriousness and responsibility to ensure a balance between user privacy and the necessary use of data."