A joint investigation by Vice Motherboard and PCMag found that Avast antivirus collects and trades user data. Confidential information is resold to giants such as Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit and many, many others.
Jumpshot is a subsidiary of Avast, which offers its customers access to user traffic from 100,000,000 devices, including computers and smaptphones.The findings of the researchers are based on an analysis of leaks, contracts, and other company documents. Journalists emphasize that such transactions between companies are usually extremely confidential, and company employees are generally instructed not to speak publicly about relationships with the Jumpshot.
Customers are willing to pay millions of dollars for user data, and Jumpshot products, such as All Clicks Feed, allow tracking users’ activity to the point of clicking on a specific domain. For example, Jumpshot data can clearly show how an Avast antivirus user searched for a product on Google, clicked on a link to Amazon, and then maybe added the product to the cart on another site before finally buying it”, – say the journalists.
Other Jumpshot products, for example, are designed to track which videos users watch on YouTube, Facebook, and Instagram, or to analyze specific e-commerce domains to help marketers understand how users get to them.
One of the companies that used the All Clicks Feed tool is Omnicom Media Group, a New York-based marketing firm. According to Jumpshot documentation, only in 2019 Omnicom paid Jumpshot $2,075,000 for data access.
For the first time privacy issues in Avast products were discussed in December last year. That time Mozilla received a warning from AdBlock Plus developer Vladimir Palant.
In the fall of 2019, he studied the work of Avast Online Security and AVG Online Security, and found that add-ons for Firefox collect much more data than is necessary for their work, including a detailed browser history. Palant then posted another blog post about the similar behavior of Avast SafePrice and AVG SafePrice. As a result, all extensions were removed from the official extension catalog for Firefox, and soon the developers of Opera and Google followed the example of Mozilla engineers, excluding Avast and a subsidiary AVG from their directories.
Next, Avast representatives assured that the aforementioned Avast Online Security simply needed to collect a history of URLs to provide users with security, because the add-on is designed to protect against phishing and malicious sites. It was emphasized that data collection is carried out without user identification, therefore, all data is anonymized.
As Vice Motherboard and PCMag now say, the user data collected by Avast is so detailed that customers can even “see” the individual clicks that users make during sessions, accurate to the millisecond.
It also collects information about search queries on Google, search for locations and GPS coordinates on Google Maps, data of visits to companies’ pages on LinkedIn and specific videos on YouTube, as well as information about visits to porn sites. For example, you can determine the date and time when the anonymous user visited YouPorn and PornHub, and in some cases, even find out what exactly he searched there and what he looked in the end”, – say on Vice Motherboard and PCMag.
And although the data collected is not really associated with a person’s name, email address or IP address, therefore, it is de jure impersonal, each user is still assigned a unique ID called a device identifier, which remains until the user deletes Avast antivirus product from your device.
Information security experts assure that having such detailed information as Jumpshot provides to their clients, it will be very easy for client companies to compare this data with information from other sources, finally creating a detailed profile of a specific person. According to experts and journalists, it is unlikely in this case to speak correctly about the anonymity of the data collected.
Perhaps Jumpshot does not identify people in its data. Perhaps this is just a list of hashed user IDs and some URLs. But it can always be combined with the data of other marketers, other advertisers, which will lead to the real identity of the user”, – says IS specialist Gunes Acar.
After last year’s scandal over browser extensions, Avast representatives claimed that they have stopped collecting and transmitting user data to Jumpshot, but now journalists say that the collection of information continues. Now Avast does not collect data using browser add-ons, but using the antivirus itself.
According to internal documents, Avast started asking users of free antivirus solutions permission to collect data last week. The documentation says that if the user gives A consent, his device will become part of the Jumpshot Panel, that is, he will merge information about all the Internet activity of the browser, including data about which URLs were visited from the device, in what order and at what exactly time.
Vice Motherboard and PCMag turned to Avast for official comments, but they did not answer most of the journalists’ questions.
We guarantee that Jumpshot does not receive personal identification information, including the names, email addresses or contact details of people who use our popular free antivirus software”, – said Avast representatives.
The company only emphasized that they comply with the laws, take the balance between user privacy and necessary use of data very seriously, and also provide users with the opportunity to refuse from collect data in favor of Jumpshot.
The choice of antivirus should be taken responsibly: the situation with Avast and the recent hacking of Mitsubishi Electric through a vulnerability in the Trend Micro security product confirm this. Appreciate the reputation of antivirus software.