According to an investigative study done by Vice and PC Mag, Avast has been harvesting and selling data to large corporations like Google, Microsoft, Intuit and many more.
The study reveals that “An Avast Subsidiary sells ‘every search, every click, every buy, on every site.’ Its clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey.”
Avast offers a large selection of free and paid-for antivirus and security tools to hundreds of thousands of users each month on Macs, PCs and mobile devices.
These offerings are meant to keep user data safe from harm, which is what makes this discovery controversial for many.
The investigation further revealed the information collected by Avast included Google searches, location look-ups, GPS coordinates from Google Maps, LinkedIn pages, and YouTube Video Listings.
It even recorded porn site visits that were ‘anonymized’ but still included the date and time the user visited the site as well as the search terms used and what was viewed.
Even though Avast makes efforts to anonymize the data, some experts have claimed that the extremely specific browsing data could be used to figure out the identities of users over time.
Patterns, habits, and similarities could tie the data to users.
Many users claimed that they were not fully aware of the amount of browsing data being collected and sold by Avast.
The subsidiary, Jumpshot, claims it has data from 100 million devices, and the investigation further claims that Jumpshot repackages data from Avast into a number of different package options.
Included in these packages is an “All Clicks Feed” option in which clients are able to track a user’s behavior and movement across websites.
The investigation revealed that these clients paid millions of dollars to be able to track this data with the “All Clicks Feed.”
Clients who used this package include Google, Yelp, Microsoft, and Pepsi.
Until recently, the data was collected using Avast’s browser plugin, which warns the user about suspicious and malicious websites.
Wladimir Palant, security researcher and Adblock Plus creator, revealed in October that the plugin was used to harvest data.
This discovery prompted Mozilla, Opera, and Google to remove access to Avast’s extensions.
In a statement by Avast, they claimed they had stopped providing browsing data collected by the extensions to Jumpshot.
A source close to the investigation, along with leaked documents, revealed that Avast is in fact still harvesting data, but via the antivirus software itself rather than the browser plugins.
Just within the last week, a leaked internal document revealed that Avast is asking users to opt-in to data collection through their free antivirus tool.
A text from the internal handbook states: “If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot.”
The data collected would reveal what URLs a user visited and in what order.
The harvesting and selling of user data is a very lucrative income stream for Avast.
Documents revealed through the investigation show that one marketing firm paid over $2 million for data access in 2019 alone.
The data provided an “Insight Feed” for 20 domains from 14 countries around the world.
Details included in the data were inferred gender of users, browsing behavior, age, entire URL strings with personally identifiable information removed, and more.
Generally, device IDs are “hashed” to prevent identification of users by clients who purchase the data, but as a device ID does not change for a user unless they completely reinstall Avast tools, a large body of data on one user could build up over time, leading to possible identification.
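The linkage risk described above, as an added example that is not from the investigation or from Avast's code: it assumes device IDs are pseudonymized with an unsalted SHA-256 and compares that with a pseudonym derived per time window via HMAC, measuring how much browsing history ends up tied to a single identifier. The hash choice, key, window length, function names and sample events are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample events: (device_id, day_index, url). Not real data.
EVENTS = [
    ("device-A", 0, "https://maps.example/?q=home"),
    ("device-A", 1, "https://jobs.example/profile/123"),
    ("device-A", 9, "https://shop.example/cart"),
    ("device-A", 16, "https://video.example/watch?v=1"),
    ("device-B", 0, "https://news.example/"),
    ("device-B", 8, "https://shop.example/cart"),
]

ROTATION_KEY = b"constructed-demo-key"  # assumption: secret kept by the collector
WINDOW_DAYS = 7                         # assumption: pseudonym lifetime


def stable_pseudonym(device_id, day):
    """Unsalted hash of a persistent ID: same output for the device's lifetime."""
    return hashlib.sha256(device_id.encode()).hexdigest()[:16]


def rotating_pseudonym(device_id, day):
    """HMAC over ID plus time window: output changes every WINDOW_DAYS."""
    window = day // WINDOW_DAYS
    msg = f"{device_id}|{window}".encode()
    return hmac.new(ROTATION_KEY, msg, hashlib.sha256).hexdigest()[:16]


def build_profiles(events, pseudonymize):
    """Group URLs by pseudonym, as any recipient of the feed could."""
    profiles = defaultdict(list)
    for device_id, day, url in events:
        profiles[pseudonymize(device_id, day)].append(url)
    return dict(profiles)


def largest_profile(events, pseudonymize):
    """Size of the longest browsing history tied to one pseudonym."""
    return max(len(urls) for urls in build_profiles(events, pseudonymize).values())


if __name__ == "__main__":
    print("stable hash   :", largest_profile(EVENTS, stable_pseudonym))
    print("weekly rotated:", largest_profile(EVENTS, rotating_pseudonym))
```

Rotation only limits how much history accumulates under one identifier; it does not remove identifying detail carried in the URLs themselves.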
Avast responded to the investigation by stating that “because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address, or contact details, from people using our popular free antivirus software.” They also mention that users had the ability to opt out of sharing data, and that it had started “implementing an explicit opt-in choice for all new downloads of our AV” as of July 2019, with all existing free users prompted to make a choice by February 2020.
Avast defended itself by insisting that it complies with the California Consumer Privacy Act and Europe’s GDPR across its entire global user base.
“We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data,” the statement continued.
Many users are wary of their data being harvested and sold in this way, which will surely lead to them looking for other services, and that could have a very negative impact on this sector of Avast.
Only time will tell what will come of this now that the cat is out of the bag, so to speak.