- Avast is accused of common spyware and user data collection acts through one of its subsidiaries.
- The data was supposedly anonymized, but a persistent product ID makes the identification of the user possible.
- Tech giants and online marketers queued to buy access to this extremely detailed and granular data.
According to the results of a joint investigation conducted by Motherboard and PCMag, Avast was collecting user browsing data and sold it to third-parties such as marketers and advertisers. The antivirus company reportedly exploited its position to make an extra profit from its customers and did so without asking for their specific consent or caring to inform them of the details. In fact, when the first revelations about its browser extension being spyware came to light, the company told the press to relax as all of the collected data was anonymized.
As revealed by the aforementioned investigation, Avast was actually using one of its subsidiaries named “Jumpshot” to sell the collected data. In this company’s service offering, we see promises about “incredibly detailed clickstream data from 100 million global online shoppers”. The data that is collected is so granular, that those who bought access to the trove were able to monitor the shoppers' click by click. As for the question of how anonymous this data is, there are no names, emails, or IP addresses. However, there’s a device ID that is persistent and corresponds to individual Avast AV product installations. To reset this identifier, one would have to re-install the product.
Using this identifier, any platform out there can figure out who is who after purchasing on Amazon or a couple of Google searches. With the anonymity lifted, and because the ID never resets, Avast products basically act as spyware. Some of the companies that bought access to this data include Google, Microsoft, Trip Advisor, Yelp, Pepsi, Conde Nast, The Home Depot, and McKinsey & Company. Besides the browsing data that the above accessed, the investigators claim to have accessed GPS coordinates, points on Google Maps, LinkedIn profile visits, porn website visits, what search terms the user entered there, and which specific video they watched.
Jumpshot was using different products to collect data in different ways. Some specialized in keyword searches, others on sensitive topics, and others on media consumption. In the end, the data harvester managed to track every bit of move the Avast user made. Upon installing Avast Free Antivirus, the user is requested to agree to data collection and sharing, but the terms there clearly state that all data will be de-identified. Another detail which isn’t mentioned is that Jumpshot keeps that data for three years, combines it with other information about you, and won’t stop monitoring your every move.
Avast has stepped into a PR catastrophe with this story, as they have irreversibly lost the trust of their userbase with what they have done. Sure, free anti-virus products are free for a reason, but going on the opposite side of the field by pushing spyware is unacceptable. If you’re looking for a great free antivirus product that you can trust, Bitdefender’s offering is one that stands out from the crowd.