Avast has evidently been harvesting user data through opt-ins that don't tell its antivirus users the complete story. If you believed your antivirus protected you from malware, it turns out it did that at the cost of sharing your entire online existence with buyers, including the likes of Google, Pepsi, and Home Depot.
A Motherboard and PCMag investigation has revealed that documents from Jumpshot, an Avast subsidiary, "shine new light on the secretive sale and supply chain of peoples' internet browsing histories." Avast's antivirus program has been collecting data from its users, which is then repackaged by Jumpshot into different products sold to some of the biggest companies in the world.
Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called "All Clicks Feed," which can track user behavior, clicks, and movement across websites in highly precise detail.
Other clients mentioned in documents include Unilever, Nestle Purina, Kimberly-Clark, IBM, and GfK.
This isn't the first time that Avast has come under fire for its secretive data hoarding and sharing practices. The company was found using its browser extensions to harvest user data. Upon discovery by a security researcher, Mozilla, Opera, and Google removed Avast's and its subsidiary AVG's extensions from their extension stores.
In response, Avast said it will stop sending browsing data collected through these extensions to Jumpshot.
However, it appears the company didn't have to rely on those extensions to keep Jumpshot's business alive. Jumpshot claims to its clients that it has data from 100 million devices. Avast claims to have over 435 million active monthly users.
While Avast says it collects that data through opt-ins, multiple users of its antivirus program were unaware of what they were agreeing to, which raises the question of how open Avast was with its users about this practice. It is unclear when these opt-ins started, but several users noticed notifications asking antivirus users to opt back into data collection. This new opt-in message reads:
"If you allow it, we'll provide our subsidiary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history for the purpose of enabling Jumpshot to analyze markets and business trends and gather other valuable insights."
Multiple users said they did not know the antivirus maker was selling their browsing data.
"If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot," an internal product document revealed. The collected data includes, but isn't limited to:
- URLs visited, in what order and when
- Google searches
- Lookups of locations and GPS coordinates on Google Maps
- People visiting companies' LinkedIn pages
- YouTube videos
- Videos users are watching on Facebook and Instagram
- People visiting porn websites
"It is possible to determine from the collected data what date and time the anonymized user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched," Motherboard reported.
While Avast says this data is anonymized and doesn't include personal information, it contains such a wide range of data that experts believe deanonymizing some of the affected users would not be impossible.
How much Avast is being paid by its clients for this data
In one instance, a marketing firm called Omnicom Media Group paid Jumpshot $2,075,000 for data access in 2019, with contracts revealing payments of $2,225,000 and $2,275,000 for 2020 and 2021, respectively. Avast users from over 14 different countries, including the US, UK, Australia, and Canada, had their data shared with this New York-based company.
In response to this investigation, Avast has sent the following statement (emphasis is ours):
Because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details, from people using our popular free antivirus software.
Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020.
We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data.
[Update, January 29]: In a statement to Wccftech, a Sephora spokesperson has said that it isn't a client of Avast. As a reminder, the leaked documents also revealed "potential" clients, and Sephora probably falls into that category.
“Sephora is not a client and has not worked with Avast/Jumpshot.”