Avast is in hot water again: subsidiary sells browsing data
The past couple of months have not been good for Avast. The company has faced a wave of criticism ever since some of its business practices came to light. Wladimir Palant kicked it all off with a detailed analysis of Avast's browser extensions.
He discovered that the extensions transmitted browsing history information to Avast that went beyond the data needed to provide the security the product promised. Among the data was the full URL of any page visited, the page title, the referrer (the site the user came from), as well as every link on search result pages.
Palant concluded back then that the over-collecting of data was not an oversight but deliberate. Mozilla and Google removed Avast and AVG extensions from their respective web stores as a consequence. Avast updated its extensions and they are now available again.
A joint investigation by Vice and PC Magazine looked deeper into Avast's business practices surrounding collected user data. According to the investigation, Avast subsidiary Jumpshot gets data from Avast antivirus installations on user devices, processes it, and sells the processed data to companies.
One product, called All Clicks Feed, would provide companies (customers include large corporations such as Google, Microsoft, Pepsi, Home Depot, or McKinsey) with information on user behavior, clicks, and activity across visited websites in great detail.
The data is anonymized according to Avast, which means that personally identifiable information such as a user's IP address or email address is removed from the data before it is sold.
While that looks good on paper, methods exist to de-anonymize data. A data package may include a device ID, which means that it is easy enough to look up the browsing history of a particular device. It includes date and time, and information about the visited site as well.
Companies that purchase the data can also use other data sources to identify individual users. Imagine Google or Amazon using date, time and URL information to cross-check with user activity on their sites.
If the full URL is provided in a data package, it could also be easy to identify users depending on activity. Visits to a personal homepage, Twitter replies, uploads to YouTube, or any other activity that may be linked to accounts would provide third parties with information on the actual user.
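The exposure described above can be measured on an export before it is shared. The following Python audit is an added example, not code from Avast, Jumpshot or the reports; the sample records, the host list and all function names are constructed assumptions. It counts how many records become attributable through a shared device ID, then shows the effect of reducing each URL to scheme and host.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample export: (device_id, timestamp, full URL).
# IP and e-mail address are already removed, as the vendor describes.
RECORDS = [
    ("dev-a1", "2020-01-10 09:14:02", "https://twitter.com/example_user/status/111"),
    ("dev-a1", "2020-01-10 09:20:41", "https://www.example-clinic.test/appointments?dept=cardiology"),
    ("dev-a1", "2020-01-10 21:03:17", "https://shop.example.test/cart"),
    ("dev-b2", "2020-01-11 08:00:00", "https://news.example.test/article/42"),
    ("dev-b2", "2020-01-11 08:05:30", "https://twitter.com/search?q=avast"),
    ("dev-c3", "2020-01-12 12:30:00", "https://github.com/example-dev/project"),
]

# Assumption for this example: on these hosts the first path segment names an account.
ACCOUNT_PATH_HOSTS = {"twitter.com", "github.com"}
NON_ACCOUNT_SEGMENTS = {"search", "home", "explore", "login"}

def account_hint(url):
    """Return 'host/segment' if the URL path points at an account page, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    segments = [s for s in parts.path.split("/") if s]
    if host in ACCOUNT_PATH_HOSTS and segments and segments[0] not in NON_ACCOUNT_SEGMENTS:
        return f"{host}/{segments[0]}"
    return None

def audit(records):
    """Count records that become attributable because they share a device ID
    with at least one account-bearing URL."""
    hints, per_device = defaultdict(set), defaultdict(int)
    for device_id, _timestamp, url in records:
        per_device[device_id] += 1
        hint = account_hint(url)
        if hint:
            hints[device_id].add(hint)
    return {"linkable_devices": sorted(hints),
            "exposed_records": sum(per_device[d] for d in hints),
            "total_records": len(records)}

def minimise(records):
    """Mitigation: keep scheme and host only, dropping path and query string.
    The device ID and timestamp remain, so timing correlation is not addressed."""
    out = []
    for device_id, timestamp, url in records:
        parts = urlsplit(url)
        out.append((device_id, timestamp, f"{parts.scheme}://{parts.hostname}/"))
    return out
```

On the constructed sample, a single account-bearing URL per device is enough to make every other record from that device attributable, including the clinic visit.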
According to the reports by PC Magazine and Vice, Avast stopped using data for "any other purpose than the core security engine". PC Magazine notes that Avast's Jumpshot division can still obtain data through Avast's main antivirus applications (including those by AVG). Both antivirus solutions include a Web Shield component designed to check visited URLs to ensure that they are not a security risk (e.g. phishing sites).