Avast has been fined by the FTC for using its privacy software to harvest and sell user data
The U.S. Federal Trade Commission has found Avast guilty of using its privacy apps to harvest and sell user data. The company is also banned from selling or licensing browsing data for advertising purposes.
This isn't the first time Avast has been caught committing such an offense. You may recall a similar issue in 2020, when Motherboard (Vice) and PCMag began a joint investigation into claims that Avast had been using its subsidiary company, Jumpshot, to spy on users. The report said that Avast's security products tracked user behavior, clicks and activity across the web. The user data collected through this process was then sold to more than 100 third-party companies, including Google, Microsoft, Pepsi, Home Depot and McKinsey. This led to Jumpshot being shut down.
The company, based in the U.K. and the Czech Republic, offers various digital products and services. Besides its in-house antivirus, Avast also owns AVG, Avira, and Norton. It also owns CCleaner, a browser called Avast Secure Browser, and extensions for Firefox and Chrome. It even has multiple VPN services, such as Avast SecureLine VPN and HMA (formerly HideMyAss!).
FTC accuses Avast of failing to anonymize user data
Avast had claimed that it anonymized user data to protect users' privacy. But the FTC has accused the company of failing to do so. It says that Avast unfairly collected users' browsing data through its browser extensions and antivirus software and stored it indefinitely on its servers, i.e. data harvesting. The FTC also complained that Avast had sold consumers' data without notice to or consent from the user.
The complaint goes on to explain that Avast had promised to protect users' privacy by blocking third-party trackers, but had failed to inform consumers that it would collect, store, and sell the data to third parties. The anonymization algorithm used by Avast failed to remove personally identifiable information, which meant that the data still contained unique identifiers such as the web browser and the device the user used, the websites they visited, precise timestamps, and the city, state and country where the user was located. The FTC alleged that the software also tracked users' web searches, revealing their religious beliefs, health concerns, political leanings, location, financial status, etc.
The FTC has proposed an order which prohibits Avast from selling browsing data to third parties for advertising purposes. The company will also be required to obtain affirmative express consent from consumers before it can sell or license data from non-Avast products to other companies. Avast will also need to delete the web browsing data that was transferred to Jumpshot. It will also need to notify users whose browsing data was sold to third parties without their permission. The FTC wants Avast to implement a comprehensive privacy program that addresses the issues highlighted in the complaint.
Avast has been fined $16.5 million, but that is not a huge amount, as the cybersecurity firm rakes in a couple of hundred million dollars per year as profit. PR Newswire quotes Avast's operating profit in the first half of 2022 at $172.6m. So the fine is merely a slap on the wrist. You can read the FTC's press release here.
Avast's spokesperson, Jess Monney, released a statement to The Verge saying that "We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world."
It's a shame that Avast has fallen so low: what once was a stellar antivirus is now little more than a shiny piece of advertising masquerading as security software.
Proprietary software = bad. Who knew? LOL!
The article headline reads, quote: “Avast has been fined by the FTC for using its privacy software to harvest and sell user data”.
So is the FTC going to fine Microsoft next? Because selling user data is exactly what Microsoft does. The Windows operating system is merely a conduit to harvesting user data to analyze it and subsequently to bombard users with ads. Why is this permitted while Avast is taken to the cleaners by the FTC?
Don’t get me wrong, I’m no fan of Avast and I don’t use their security products, but I fail to understand why Microsoft, which is a much larger concern, is permitted to exploit users to the best of their ability with virtually no redress by the individuals who use the Windows OS, yet the FTC ignores their plight and just goes after much smaller fish. It doesn’t make sense.
FWIW, a lot of this crap can be blocked by using an old laptop (from ebay or whatever) and installing Debian linux and then PiHole on top. Give the laptop a static IP address and then point your computers, TVs, game consoles to use the IP address of your laptop as the dns provider. For example, if your dns is set to automatic (your ISP), change instead to the IP address of your laptop running PiHole). Think of it as a network-wide police officer. It can block a crapton of advertising and also block telemetry for things like the Playstation network. Cheap and easy.
* Get a $5-15 Raspberry Pi Zero and a Micro-USB to Ethernet dongle.
* Install Pi-Hole/Ad Guard on it.
* Hook it up to your router and set that as the main DNS.
* ???
* Profit.
It’s better having nothing to hide inside the computer. Just a brief thought in the morning, of course. I only use uBlock Origin in Firefox and Edge, and plain Chrome for official sites when everything fails.
For whom may be interested, a handy tool to easily set/change the OS’s DNS provider (x86 & x64, Windows XP to 11) is ‘DNS Jumper’ [https://www.sordum.org/7952/dns-jumper-v2-3/] which you can also access via a command-line followed by the DNS provider(s) IP(s). Makes it a breeze. I include in DNSCrypt-proxy’s batch files, should I wish to stop or start after stop, a command-line to ‘DNS Jumper’ in order to be sure DNS provider is not incorrectly set (if you use an application which is tied to the DNS provider and vice-versa, and stop that application, DNS provider must follow, of course).
Hope that’s clear enough, lol.
You can check out my review of DNS Jumper here: https://www.ghacks.net/2015/06/28/dns-jumper-2-0-gets-better-automation-options/
Bit dated, but still useful.
@Martin, useful indeed. Latest versions of ‘DNS Jumper’ have brought their lot of improvements but the basis remains the same and GHacks’ article is the way to go to discover the application. You’d be surprised (no flattery, truth only) by the amount of software, software description, software analysis and criticism when applicable, I’ve discovered on Ghacks over the many years (greater than a decade by now). I regularly read, return to the now amazing number of provided articles : it’s becoming a technological encyclopedia :) Ghacks’ Search feature is definitely a power tool.
I am sorry you are used to Avast, I am sure they have enjoyed harvesting your information on the daily. It’s sad really but the best course of action in this case is to remove Avast from your computer and no longer reward them with your data and also payments. They take your money and then sell you out behind your back and make additional money on that data. If that does not paint a grim enough picture for you then I do not know what does.
Essentially they are the virus/trojan funneling your information from your computer whilst pretending to be your friend.
This is extremely poor conduct.
This is not a situation where the term “Better the devil you know” is applicable.
Whilst it is difficult to trust vendors at this point your trust has been broken and you are aware of it and it is in your best interests to react accordingly.
We should not be rewarding this kind of conduct by being complacent.
I used Avast in the past. Everyone makes mistakes. Avast used to be good. If you’re using Windows 10 or 11, you do not need anything else other than Windows Defender and some basic computer security knowledge.
Seems like every company is under the trance that user data must be collected and sold. This is why I stick to open-source software; they usually are more transparent. If not, then I firewall the b*&^% from phoning home.
Ban Google Chrome too, it is closed source and it is collecting data like crazy
Why are our governments doing nothing to stop data sharing? Where are the jail sentences?
p.s. I note I can’t post without agreeing to Ghack’s “privacy” policy…
Cuz they buy the data, like pretty much everybody else.
If you think I’m joking. https://techcrunch.com/2024/01/26/national-security-agency-americans-internet-browsing-records-warrantless/
They let ISPs sell data. Couldn’t be more transparent that the government is in on it too.
Yeah, about that… What’s weird is that some companies are allowed to sell users’ data, and some aren’t. I was thinking about just this example (with broadband providers in relation to this particular case) the other day. Not sure why the system works that way.
The real problem is the fine is a pittance compared to what Avast earns in data harvesting/selling. That means the fine will be paid and nothing will substantially/essentially change. Avast will continue violating privacy rights and selling data.
These days it’s best to assume that all closed source software is doing this. Hell, a certain web browser that starts with an E has been caught *three* freaking times in the last year gathering data that it should not be and sending it to the vendor. That just means there are probably five more ways we don’t know about yet.
We protect your privacy except when it comes to us. Collecting and selling personal data seems to have become habitual for these companies. They all claim to protect you, but not really.
“Avast also owns AVG, Avira, and Norton…” – Disturbing.
“sold to more than 100 third-party companies including Google, Microsoft, Pepsi, Home Depot, McKinsey…” – Even more disturbing.
Greed totally took hold and is acting like a drug.
People who buy illegal drugs are also to blame, not only drug dealers.
> “People who buy illegal drugs are also to blame, not only drug dealers.”
Except that when you think you’re buying Virginia tobacco and you find out later it’s Mid-East grass, you’re not to blame.
Yes, you are right… After posting my comment I thought about something like that, as users sometimes may agree (even without knowing it) to allow no privacy at all.
Quit smoking 20 years ago but still remember good Virginia tobacco in my pipe ;)
@gtz, pipe smoker as well, but I never betrayed :) Cavendish has always been my favorite, Davidoff’s ‘Royal’ blend as well, though I smoke most of the time cheaper blends ; like wine, the best occasionally, otherwise an everyday honest blend …. :)
I think my favorites circled around Mac Baren’s… I had to stop because age and Aikido don’t go well with tobacco…Now a good wine is always welcome!
I wonder now what kind of ads uBlock will have to block as I had to do a search to help me remember my fav. brand kkk.
Concerning privacy (of course) and overall usage in Linux Firefox 123 as deb is a game changer (with some basic tweaks).
It’s sad to see Avast going this way. I started using it in its early beta versions and even got some feedback from Pavel by e-mail! Good old times from the web…
Privacy software that sells the data collected that should be protected with passion. So hilarious that I am expecting some upcoming offers to promote all Avast employees to be future high workers of Google as soon as possible! Just can’t stop laughing! So proud of these geniuses! :D
AVAST seems to be, if not rotten, seriously compromised indeed.
What is dramatic in a way is that if you cannot trust a security application when it splits security and privacy to the point of reversing the latter for their profit, who can you trust?!
I use DNSCrypt-proxy for encrypting dns requests, which includes IP and domain blocklists.
A major DNSCrypt-proxy dedicated domain blocklist is ‘DNSCrypt mybase’ [https://download.dnscrypt.info/blacklists/domains/mybase.txt] which I use with several others.
If you search for occurrences of avast in this only ‘DNSCrypt mybase’ list (updated 2024-02-26-09:44) you’ll find :
avast : 46 matches
avast. : 23 matches
.avast : 23 matches
.avast. : 18 matches
Which is quite relevant of problematic avast servers, for the least. And this concerns only occurrences of ‘avast’, so imagine the list of all Avast servers within other domains …
I’ve never used Avast products, fortunately as it seems. For those who do, I guess they know after reading this article the logical conclusion: close your Avast account and go searching for serious security and privacy solutions.
First: These DNSCrypt-proxy blacklists could be a real alternative to some Manifest 3 adblockers, unless DNSCrypt-proxy uses the Windows hosts file too.
Second: I suspect that a lot of Antivirus software makers are doing the same thing. Blocking Avast telemetry, even if it requires disabling the self-protection module, should be an alternative to just quitting the product. Everything in life is a tradeoff: security vs convenience/functionality. Internet security is not an exception.
@Boris Faktorovich, relying only on a browser’s defenses (built-in and extension(s) i.e. uBlock Origin) even together with a privacy/security system-wide software, does not fill all that dedicated blacklists can provide, especially if the latter are editable (i.e. DNSCrypt-proxy can include user’s choice of dedicated blacklists available on the Web as its owns).
Also, I’ve read that Windows 10/11 could block the famous Windows’ HOSTS file (or some of its entries) which has been the workaround for many of us to redirect urls to 127.0.0.1
So indeed, IMO, there’s nothing like having a hand on power should it be together with the ‘autopilot’ approach inherent to software protection.
Generally speaking, my feeling based on what I read from “basic” users’ comments on the Web, is that an increasing number of them seem to rely on their browser’s protections as if they thought all of Internet traffic was controlled by the browser. Of course, as mentioned above, system-wide and browser-specific defenses are meant to be complementary.
Be noted : I mentioned DNSCrypt-proxy blacklists but be it clear that these blocklists are intended/written for DNSCrypt-proxy : don’t use them i.e. in a Windows’s HOSTS file :) I know, sounds obvious, but beginners need information to be clear.
I disabled Windows tracking with O&OShutup and DoNotSpy11. I tried pinging addresses in host files, and they are not responding. Addresses in the host file also cannot be opened in browsers (especially in Edge, which I am still using until Manifest v3). I hope Windows does not have some backdoor for its own telemetry. And of course, like you said, I use an ad blocker in all browsers for other tracking files. The only weakness in my setup is that I had to disable the Avast self-protection module. I’d rather have additional risk than be tracked by my antivirus.
I am still hesitant to use DNSCrypt-proxy. From ad blocking, I learned the hard way that some tracking addresses need whitelisting to make some popular websites function properly. I do not see whitelist items in your filters.
Thank you for mentioning that I should not mix host and DNSCrypt-proxy filters.
I see you recommend redirecting host filters to 127.0.0.1. I redirect them to 0.0.0.0. From what I read, 0.0.0.0 creates less internal traffic, as 127.0.0.1 tends to loop while 0.0.0.0 returns an error. I could be wrong.
Also, the most important question. Is DNSCrypt-proxy measurably slowing DNS lookup? I am ok with 10%-20% slowdown in DNS lookup. Also, I read that it can conflict (prevents DNS lookup) with some proxy web servers like Cloudflare.
@boris,
You confirm that using the Windows HOSTS file on new Windows versions (10/11 I guess) is problematic.
DNSCrypt-proxy, besides encrypting DNS requests, has indeed as I mentioned above, a powerful blacklist feature, but not only : a user-input whitelist is provided. Both black and white lists handle domain and IPs.
I haven’t recommended redirecting hosts filters (those in Windows’ HOSTS file, not pertinent to DNSCrypt-proxy) to 127.0.0.1, though that is (was) the most common approach : when it comes to the HOSTS file, indeed as you state it, 0.0.0.0 is faster, better. Concerning DNScrypt-proxy, the user sets (in a configuration file called ‘dnscrypt-proxy.toml’) the IP:port he wishes DNScrypt-proxy to listen to. It handles IPv4 as IPv6, and if you’re using IPv4 then you’ll set — by default, configurable — the ‘listen to’ to 127.0.0.1:53 or 0.0.0.0:53, the latter listening to all IPv4 addresses.
That’s the basis, but there’s much more to it. You really need to read [https://github.com/DNSCrypt/dnscrypt-proxy/wiki]. I’m not a pro as you know, yet I manage to handle DNScrypt-proxy correctly, so it’s not a tough application.
> “Is DNSCrypt-proxy measurably slowing DNS lookup?”.
Not in my experience. It depends on several factors.
1- It’s up to the user to set the DNS resolvers he wishes DNScrypt-proxy to use: server geographical distance interferes, though slightly in my experience. We’re talking about milliseconds, and if you choose resolvers at least on the same continent as your device, it can go from 10ms to ~40ms: you don’t notice it! Here in France, if I choose a DNS resolver say in Australia, delay might be ~100ms … so small remains abstract considerations in a way!
2- DNScrypt-proxy handles several encrypting protocols: DNScrypt (its own) and DoH. An option reserved to the DNScrypt protocol is the ‘Anonymized DNS’ feature [https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-DNS]: “prevents servers from learning anything about client IP addresses, by using intermediate relays dedicated to forwarding encrypted DNS data”. I mention this because using this feature via dedicated servers adds of course another few milliseconds but, again, in my experience, not noticeable.
To summarize, DNScrypt-proxy encrypts DNS requests, may as well anonymize encrypted DNS requests, and offers lists: black, white, and several others (see the wikis). It handles IPv4 and IPv6, and has per-platform releases. No setup: releases need only to be unzipped, the user sets the config, and you’re ready to go.
It’s slightly complex but not complicated : reading the wiki documentation is absolutely required.
I’ve tried to share the basics I know to answer to your remarks/questions. What I can say about my experience is that DNScrypt-proxy is to my OS what uBlock Origin is to my (Firefox) browser : indispensable.
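To make the configuration points in this exchange concrete (the listen address, the separate block and allow lists, and the Anonymized DNS relay routing), here is an added example of a minimal dnscrypt-proxy.toml. It is not the project's own example file and not something any commenter posted; the section and key names follow dnscrypt-proxy's documented configuration, while every resolver and relay name is a placeholder to be replaced with entries from the resolver list the proxy fetches.

```toml
# Added example: minimal dnscrypt-proxy.toml (not the project's shipped file).
# 'resolver-placeholder-*' and 'relay-placeholder-*' are placeholders, not real server names.

# Where the local resolver listens. 127.0.0.1:53 answers only this machine;
# 0.0.0.0:53 would accept queries on every IPv4 interface, which is only
# wanted on a box that is meant to resolve for the whole LAN (Pi-hole style).
listen_addresses = ['127.0.0.1:53']

# Accept both DNSCrypt and DNS-over-HTTPS resolvers, but only those whose
# published properties promise no logging, no filtering of their own, and DNSSEC.
dnscrypt_servers = true
doh_servers = true
require_nolog = true
require_nofilter = true
require_dnssec = true

# Pin the resolvers explicitly instead of letting the proxy pick any that qualifies.
server_names = ['resolver-placeholder-1', 'resolver-placeholder-2']

# Block lists: one name or pattern per line in the proxy's own syntax.
# Keep them separate from the Windows HOSTS file, whose format is different.
[blocked_names]
blocked_names_file = 'blocked-names.txt'
log_file = 'blocked-names.log'

[blocked_ips]
blocked_ips_file = 'blocked-ips.txt'

# Allow list: names here are exempt from blocking, for the sites that break
# when one of their tracker hosts is on a block list.
[allowed_names]
allowed_names_file = 'allowed-names.txt'

# Anonymized DNS (DNSCrypt resolvers only): send queries through a relay so
# the resolver never sees the client's IP address.
[anonymized_dns]
routes = [
    { server_name = 'resolver-placeholder-1', via = ['relay-placeholder-1'] }
]
skip_incompatible = false
```

The blocked-names log is worth keeping on while a new list is being trialled: it is the quickest way to see which blocked host a broken site was trying to reach, and that name is what goes into allowed-names.txt.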
Thanks for the update. A shame indeed, but it’s time to get rid of Avast completely.
What’s the best alternative today?
What a shock!!!
Who saw this coming.
Also just a reminder to please discontinue using “I don’t care about cookies” and support other forks such as “I still don’t care about cookies”
CCleaner has not been welcome on my PC a few months before the buyout nor should it be on anyone else’s.
Thanks for the tip Mystique. I’d forgotten that Avast acquired “I still don’t care about cookies” and have just removed it and have installed your recommended version instead.
I for one am flabbergasted. This really took the wind out of my sails. Avast, the most trustworthy and honest company there ever was, the last beacon of honesty, HOW COULD YOU?????!!! Surely there must be some way to blame this on covid or the caucasian homo sapiens heterosexual male?
bahaha yep.
Avast has been a rogue for as long as I can remember.
Surely. There is always a way.
Anybody can post known Avast telemetry hosts? I blocked some in host file but I do not know if they are current.
This is the list I have
ncc.avast.com
auth.ff.avast.com
ip-info.ff.avast.com
analytics.ff.avast.com
ping.avast.com
securebrowser.avast.tools.avcdn.net
ccleaner.tools.avcdn.net
gm.tools.avast.com
au.avastbrowser.com
stats.avg.com
ipm-provider.ff.avast.com
mobile-campaigns.avast.com
v7event.stats.avast.com
v7.stats.avast.com
get-avast.com
media.admob.com
p.admob.com
trac.admob.com
data.altbeacon.org
data.flurry.com
dev.flurry.com
analytics.admob.com
analytics.flurry-cdn.com
a.admob.com
a.fortumo.com
ad.flurry.com
adlog.flurry.com
ads.flurry.com
api.flurry.com
api.fortumo.com
app.igodigital.com
ipm-provider.ff.avast.com
shepherd.ff.avast.com
ipm-provider.ff.avast.co
myexternalip.com
an.avast.com
analytics-prod-gcp.ff.avast.com
analytics-stage.ff.avast.com
analytics.ns1.ff.avast.com
ans.avast.com
feed.ff.avast.com
ipmcdn.avast.com
stats.avast.com
su.ff.avast.com
uib.ff.avast.com
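A list like the one above is usually hand-maintained, so it accumulates case variants, duplicates and the occasional malformed entry (note that the list above contains one host twice). The following is an added example, written here rather than taken from the thread or from any vendor, of a small Python helper that normalizes a plain domain list into hosts-file lines using the 0.0.0.0 sink address discussed earlier in the thread, rejects entries that are not syntactically valid host names instead of silently dropping them, and reports the same four substring shapes (bare, trailing dot, leading dot, both) that the DNSCrypt mybase counts above were computed with. The sample list embedded in it is constructed with .test placeholder names and is not a vetted blocklist.

```python
"""Normalize a plain domain list into hosts-file lines and count pattern hits.

Added example, not code from the thread or from any vendor. SAMPLE_LIST below
is constructed from placeholder '.test' names; it is not a real blocklist.
"""
import re

# RFC 1123-style host name: dot-separated labels of letters, digits and hyphens,
# at least two labels, no leading/trailing hyphen, no trailing dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

SAMPLE_LIST = """\
# constructed sample, not a real blocklist
stats.example-av.test
Stats.Example-AV.test        # same host, different case
telemetry.example-av.test
ads.tracker.test
example-avcdn.test           # bare substring match only, no surrounding dots
bad host name.test           # malformed: spaces
trailing-dot.test.           # malformed for a hosts file: trailing dot
"""


def parse_domains(text):
    """Return (valid, rejected) from a newline-separated domain list.

    '#' comments and blank lines are skipped; names are lower-cased and
    de-duplicated in first-seen order. Anything that is not a syntactically
    valid host name goes to `rejected`, so a typo is reported rather than lost.
    """
    seen = set()
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if not HOSTNAME_RE.match(line):
            rejected.append(line)
            continue
        if line not in seen:
            seen.add(line)
            valid.append(line)
    return valid, rejected


def count_pattern_hits(domains, needle):
    """Count how many names contain each of the four shapes of `needle`:
    bare, trailing dot, leading dot, and dotted on both sides."""
    shapes = [needle, f"{needle}.", f".{needle}", f".{needle}."]
    return {shape: sum(1 for d in domains if shape in d) for shape in shapes}


def to_hosts_lines(domains, sink="0.0.0.0"):
    """Render hosts-file lines. 0.0.0.0 is the sink so a blocked name fails
    immediately instead of being sent to the loopback interface."""
    return [f"{sink} {d}" for d in domains]


if __name__ == "__main__":
    good, bad = parse_domains(SAMPLE_LIST)
    print("\n".join(to_hosts_lines(good)))
    for name in bad:
        print(f"# rejected (not a valid host name): {name!r}")
    for shape, n in count_pattern_hits(good, "example-av").items():
        print(f"{shape} : {n} matches")
```

Validation only catches syntax: a mistyped but well-formed name (the kind of one-letter slip that turns a .com into a .co) still passes, so the rejected list is a safety net, not a substitute for reviewing the entries.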
Thank you. I also became aware that Avast is deleting some of the addresses from the host file automatically. So I have a choice to be spied on (no anonymizing) by my antivirus that I am used to or disable Avast self-protection module and potentially be hacked. I am pretty sure that all antivirus software do it so switching to another antivirus is questionable too.
Just make your hosts file read only and that’s that.