Avast expands opt-out after data-sharing investigation

Security company will ask all users of its free antivirus if they are willing to let their browsing data be shared with third parties

Avast has been caught up in yet another privacy scandal, with a joint investigation by PC Mag and Motherboard revealing the extent to which the security firm is collecting user browser histories and selling the data on to third parties. 

Last year, Avast browser extensions were spotted collecting browsing data to sell to advertising firms, sparking Chrome, Opera and Firefox to pull the add-ons from their marketplaces, though some have since returned.

Avast said at the time that it removed any identifying information from the browsing history. The PC Mag and Motherboard investigation suggested it's possible to re-identify that data once it's in the hands of marketers. 

The investigation revealed that Avast sells the collected data via its Jumpshot division to third parties such as marketing companies. The browsing history being collected includes every click, keyword search, and entered URLs, harvested not only from browser extensions but also from users of Avast's free antivirus software. 

The collected data is "de-identified" by stripping out personal details, and tagged with an identifying code. However, research casts doubt on whether any large sample of user data can be truly anonymised. Jumpshot's data does not directly identify any specific individual, but when it is combined with other data, it's simple to see who is clicking what, the investigation claims. 

Related Resource

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

For example, if a data harvesting company or marketer bought data from Avast and also from a website you're logged into (for example Amazon), the information provided would make it possible to link the Avast data to your Amazon account, therefore revealing your identity, and tying it to your entire browsing history. The data seen by the investigators includes searches, GPS coordinates on maps, visits to social media accounts, and even what video was watched on a porn site. 

The investigation showed Jumpshot was selling that data to companies that aggregate such information, with customers buying access to that "all clicks feed" for millions of dollars. 

Avast stopped sharing such data collected via extensions after the revelations last year, and in July 2019 started asking users for permission before sharing their browsing data with Jumpshot. It will now also ask all existing users of its free antivirus to opt-in to data sharing in February. 

An Avast spokesperson said the company stopped sharing browser extension data with Jumpshot in December, only using collected information for core security tasks.

"We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details," the spokesperson added.

Avast also noted that users have always had the ability to opt out of such data sharing: "As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020."

The spokesperson added: "We have a long track record of protecting users' devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products."

This isn't the first data privacy scandal to hit Avast: in 2018, Avast pulled an update to its CCleaner tool over data collection concerns

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Misconfigured Git servers lead to Nissan data leak
hacking

Misconfigured Git servers lead to Nissan data leak

7 Jan 2021
BackupAssist teams with Wasabi to offer cheaper backup for businesses
backup

BackupAssist teams with Wasabi to offer cheaper backup for businesses

6 Jan 2021
Data: A resource much too valuable to leave unprotected
Whitepaper

Data: A resource much too valuable to leave unprotected

2 Dec 2020
Webhose and Signal Corp boost data breach detection
Security

Webhose and Signal Corp boost data breach detection

7 Oct 2020

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021