Avast expands opt-out after data-sharing investigation

Security company will ask all users of its free antivirus if they are willing to let their browsing data be shared with third parties

Avast has been caught up in yet another privacy scandal, with a joint investigation by PC Mag and Motherboard revealing the extent to which the security firm is collecting user browser histories and selling the data on to third parties. 

Last year, Avast browser extensions were spotted collecting browsing data to sell to advertising firms, sparking Chrome, Opera and Firefox to pull the add-ons from their marketplaces, though some have since returned.

Avast said at the time that it removed any identifying information from the browsing history. The PC Mag and Motherboard investigation suggested it's possible to re-identify that data once it's in the hands of marketers. 

The investigation revealed that Avast sells the collected data via its Jumpshot division to third parties such as marketing companies. The browsing history being collected includes every click, keyword search, and entered URLs, harvested not only from browser extensions but also from users of Avast's free antivirus software. 

The collected data is "de-identified" by stripping out personal details, and tagged with an identifying code. However, research casts doubt on whether any large sample of user data can be truly anonymised. Jumpshot's data does not directly identify any specific individual, but when it is combined with other data, it's simple to see who is clicking what, the investigation claims. 

Related Resource

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

For example, if a data harvesting company or marketer bought data from Avast and also from a website you're logged into (for example Amazon), the information provided would make it possible to link the Avast data to your Amazon account, therefore revealing your identity, and tying it to your entire browsing history. The data seen by the investigators includes searches, GPS coordinates on maps, visits to social media accounts, and even what video was watched on a porn site. 

The investigation showed Jumpshot was selling that data to companies that aggregate such information, with customers buying access to that "all clicks feed" for millions of dollars. 

Avast stopped sharing such data collected via extensions after the revelations last year, and in July 2019 started asking users for permission before sharing their browsing data with Jumpshot. It will now also ask all existing users of its free antivirus to opt-in to data sharing in February. 

An Avast spokesperson said the company stopped sharing browser extension data with Jumpshot in December, only using collected information for core security tasks.

"We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details," the spokesperson added.

Avast also noted that users have always had the ability to opt out of such data sharing: "As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020."

The spokesperson added: "We have a long track record of protecting users' devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products."

This isn't the first data privacy scandal to hit Avast: in 2018, Avast pulled an update to its CCleaner tool over data collection concerns

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021
The definitive guide to IT security
Whitepaper

The definitive guide to IT security

9 Apr 2021
Ubiquiti insider says the company downplayed the severity of a major breach
data breaches

Ubiquiti insider says the company downplayed the severity of a major breach

31 Mar 2021
Forex broker FBS leaves millions of customer records exposed
data breaches

Forex broker FBS leaves millions of customer records exposed

25 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021