1.27.2020 6:02 PM

Popular antivirus program is quietly selling millions of users' data

It's not the first time Avast has been likened to spyware.

An antivirus company that boasts hundreds of millions of users has been siphoning sensitive browsing data and selling it to major companies around the world via a subsidiary program, according to an explosive new joint investigation from PCMag and Motherboard. Jumpshot, a division of Avast, has sold de-identified data to names such as Google, Microsoft, Yelp, Pepsi, and more, largely unbeknownst to its 100 million users.

That includes everything from Google searches and Google Maps coordinates to YouTube videos and visits to porn sites — in some cases down to the very search terms used.

Honestly, what the fuck — Here’s yet another example of a company profiting off services that “protect” users’ online activity while simultaneously engaging in shady practices that could put these same users at risk. If nothing else, it feels extremely invasive. While the data may be de-identified before it’s sold to outside parties, the report points out that in some cases, it isn't all that hard to trace this information back to its owner.

Couple those device IDs with timestamped activity logs and additional data collected from Google, for example, and… well, that information isn’t so anonymous anymore. “Most of the threats posed by de-anonymization — where you are identifying people — comes from the ability to merge the information with other data,” Günes Acar, of the Katholieke Universiteit’s Computer Security and Industrial Cryptography research group, told the publications.

This isn't even the first time Avast has come under fire for its data collection practices. In the past, some have gone as far as to call the program spyware, which is dishearteningly ironic given its purpose.

Opt-in, sell your soul — According to the report, high-paying clients were able to purchase an “All Clicks Feed,” among other products, giving them access to users’ precise internet activity. Avast has made some changes to its data-collection practices in recent years and, while the company recently said it stopped sharing data it had gathered through its browser plugin with Jumpshot, documents viewed by PCMag and Motherboard plus intel from a source familiar with the matter suggest otherwise.

The software itself now prompts users to opt in to data collection. For those who do, “that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot.” Users who spoke to the publications said that though they did opt in, they didn’t realize their data would be sold.

Read the fine print — But even that isn’t always enough to know exactly what’s happening with your data, unfortunately. As the report points out, Avast’s pop-up does note that it shares data with Jumpshot, which may then provide its customers “aggregated insights,” but it fails to go into detail beyond that. Ah, how perfectly vague.