Avast has been caught up in yet another privacy scandal, with a joint investigation by PC Mag and Motherboard revealing the extent to which the security firm is collecting user browser histories and selling the data on to third parties.
Last year, Avast browser extensions were spotted collecting browsing data to sell to advertising firms, sparking Chrome, Opera and Firefox to pull the add-ons from their marketplaces, though some have since returned.
Avast said at the time that it removed any identifying information from the browsing history. The PC Mag and Motherboard investigation suggested it’s possible to re-identify that data once it’s in the hands of marketers.
The investigation revealed that Avast sells the collected data via its Jumpshot division to third parties such as marketing companies. The browsing history being collected includes every click, keyword search, and entered URLs, harvested not only from browser extensions but also from users of Avast’s free antivirus software.
The collected data is “de-identified” by stripping out personal details, and tagged with an identifying code. However, research casts doubt on whether any large sample of user data can be truly anonymised. Jumpshot’s data does not directly identify any specific individual, but when it is combined with other data, it’s simple to see who is clicking what, the investigation claims.
For example, if a data harvesting company or marketer bought data from Avast and also from a website you’re logged into (for example Amazon), the information provided would make it possible to link the Avast data to your Amazon account, therefore revealing your identity, and tying it to your entire browsing history. The data seen by the investigators includes searches, GPS coordinates on maps, visits to social media accounts, and even what video was watched on a porn site.
The investigation showed Jumpshot was selling that data to companies that aggregate such information, with customers buying access to that “all clicks feed” for millions of dollars.
Avast stopped sharing such data collected via extensions after the revelations last year, and in July 2019 started asking users for permission before sharing their browsing data with Jumpshot. It will now also ask all existing users of its free antivirus to opt-in to data sharing in February.
An Avast spokesperson said the company stopped sharing browser extension data with Jumpshot in December, only using collected information for core security tasks.
“We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details,” the spokesperson added.
Avast also noted that users have always had the ability to opt out of such data sharing: “As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.”
The spokesperson added: “We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products.”
This isn’t the first data privacy scandal to hit Avast: in 2018, Avast pulled an update to its CCleaner tool over data collection concerns.