Pixel Envy

Written by Nick Heer.

Avast Antivirus Software Collects User Browsing History for Sale by Jumpshot Subsidiary

Last month, you may remember, Avast’s web browser extensions were caught collecting every website users were visiting for sale by its Jumpshot subsidiary. Those extensions were pulled and the company insisted that the information had no personal information attached:

As a final assurance, [Avast CEO Ondrej Vlcek] told Forbes he recognizes customers use Avast to protect their information and so it can’t do anything that might “circumvent the security of privacy of the data including targeting by advertisers.”

“So we absolutely do not allow any advertisers or any third party … to get any access through Avast or any data that would allow the third party to target that specific individual,” he adds. […]

Instead of behaving more ethically, Avast decided to turn their free antivirus software into a piece of spyware.

Joseph Cox, Vice:

The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples’ internet browsing histories. They show that the Avast antivirus program installed on a person’s computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called “All Clicks Feed,” which can track user behavior, clicks, and movement across websites in highly precise detail.

Avast claims to have more than 435 million active users per month, and Jumpshot says it has data from 100 million devices. Avast collects data from users that opt-in and then provides that to Jumpshot, but multiple Avast users told Motherboard they were not aware Avast sold browsing data, raising questions about how informed that consent is.

Michael Kan, PC Magazine:

The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.

[…]

“Most of the threats posed by de-anonymization — where you are identifying people — comes from the ability to merge the information with other data,” said Gunes Acar, a privacy researcher who studies online tracking.

He points out that major companies such as Amazon, Google, and branded retailers and marketing firms can amass entire activity logs on their users. With Jumpshot’s data, the companies have another way to trace users’ digital footprints across the internet.

According to the Jumpshot privacy policy, granular data like this is shared with LiveRamp, among other companies. On its website, LiveRamp brags about its ability to connect customer-specific data from multiple providers under a single identification number. So, it’s not your name, but it is a name, and it’s specific to you. LiveRamp insists that it implements “privacy by design”, but it’s hard to square that with the company’s stated abilities.

Of course, Avast knows de-anonymization is trivial. That’s why it sells an anti-tracking product that explicitly promises to “disguise your online behavior so that no one can tell it’s you” for just $65 per year. That’s nice of Avast: it will sell your identity, and also sell you a product that promises to prevent companies from selling your identity.

Update: Avast has announced that they are shutting down Jumpshot.