Antivirus company Avast has been selling the browsing history of all its free software users, a joint investigation by Motherboard and PC Mag concluded. Avast has not been dealing directly with interested parties, but has been using a subsidiary called Jumpshot. Clients of this data broker include Google, Microsoft, Home Depot, Pepsi, Unilever and McKinsey.
Highly Sensitive Web Browsing Data Sold Off
“An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world’s biggest companies,” the Motherboard and PC Mag joint investigation found. “Every search, every click and every buy, on every site” is sold to anyone who is willing to pay.
Leaked documents show that, besides web browsing history, Avast also collects search histories, GPS coordinates and which videos users have watched on YouTube and on porn sites. In some cases, the time a user visited the site, the specific video they watched and the queries they entered were also logged.
The information sold is not linked to a person, but nonetheless, it is possible to find out a user’s identity. When device ID x using device type y buys product z via a certain company’s website on a specific date and time, not much is known about the identity of the consumer. But the company selling product x could easily trace who bought that product on that day and time. Suddenly that device ID has a name. And whatever other information Avast has got on device ID x is no longer anonymous.
All Clicks Feed
According to reports, Avast has stopped using data for “any other purpose than the core security engine”. But subsidiary Jumpshot can still obtain data through Avast’s main antivirus applications. With this data, Jumpshot has created several “data packages” that it sells to companies. “Some clients paid millions of dollars for products that include a so-called “All Clicks Feed”, which can track user behavior, clicks, and movement across websites in highly precise detail”, Motherboard said.
Data obtained by Motherboard and PC Mag shows that some companies want to keep their purchase of the personal data secret. Employees are instructed not to talk publicly about their company’s relationship with Jumpshot. In a press release Jumpshot previously named Condé Nast, Google, Microsoft, Revlon, Yelp and TripAdvisor as customers. Other possible clients include Bain & Company, Expedia, GfK, Hitwise, Home Depot, Intuit, L’Oréal, McKinsey, Pepsi and vidIQ, among others.
“Motherboard and PC Mag contacted over two dozen companies mentioned in internal documents. Only a handful responded to questions asking what they do with data based on the browsing history of Avast users,” according to Motherboard.
Millions of Users Unknowingly Opt-In
Avast has been making antivirus software for years, some versions of which are offered for free. They have over 435 million active users per month. Data is being collected from a quarter of these users, which equates to approximately 100 million customers. Only a quarter of users are affected because data collection is now only possible if users ‘opt-in’.
Unfortunately, most people still opt-in without reading through the terms and conditions. Even so, while the opt-in option does discuss Jumpshot using the data, it does not explicitly say that his data is then being on sold to other companies. “Many users told Motherboard that they were not aware Avast sold browsing data, raising questions about how informed that consent is,” Motherboard said.
It is not the first time that Avast has been caught collecting private data. A browser plug-in from the antivirus company was recently removed by Mozilla, when it turned out that it was sending an unreasonable amount of private information to the creator.