Avast’s extra money-making practices uncovered: subsidiary harvested user data and sold it to high-profile companies like Microsoft and Google
In the joint effort of PCMag[1] and Motherboard, it was uncovered that anti-virus maker Avast’s subsidiary was collecting user web browsing information and selling it for profit. The report was compiled of contracts, user information, company documents, and other evidence that proved the case to be true. Soon after the publications of several news outlets, Avast announced that it is getting rid of Jumpshot, following user concerns about privacy.
Motherboard said that the data was being sold to giant organizations and companies like Microsoft, Google, Pepsi, Home Depot, Yelp, TripAdvisor, and many others. The report also noted that the data harvested should have been confidential between Avast and its customers:[2]
Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it.
The Czech-based Avast Software is the 5th most popular third-party anti-virus provider running its applications on millions of machines worldwide.[3] Security software is present on more than 435 million users’ computers, and the data gathered by Jumpshot comes from 100 million devices. The news about such practice caused outrage among AV’s users, and the concerns are most certainly justified.
Avast users were unaware that the anonymous data they opt-in to share will be sold
Users who install Avast anti-virus software on their computers have an option to opt-in into anonymous data collection. While this practice is very common among various software makers, customers were not aware that this information is compiled and sold to other organizations for marketing purposes.
The type of collected user browsing information is what caused concerns, as it did not only include typical anonymous data like visited websites and cookies but also details that considered to be private, including the precise location on Google Maps, search queries, viewed YouTube videos, porn sites visited. What makes it worse is that, in some cases, the searches and links clicked on porn and social media sites were also harvested.
Another serious issue is that the collected information is marked by a timestamp and is also linked to a particular device, which could potentially deanonymize users of interest, causing significant privacy issues, and impact their personal lives.
Avast’s CEO response was to wind down Jumpshot’s operations immediately
Jumpshot’s role in the data-selling business was obviously very significant: the data collected through anti-virus software was provided to Jumpshot, which would prepare and repackage it into various products, then selling it to appropriate enterprise clients.
It is evident that Avast was aware of its subsidiary doings; when the story broke out, however, the ramifications were severe for Jumpshot, as it was laid off its duties with an “immediate effect,” costing many people their jobs. Avast’s CEO Ondrej Vlcek, who became one just seven months ago, said in a blog post on Wednesday:[4]
Avast’s core mission is to keep people around the world safe and secure, and I realize the recent news about Jumpshot has hurt the feelings of many of you, and rightfully raised a number of questions – including the fundamental question of trust.
Following the concerns, Vlcek, along with a board of directs, decided to terminate Jumphot’s operations immediately. The move also comes from a perspective that it will help the company to “deliver on its promise of security and privacy.”
Current customers of Jumpshot will continue its operations as usual during this wind-down period, and the transition is expected to be as smooth as possible, as reported in Avast’s press release on Thursday.[5]
Regaining customers’ trust might be difficult
This incident only proves that not an adequate amount of information is provided to users when they are opting into “anonymous” data collection schemes. Additionally, it also highlights the problem of anonymous data collection practices: with enough effort, each device user could be identified, and their most sensitive information, such as their porn site preferences, could be disclosed. Without a doubt, Avast lost the trust of many customers globally.
Users put trust into companies that are meant to protect their data from being stolen or otherwise compromised; in this perspective, Avast’s seemingly drastic measures appear to be justified, although it does not condone the AV maker, as it was a direct link that resulted in data selling practices.