There’s some good news today for users of Avast and AVG antivirus products. Personal search histories, clicks, and details of online purchases will no longer be covertly collected and sold to third parties. Avast, which owns AVG, has announced that it is shutting down its subsidiary, Jumpshot, which was doing just that.
Jumpshot would likely still be fully operational were it not for a joint investigation by Motherboard and PCMag. They obtained leaked data about the activities of Jumpshot, including company documents and contracts showing how Avast and AVG users’ data was being collected, repackaged, and sold on to a wide range of companies including Google, Microsoft, Home Depot, IBM, and Intuit to name but a few.
In addition to protecting users from malware, the antivirus solutions collected browsing data, which included an “all clicks” feed. Users’ movements across the web were also precisely tracked. Motherboard and PCMag also obtained sample data from certain users of the antivirus solutions. The data was highly detailed and included the exact webpages users had visited, the videos they had watched – on YouTube in particular but also porn websites – along with searches on porn sites, online purchases, Google searches, and even Google Maps GPS coordinates. According to the reports from Motherboard and PCMag, Jumpshot collected data from around 100 million devices.
Data was collected by an Avast browser plugin, although that was stopped after security researcher and AdBlock Plus creator Wladimir Palant wrote a blog post explaining the plugin was collecting browser data in addition to blocking access to malicious websites. But the data collection continued through the antivirus app.
The data was stripped of identifiers, so individuals could not be identified, but the highly detailed nature of the data meant it could be possible to re-identify individuals. Data was only collected on individuals who opted in to sharing data with Avast when installing the antivirus solutions or when prompted to do so through pop-ups. However, it is unlikely that users of the AV solutions knew what sharing data with Avast entailed.
It is certainly good news that the practice has stopped, but the worrying that it was happening in the first place. The revelations show how important it is to read T&Cs before opting into data sharing, so you know exactly what it is likely to entail.
“Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable,” said Avast CEO Ondrej Vlcek in an open letter posted on the company blog. “For these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”