Avast may be harvesting and selling user data

You know that awful feeling you get when something that is initially supposed to protect you ends up harming you instead? Well, users of the popular free antivirus software Avast are about to get a taste of what that feels like as a joint investigation by PC Mag and Vice’s Motherboard alleges that the company has been spying on their users.

Since PC Mag and Motherboard broke the story, and did all the legwork for the piece, I would encourage you to read their full report for the entire story. However, if for whatever reason you don’t have the time to, here’s the gist of the situation.

According to the reports, antivirus company Avast has been harvesting the highly sensitive web browsing data of their over 400 million active users through the antivirus software itself, and selling them to some of the biggest companies on the planet. Reportedly, those companies are buying this information including something that’s called the “All Clicks Feed” from Avast subsidiary Jumpshot. Jumpshot, by the way, says that it has access to data from over 100 million devices. This information is highly detailed, and can track user behaviour, clicks and movement across websites.

Avast says that it’s collecting this data from its customers on an opt-in basis, however several customers have reached out to Motherboard claiming that they had no knowledge of this at all. It is worth noting that Avast has been caught red-handed collecting browsing data from their customers through a browser extension, a move that had their plugin banned across browser makers Mozilla, Opera, and Google.

In a tweet meant to “entice new clients” Jumpshot bragged that it collects “Every search. Every click. Every buy. On every site”, which in itself sounds absolutely terrifying. Although the company says that the information has been de-identified and each device is instead assigned a device ID. However, the problem is that the device ID does not change for each user, so de-anonymisation becomes a big concern when the eventual end-user of Jumpshot’s data can them match it with their own data.

That’s because Jumpshot’s data tracks user behaviour and clicks down to the milisecond, so a company could theoretically compare that data with their own bank of customer data to identify them. And, according to experts, this isn’t impossible because it’s “almost impossible to de-identify data”.

Again, I would strongly encourage you to read the full report by Motherboard and PC Mag because it is a fascinating read to say the least. Although we’ve seen many reports like these break over the years, it can still be hard to fully grasp that sometimes we pay the most for the things in our life that are free.