In a sensational revelation, an investigation on Monday claimed that the popular Avast antivirus — installed on nearly 435 million Windows, Mac, and mobile devices globally — harvested users’ data via browser plugins and then sold it to third parties, including Microsoft and Google. The joint investigation by Motherboard and PCMag that relied on leaked user data and other company documents found that “the sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it”.
The leaked documents accessed for the investigation were from a subsidiary of the antivirus giant Avast, called Jumpshot.
The Avast antivirus program was installed on a person’s computer that collected the data, and Jumpshot repackaged it into various different products which were sold to big companies.
“Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others,” the report claimed.
Some clients even paid millions of dollars for products that include a so-called “All Clicks Feed”, which can track user behaviour, clicks, and movement across websites in detail.
In copies of contracts with Jumpshot clients, one marketing firm paid over $2 million (roughly Rs. 14 crores) for data access last year.
In a statement shared with IANS, Ondrej Vlcek, Global CEO of Avast said that in December 2019, the company acted quickly to meet browser store standards and are now compliant with browser extension requirements for our online security extensions.
“At the same time, we completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot,” said Vlcek.
Vlcek said it has ensured that Jumpshot does not acquire personal identification information, including name, email address or contact details.
“Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020,” explained the Avast CEO.
Avast offers a selection of free and paid-for antivirus and security tools, in both free and in paid-for formats.
According to the investigation, Avast also recorded “porn site visits that are anonymised, offered the date and time the user visited the sites, as well as search terms and viewed videos in some instances”.
Multiple Avast users told Motherboard they were not aware that Avast sold browsing data, raising questions about how informed that consent is.
The investigation also found that Avast is still harvesting the data, but via the antivirus software itself, rather than the browser plugins.