Avast cans data harvesting subsidiary after outcry

Consumer antivirus specialist Avast is to end its provision of data to its Jumpshot subsidiary and wind down the unit after a joint investigation by Motherboard and PCMag found it was harvesting user browsing information and data through its browser extensions and selling it through Jumpshot to corporate clients and advertisers.

Leaked documents obtained by the investigators revealed that Jumpshot had sold data from 100 million opted-in devices to clients including Condé Nast, Google, Home Depot, Intuit, McKinsey, Microsoft, Pepsi, and Yelp, among many others, charging them millions of dollars for a feed that tracked user behaviour, clicks and movement across websites.

Motherboard and PCMag saw data including search terms, locations and GPS coordinates, visits to company LinkedIn pages, YouTube videos and PornHub content.

Until last year, this data was collected through those who had installed Avast’s Online Security browser plugin, but in October 2019 this practice was exposed in a disclosure by security researcher Wladimir Palant. After this, Google, Mozilla and Opera all removed Avast’s extensions from their browser stores, and as a partial result of this, Avast ended the practice.

In response to the investigation, Avast at first issued a statement confirming it had taken steps to ensure that it was fully compliant with browser extension requirements and discontinued the practice of using any data from its browser extensions for any purpose other than its core security engine.

“We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details. Users have always had the ability to opt out of sharing data with Jumpshot,” said a spokesperson.

However, the leaked documents revealed that when Avast switched stopped scraping data from its extension software, it still took data from its actual anti-virus software. The report stated that it began asking users of the product to opt-in to data sharing in January 2020.

This was confirmed by Avast’s spokesperson, who said: “As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.

“Our privacy policy details the protections we put in place for all our users. Users can also choose to adjust their privacy levels using the broad range of settings available in our products, including control over any data sharing at any time.”

In a move that Avast has characterised as reflecting its “commitment to user safety and privacy protection”, it has now had a change of heart and dropped Jumpshot altogether.

“Avast’s core mission is to keep its users safe online and to give users control over their privacy. The bottom line is that any practices that jeopardise user trust are unacceptable to Avast,” said Avast CEO Ondrej Vlcek.

“We are vigilant about our users’ privacy, and we took quick action to begin winding down Jumpshot’s operations after it became evident that some users questioned the alignment of data provision to Jumpshot with our mission and principles that define us as a company,”

Jumpshot was started in 2015 under the pretext of extending Avast’s data analytics capabilities beyond its core security business. At the time, Vlcek explained, the company took the view that cyber security was “going to be a big data game”.

Vlceck, who became CEO in the summer of 2019, said Avast had thought it could use its tools and resources to do this more securely than other data sales operations, providing marketers with trend analytics and statistics that were de-identified, rather than the historically pervasive specific user targeting.

He stressed that Avast had always known it was critical the data be handled ethically, including de-identification, and contractually requiring that no individual users would be targeted for marketing and advertising.

Moreover, he claimed, the Jumpshot unit had always operated in full compliance with relevant regulations, such as the General Data protection Regulation (GDPR), and users had always been given control over their data sharing – although the initial investigation spoke to several consumers of Avast products who said they had been entirely unaware of this and felt duped.

“Avast has a long track record of protecting users’ devices and data against malware through our award-winning products, and the company understands and takes seriously the responsibility to balance user privacy with the necessary use of data,” said Vlcek.

“With the ever-changing nature of threats to users online today and in the future, Avast is focused on innovating to enhance our products for the benefit of our users and the protection of their privacy. To that end, we will continue to demonstrate our innovative new products and security as we move forward with a singular vision in 2020 and beyond.”