Avast antivirus harvested user data, then sold to Google, Microsoft

Posted:
in General Discussion edited January 2020
The Mac and Windows version of Avast antivirus has been used to harvest user data, an investigation claims, with some sensitive info sold to third parties, including Google, Microsoft, and Intuit.




Avast offers a selection of free and paid-for antivirus and security tools, in both free and in paid-for formats. The tools are popular, with more than 435 million active users per month using it on Macs, PCs, and mobile devices, to keep their data safe from harm.

As part of its offerings, Avast's software provides the option to opt-in to allowing the firm to collect some types of user data, which it then sells on via subsidiary Jumpshot. An investigation by Vice and PC Mag using leaked user data, contracts, and other documents has revealed both the extent of these sales, as well as the breadth of the data being sold by the firm.

Data acquired for the investigation revealed the information collected by Avast is wide-ranging, including Google searches, location look-ups and GPS coordinates from Google Maps, LinkedIn pages, and YouTube video listings. More disturbingly, records porn site visits that are anonymized offer the date and time the user visited the sites, as well as search terms and viewed videos in some instances.

Despite the efforts to anonymize the data, some experts claimed the highly specific browsing data could be used to find out identities.

A wide net

The amount of data being collected may not be well advised to consumers of Avast, with the investigation advised by multiple users they were not aware of the sale of said browsing data.

The subsidiary claims it has data from 100 million devices, with the investigation claiming Jumpshot repackages data collected from Avast into a number of different packages. This also includes a so-called "All Clicks Feed" option, where clients paid millions of dollars to be able to track a user's behavior and movement across websites.

The list of clients include many major firms, such as Google, Yelp, Microsoft, and Pepsi.

Collecting the data was, until recently, conducted via Avast's browser plugin, one that provides warnings to the user about suspicious and malicious websites. A report by security researcher and AdBlock Plus creator Wladimir Palant in October revealed the plugin was used to harvest data in October, prompting Mozilla, Opera, and Google to remove access to Avast's extensions.

Avast told the investigation in a statement it has stopped providing browsing data collected by the extensions to Jumpshot.

The investigation further found from a source and leaked documents that Avast is still performing harvesting, but via the anti-virus software itself, rather than the browser plugins. In the last week, an internal document reveals Avast has started asking users of the free antivirus tool to opt-in to data collection once again.

"If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot," a line of text from an internal handbook advised. The data collected, according to the document, would answer questions about what URLs a user visited, as well as when and in what order.

Lucrative data

The data is a lucrative income for Avast. In copies of contracts with Jumpshot clients, one marketing firm paid over $2 million for data access in 2019, which provided an "Insight Feed" for 20 domains from 14 countries around the world.

That data included the inferred gender of users based on browsing behavior, their age, the "entire URL string" with personally identifiable information removed, and other details. Device IDs are "hashed" to prevent identification of individuals by clients, but as the device IDs do not change for a user unless they completely reinstalled Avast tools, this could allow for a large swathe of data on one user to be built up over time, leading to possible identification down the line.

Avast informed the investigation "because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address, or contact details, from people using our popular free antivirus software." The company went on in a statement to reiterate users had the ability to opt out of sharing data, and that it had started "implementing an explicit opt-in choice for all new downloads of our AV" as of July 2019, with all existing free users prompted to make a choice by February 2020.

It was also insisted Avast complies with the California Consumer Privacy Act and Europe's GDPR across its entire global user base. "We have a long track record of protecting users' devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data," the statement pressed.

Comments

  • Reply 1 of 20
    Ohhh snap!!!

    That is why I don't download Avast or any freebies. I wondered if CCleaner does the same thing by selling the infos to 3rd parties?
    CarnagecornchipCloudTalkintoysandmemagman1979watto_cobradysamoria
  • Reply 2 of 20
    GabyGaby Posts: 190member
    So google, in an obvious PR stunt played the sheep and revoked access to the extension even though they were slyly paying for the data being collected. I guess they didn’t count on being outed as one of their customers...  
    Why anyone would willingly opt in to data collection in the first instance is what I will never understand. Their needs to be some sort of education for people to understand best practices for and why they should be protecting their identity and personal information. Not to mention some firm laws put in place governing any and all collection and or sale of that data because these conniving corporations will simply come up with ever more creative ways of spying on and monetising individuals. 
    toysandmemagman1979watto_cobradysamoria
  • Reply 3 of 20
    gatorguygatorguy Posts: 24,176member
    Ohhh snap!!!

    That is why I don't download Avast or any freebies. I wondered if CCleaner does the same thing by selling the infos to 3rd parties?
    The reportedly used to (at least share) a couple years ago and like Avast claimed it was all anonymized and unidentifiable. I thought an update last year gave users a lot more control over that but you'd have to research it to be sure. FWIW Avast does own them now. 
    edited January 2020
  • Reply 4 of 20
    gatorguygatorguy Posts: 24,176member
    Gaby said:
    So google, in an obvious PR stunt played the sheep and revoked access to the extension even though they were slyly paying for the data being collected. I guess they didn’t count on being outed as one of their customers...  
    Why anyone would willingly opt in to data collection in the first instance is what I will never understand. Their needs to be some sort of education for people to understand best practices for and why they should be protecting their identity and personal information. Not to mention some firm laws put in place governing any and all collection and or sale of that data because these conniving corporations will simply come up with ever more creative ways of spying on and monetising individuals. 
    Sometimes companies call it analytics for "improving the app and/or user experience". It can still end up collecting user data for other purposes. We all tend to allow it tho when they make it sound so innocuous, and in fact it's the default in a lot of operating systems and applications. You have to actively opt out. 

    As for Google, Microsoft etc buying data it was apparently from Jumpstart and almost certainly predated the Avast purchase of the company this past year. Jumpstart FWIW was a fairly well-regarded and very well-known "analytics" firm who dealt with a wide swath of big businesses who needed reliable information on internet marketing: Site traffic, where leads originate, browser shares, conversion rates, etc. Heck Apple themselves might have purchased data from them as they were a trusted source on various web metrics and site visits and a useful resource for those spending money on web advertising. 

    The problem is when the companies we trust to protect us from harvesting are doing the harvesting themselves. That's why all the large browsers, Mozilla, Google, Microsoft etc removed the Avast browser extensions after being advised that that they were pulling user data via their malware detection software without disclosing where and what it was being used for. At least that's what I'm reading. 
    edited January 2020 viclauyycdysamoria
  • Reply 5 of 20
    mac anti virus software is the virus

    wow, so windows
    davenbloggerblogMacProtoysandmelkruppviclauyycanton zuykoviqatedomagman1979dysamoria
  • Reply 6 of 20
    spice-boyspice-boy Posts: 1,450member
    Ohhh snap!!!

    That is why I don't download Avast or any freebies. I wondered if CCleaner does the same thing by selling the infos to 3rd parties?
    Correct, free is never really free. 
    cornchiptoysandmeanton zuykovmagman1979watto_cobradysamoria
  • Reply 7 of 20
    chabigchabig Posts: 641member
    mac anti virus software is the virus

    wow, so windows
    Hasn't this always been known to be true?
    jeffharristoysandmemagman1979watto_cobra
  • Reply 8 of 20
    The removal of personally identifiable data from URL strings is almost certainly not done to a level that would produce anonymity.
    toysandmemagman1979watto_cobra
  • Reply 9 of 20
    MplsPMplsP Posts: 3,911member
    chabig said:
    mac anti virus software is the virus

    wow, so windows
    Hasn't this always been known to be true?
    True viruses are very rare for MacOS, but for some time, viruses haven't been the issue - malware has, and unfortunately, Malware is an issue for MacOS. 
    gatorguycornchiptoysandmewatto_cobradysamoria
  • Reply 10 of 20
    Rayz2016Rayz2016 Posts: 6,957member
    gatorguy said:
    Gaby said:
    So google, in an obvious PR stunt played the sheep and revoked access to the extension even though they were slyly paying for the data being collected. I guess they didn’t count on being outed as one of their customers...  
    Why anyone would willingly opt in to data collection in the first instance is what I will never understand. Their needs to be some sort of education for people to understand best practices for and why they should be protecting their identity and personal information. Not to mention some firm laws put in place governing any and all collection and or sale of that data because these conniving corporations will simply come up with ever more creative ways of spying on and monetising individuals. 
    Sometimes companies call it analytics for "improving the app and/or user experience". It can still end up collecting user data for other purposes. We all tend to allow it tho when they make it sound so innocuous, and in fact it's the default in a lot of operating systems and applications. You have to actively opt out. 

    As for Google, Microsoft etc buying data it was apparently from Jumpstart and almost certainly predated the Avast purchase of the company this past year. Jumpstart FWIW was a fairly well-regarded and very well-known "analytics" firm who dealt with a wide swath of big businesses who needed reliable information on internet marketing: Site traffic, where leads originate, browser shares, conversion rates, etc. Heck Apple themselves might have purchased data from them as they were a trusted source on various web metrics and site visits and a useful resource for those spending money on web advertising. 

    The problem is when the companies we trust to protect us from harvesting are doing the harvesting themselves. That's why all the large browsers, Mozilla, Google, Microsoft etc removed the Avast browser extensions after being advised that that they were pulling user data via their malware detection software without disclosing where and what it was being used for. At least that's what I'm reading. 

    The point of buying more 'anonymised' information is simple: the more anonymous data you have then the easier it is to tie that data until you have a complete profile of someone that is not anonymous at all. And of course, you have the wonderful get-out clause built right in: we don't collect people's personal data, however we're happy to buy  as much of it as we can from shady third parties.

    The problem with selling this data (as Google does) is that you don't know what the buyer already has, so they can easily the data complete the profile from what you've given them, especially if you sold them a different facet of the data a year before.

    Oh, and your attempt to implicate Apple into this without a shred of evidence was  weak, woefully transparent  and, quite frankly, a little bit desperate.





    cornchippscooter63viclauyycmagman1979watto_cobrabadmonkdysamoria
  • Reply 11 of 20
    gatorguygatorguy Posts: 24,176member
    Rayz2016 said:
    gatorguy said:
    Gaby said:
    So google, in an obvious PR stunt played the sheep and revoked access to the extension even though they were slyly paying for the data being collected. I guess they didn’t count on being outed as one of their customers...  
    Why anyone would willingly opt in to data collection in the first instance is what I will never understand. Their needs to be some sort of education for people to understand best practices for and why they should be protecting their identity and personal information. Not to mention some firm laws put in place governing any and all collection and or sale of that data because these conniving corporations will simply come up with ever more creative ways of spying on and monetising individuals. 
    Sometimes companies call it analytics for "improving the app and/or user experience". It can still end up collecting user data for other purposes. We all tend to allow it tho when they make it sound so innocuous, and in fact it's the default in a lot of operating systems and applications. You have to actively opt out. 

    As for Google, Microsoft etc buying data it was apparently from Jumpstart and almost certainly predated the Avast purchase of the company this past year. Jumpstart FWIW was a fairly well-regarded and very well-known "analytics" firm who dealt with a wide swath of big businesses who needed reliable information on internet marketing: Site traffic, where leads originate, browser shares, conversion rates, etc. Heck Apple themselves might have purchased data from them as they were a trusted source on various web metrics and site visits and a useful resource for those spending money on web advertising. 

    The problem is when the companies we trust to protect us from harvesting are doing the harvesting themselves. That's why all the large browsers, Mozilla, Google, Microsoft etc removed the Avast browser extensions after being advised that that they were pulling user data via their malware detection software without disclosing where and what it was being used for. At least that's what I'm reading. 

    The point of buying more 'anonymised' information is simple: the more anonymous data you have then the easier it is to tie that data until you have a complete profile of someone that is not anonymous at all. And of course, you have the wonderful get-out clause built right in: we don't collect people's personal data, however we're happy to buy  as much of it as we can from shady third parties.

    The problem with selling this data (as Google does) is that you don't know what the buyer already has, so they can easily the data complete the profile from what you've given them, especially if you sold them a different facet of the data a year before.

    Oh, and your attempt to implicate Apple into this without a shred of evidence was  weak, woefully transparent  and, quite frankly, a little bit desperate.





    Ummm... Yeah.... Ok then. Google sells anonymized user data?
    What user data is it you think Google is selling, and where do you purchase yours? I guess you don't get out and read a lot. 

    For this article the company selling data is Jumpshot who last year was purchased by Avast. That's why this is a story, not because Jumpstart has customers. And yes Apple buys data as well, if not from Jumpshot then some other company with empirical market data based on user visits and interactions. Did you know Apple has employees tasked with data-mining "anonymized" user data and marketing analytics such as the kind Jumpstart sells? One of their more recent facilities flying under the radar is in Austin with another in San Jose.
    https://www.glassdoor.com/Jobs/Apple-data-mining-scientist-Jobs-EI_IE1138.0,5_KO6,27.htm

    So whether Apple might have purchased data from Jumpshot too, and it would be no huge surprise if they did, matters not one whit for this particular AI story any more than any of the other companies mentioned as Jumpshot customers. The point is not that there's a market for analytical data. There is and a vibrant one.
    What makes this a story is that Jumpshot's new owner who sells malware detection software is mining the same customers it was tasked with protecting from intrusion when they use that malware protection software.

    Adding Google and Microsoft to the story is the clickbait part to get you to read it. Kinda like using "companies such as Apple" in a marginally connected story makes it more attractive as a lead-in. You know, the kinda thing you would typically complain about.

    Jumpshot has thousands of customers who purchase data, many of them world-class market leaders: Revlon, Conde Nast, Yelp, TripAdvisor, Google, Kimberley-Clark, Unilever, Nestle, Microsoft, IBM...
    It does not make those companies "evil" does it? A company whose primary business is protecting you from malware is the story.

    BTW, for those who have no idea what this "data" is, why any company would want to purchase it, and you're not interested enough to spend much time searching for the answer here's a time-saving link or two.
    https://www.jumpshot.com/solutions/industry/brands
    https://www.jumpshot.com/solutions/industry/retail
    edited January 2020 CloudTalkinMplsProundaboutnowviclauyyc
  • Reply 12 of 20
    Ohhh snap!!!

    That is why I don't download Avast or any freebies. I wondered if CCleaner does the same thing by selling the infos to 3rd parties?
    The "Freebies" aren't the only ones who do this.  the Paid companies often do the same thing.  this is usually hidden somewhere in the depths of the user agreement. 
    watto_cobra
  • Reply 13 of 20
    RIP Avast.  You’re dead to me.

    I don’t opt-in to anything, but still... bad behavior shouldn’t be rewarded.  I’ll never buy or install an Avast product.

    magman1979watto_cobra
  • Reply 14 of 20
    gatorguy said:
    Rayz2016 said:
    gatorguy said:
    Gaby said:
    So google, in an obvious PR stunt played the sheep and revoked access to the extension even though they were slyly paying for the data being collected. I guess they didn’t count on being outed as one of their customers...  
    Why anyone would willingly opt in to data collection in the first instance is what I will never understand. Their needs to be some sort of education for people to understand best practices for and why they should be protecting their identity and personal information. Not to mention some firm laws put in place governing any and all collection and or sale of that data because these conniving corporations will simply come up with ever more creative ways of spying on and monetising individuals. 
    Sometimes companies call it analytics for "improving the app and/or user experience". It can still end up collecting user data for other purposes. We all tend to allow it tho when they make it sound so innocuous, and in fact it's the default in a lot of operating systems and applications. You have to actively opt out. 

    As for Google, Microsoft etc buying data it was apparently from Jumpstart and almost certainly predated the Avast purchase of the company this past year. Jumpstart FWIW was a fairly well-regarded and very well-known "analytics" firm who dealt with a wide swath of big businesses who needed reliable information on internet marketing: Site traffic, where leads originate, browser shares, conversion rates, etc. Heck Apple themselves might have purchased data from them as they were a trusted source on various web metrics and site visits and a useful resource for those spending money on web advertising. 

    The problem is when the companies we trust to protect us from harvesting are doing the harvesting themselves. That's why all the large browsers, Mozilla, Google, Microsoft etc removed the Avast browser extensions after being advised that that they were pulling user data via their malware detection software without disclosing where and what it was being used for. At least that's what I'm reading. 

    The point of buying more 'anonymised' information is simple: the more anonymous data you have then the easier it is to tie that data until you have a complete profile of someone that is not anonymous at all. And of course, you have the wonderful get-out clause built right in: we don't collect people's personal data, however we're happy to buy  as much of it as we can from shady third parties.

    The problem with selling this data (as Google does) is that you don't know what the buyer already has, so they can easily the data complete the profile from what you've given them, especially if you sold them a different facet of the data a year before.

    Oh, and your attempt to implicate Apple into this without a shred of evidence was  weak, woefully transparent  and, quite frankly, a little bit desperate.





    Ummm... Yeah.... Ok then. Google sells anonymized user data?
    What user data is it you think Google is selling, and where do you purchase yours? I guess you don't get out and read a lot. 

    For this article the company selling data is Jumpshot who last year was purchased by Avast. That's why this is a story, not because Jumpstart has customers. And yes Apple buys data as well, if not from Jumpshot then some other company with empirical market data based on user visits and interactions. Did you know Apple has employees tasked with data-mining "anonymized" user data and marketing analytics such as the kind Jumpstart sells? One of their more recent facilities flying under the radar is in Austin with another in San Jose.
    https://www.glassdoor.com/Jobs/Apple-data-mining-scientist-Jobs-EI_IE1138.0,5_KO6,27.htm

    So whether Apple might have purchased data from Jumpshot too, and it would be no huge surprise if they did, matters not one whit for this particular AI story any more than any of the other companies mentioned as Jumpshot customers. The point is not that there's a market for analytical data. There is and a vibrant one.
    What makes this a story is that Jumpshot's new owner who sells malware detection software is mining the same customers it was tasked with protecting from intrusion when they use that malware protection software.

    Adding Google and Microsoft to the story is the clickbait part to get you to read it. Kinda like using "companies such as Apple" in a marginally connected story makes it more attractive as a lead-in. You know, the kinda thing you would typically complain about.

    Jumpshot has thousands of customers who purchase data, many of them world-class market leaders: Revlon, Conde Nast, Yelp, TripAdvisor, Google, Kimberley-Clark, Unilever, Nestle, Microsoft, IBM...
    It does not make those companies "evil" does it? A company whose primary business is protecting you from malware is the story.

    BTW, for those who have no idea what this "data" is, why any company would want to purchase it, and you're not interested enough to spend much time searching for the answer here's a time-saving link or two.
    https://www.jumpshot.com/solutions/industry/brands
    https://www.jumpshot.com/solutions/industry/retail
    According to you, Google never does anything wrong!
    magman1979watto_cobra
  • Reply 15 of 20
    gatorguygatorguy Posts: 24,176member
    gatorguy said:
    Rayz2016 said:
    gatorguy said:
    Gaby said:
    So google, in an obvious PR stunt played the sheep and revoked access to the extension even though they were slyly paying for the data being collected. I guess they didn’t count on being outed as one of their customers...  
    Why anyone would willingly opt in to data collection in the first instance is what I will never understand. Their needs to be some sort of education for people to understand best practices for and why they should be protecting their identity and personal information. Not to mention some firm laws put in place governing any and all collection and or sale of that data because these conniving corporations will simply come up with ever more creative ways of spying on and monetising individuals. 
    Sometimes companies call it analytics for "improving the app and/or user experience". It can still end up collecting user data for other purposes. We all tend to allow it tho when they make it sound so innocuous, and in fact it's the default in a lot of operating systems and applications. You have to actively opt out. 

    As for Google, Microsoft etc buying data it was apparently from Jumpstart and almost certainly predated the Avast purchase of the company this past year. Jumpstart FWIW was a fairly well-regarded and very well-known "analytics" firm who dealt with a wide swath of big businesses who needed reliable information on internet marketing: Site traffic, where leads originate, browser shares, conversion rates, etc. Heck Apple themselves might have purchased data from them as they were a trusted source on various web metrics and site visits and a useful resource for those spending money on web advertising. 

    The problem is when the companies we trust to protect us from harvesting are doing the harvesting themselves. That's why all the large browsers, Mozilla, Google, Microsoft etc removed the Avast browser extensions after being advised that that they were pulling user data via their malware detection software without disclosing where and what it was being used for. At least that's what I'm reading. 

    The point of buying more 'anonymised' information is simple: the more anonymous data you have then the easier it is to tie that data until you have a complete profile of someone that is not anonymous at all. And of course, you have the wonderful get-out clause built right in: we don't collect people's personal data, however we're happy to buy  as much of it as we can from shady third parties.

    The problem with selling this data (as Google does) is that you don't know what the buyer already has, so they can easily the data complete the profile from what you've given them, especially if you sold them a different facet of the data a year before.

    Oh, and your attempt to implicate Apple into this without a shred of evidence was  weak, woefully transparent  and, quite frankly, a little bit desperate.





    Ummm... Yeah.... Ok then. Google sells anonymized user data?
    What user data is it you think Google is selling, and where do you purchase yours? I guess you don't get out and read a lot. 

    For this article the company selling data is Jumpshot who last year was purchased by Avast. That's why this is a story, not because Jumpstart has customers. And yes Apple buys data as well, if not from Jumpshot then some other company with empirical market data based on user visits and interactions. Did you know Apple has employees tasked with data-mining "anonymized" user data and marketing analytics such as the kind Jumpstart sells? One of their more recent facilities flying under the radar is in Austin with another in San Jose.
    https://www.glassdoor.com/Jobs/Apple-data-mining-scientist-Jobs-EI_IE1138.0,5_KO6,27.htm

    So whether Apple might have purchased data from Jumpshot too, and it would be no huge surprise if they did, matters not one whit for this particular AI story any more than any of the other companies mentioned as Jumpshot customers. The point is not that there's a market for analytical data. There is and a vibrant one.
    What makes this a story is that Jumpshot's new owner who sells malware detection software is mining the same customers it was tasked with protecting from intrusion when they use that malware protection software.

    Adding Google and Microsoft to the story is the clickbait part to get you to read it. Kinda like using "companies such as Apple" in a marginally connected story makes it more attractive as a lead-in. You know, the kinda thing you would typically complain about.

    Jumpshot has thousands of customers who purchase data, many of them world-class market leaders: Revlon, Conde Nast, Yelp, TripAdvisor, Google, Kimberley-Clark, Unilever, Nestle, Microsoft, IBM...
    It does not make those companies "evil" does it? A company whose primary business is protecting you from malware is the story.

    BTW, for those who have no idea what this "data" is, why any company would want to purchase it, and you're not interested enough to spend much time searching for the answer here's a time-saving link or two.
    https://www.jumpshot.com/solutions/industry/brands
    https://www.jumpshot.com/solutions/industry/retail
    According to you, Google never does anything wrong!
    Then you don't read pay all that much attention to what I write...

    EDIT: Nevermind, I see you've only visited here a dozen times in the past 9 years. You're forgiven for not knowing better. 
    edited January 2020 dysamoria
  • Reply 16 of 20
    pscooter63pscooter63 Posts: 1,080member
    gatorguy said:
    You're forgiven for not knowing better. 
    It's the self-healing Teflon that sets off the rest of us. ;)
    (Well, that, and the whole "damning with faint praise" thing.)
    watto_cobra
  • Reply 17 of 20
    gatorguygatorguy Posts: 24,176member
    gatorguy said:
    You're forgiven for not knowing better. 
    It's the self-healing Teflon that sets off the rest of us. ;)
    (Well, that, and the whole "damning with faint praise" thing.)
    :smile: 
  • Reply 18 of 20
    digitoldigitol Posts: 276member
    If you are any bit worth your salt on the Mac OS, you don't need any virus software! If you have it or have used it, chances are you fall mostly in 2 categories: 1) - Past windoze user. 2.) Novice, to intermediate Mac user. And yes I agree.. I see some google comments here... Yes I agree Google is a huge problem. They knowingly fund, funded by and propagate all sorts of shady illicit, illegal operations. Shame. 
    magman1979watto_cobra
  • Reply 19 of 20
    Come on people. If a company is offering you something for free then >> YOU << are the product. Common sense.
    watto_cobradysamoria
  • Reply 20 of 20
    dysamoriadysamoria Posts: 3,430member
    Fever905 said:
    Come on people. If a company is offering you something for free then >> YOU << are the product. Common sense.
    It’s not common sense. It’s stuff some of us learn by following news about this screwed-up industry.

    It should not be a requirement that people have to be constantly filling up on specialist info just to protect themselves from abuse. That’s why regulation is desperately needed in this business (and no, not from the current administration that only cares about being authoritarian over everyone and anything while helping keep corporations free of accountability).
Sign In or Register to comment.