Avast antivirus harvested user data, then sold to Google, Microsoft
The Mac and Windows version of Avast antivirus has been used to harvest user data, an investigation claims, with some sensitive info sold to third parties, including Google, Microsoft, and Intuit.
![](https://photos5.appleinsider.com/gallery/34298-61655-avast-on-mac-head-l.jpg)
Avast offers a selection of free and paid-for antivirus and security tools, in both free and in paid-for formats. The tools are popular, with more than 435 million active users per month using it on Macs, PCs, and mobile devices, to keep their data safe from harm.
As part of its offerings, Avast's software provides the option to opt-in to allowing the firm to collect some types of user data, which it then sells on via subsidiary Jumpshot. An investigation by Vice and PC Mag using leaked user data, contracts, and other documents has revealed both the extent of these sales, as well as the breadth of the data being sold by the firm.
Data acquired for the investigation revealed the information collected by Avast is wide-ranging, including Google searches, location look-ups and GPS coordinates from Google Maps, LinkedIn pages, and YouTube video listings. More disturbingly, records porn site visits that are anonymized offer the date and time the user visited the sites, as well as search terms and viewed videos in some instances.
Despite the efforts to anonymize the data, some experts claimed the highly specific browsing data could be used to find out identities.
The subsidiary claims it has data from 100 million devices, with the investigation claiming Jumpshot repackages data collected from Avast into a number of different packages. This also includes a so-called "All Clicks Feed" option, where clients paid millions of dollars to be able to track a user's behavior and movement across websites.
The list of clients include many major firms, such as Google, Yelp, Microsoft, and Pepsi.
Collecting the data was, until recently, conducted via Avast's browser plugin, one that provides warnings to the user about suspicious and malicious websites. A report by security researcher and AdBlock Plus creator Wladimir Palant in October revealed the plugin was used to harvest data in October, prompting Mozilla, Opera, and Google to remove access to Avast's extensions.
Avast told the investigation in a statement it has stopped providing browsing data collected by the extensions to Jumpshot.
The investigation further found from a source and leaked documents that Avast is still performing harvesting, but via the anti-virus software itself, rather than the browser plugins. In the last week, an internal document reveals Avast has started asking users of the free antivirus tool to opt-in to data collection once again.
"If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot," a line of text from an internal handbook advised. The data collected, according to the document, would answer questions about what URLs a user visited, as well as when and in what order.
That data included the inferred gender of users based on browsing behavior, their age, the "entire URL string" with personally identifiable information removed, and other details. Device IDs are "hashed" to prevent identification of individuals by clients, but as the device IDs do not change for a user unless they completely reinstalled Avast tools, this could allow for a large swathe of data on one user to be built up over time, leading to possible identification down the line.
Avast informed the investigation "because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address, or contact details, from people using our popular free antivirus software." The company went on in a statement to reiterate users had the ability to opt out of sharing data, and that it had started "implementing an explicit opt-in choice for all new downloads of our AV" as of July 2019, with all existing free users prompted to make a choice by February 2020.
It was also insisted Avast complies with the California Consumer Privacy Act and Europe's GDPR across its entire global user base. "We have a long track record of protecting users' devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data," the statement pressed.
![](https://photos5.appleinsider.com/gallery/34298-61655-avast-on-mac-head-l.jpg)
Avast offers a selection of free and paid-for antivirus and security tools, in both free and in paid-for formats. The tools are popular, with more than 435 million active users per month using it on Macs, PCs, and mobile devices, to keep their data safe from harm.
As part of its offerings, Avast's software provides the option to opt-in to allowing the firm to collect some types of user data, which it then sells on via subsidiary Jumpshot. An investigation by Vice and PC Mag using leaked user data, contracts, and other documents has revealed both the extent of these sales, as well as the breadth of the data being sold by the firm.
Data acquired for the investigation revealed the information collected by Avast is wide-ranging, including Google searches, location look-ups and GPS coordinates from Google Maps, LinkedIn pages, and YouTube video listings. More disturbingly, records porn site visits that are anonymized offer the date and time the user visited the sites, as well as search terms and viewed videos in some instances.
Despite the efforts to anonymize the data, some experts claimed the highly specific browsing data could be used to find out identities.
A wide net
The amount of data being collected may not be well advised to consumers of Avast, with the investigation advised by multiple users they were not aware of the sale of said browsing data.The subsidiary claims it has data from 100 million devices, with the investigation claiming Jumpshot repackages data collected from Avast into a number of different packages. This also includes a so-called "All Clicks Feed" option, where clients paid millions of dollars to be able to track a user's behavior and movement across websites.
The list of clients include many major firms, such as Google, Yelp, Microsoft, and Pepsi.
Collecting the data was, until recently, conducted via Avast's browser plugin, one that provides warnings to the user about suspicious and malicious websites. A report by security researcher and AdBlock Plus creator Wladimir Palant in October revealed the plugin was used to harvest data in October, prompting Mozilla, Opera, and Google to remove access to Avast's extensions.
Avast told the investigation in a statement it has stopped providing browsing data collected by the extensions to Jumpshot.
The investigation further found from a source and leaked documents that Avast is still performing harvesting, but via the anti-virus software itself, rather than the browser plugins. In the last week, an internal document reveals Avast has started asking users of the free antivirus tool to opt-in to data collection once again.
"If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot," a line of text from an internal handbook advised. The data collected, according to the document, would answer questions about what URLs a user visited, as well as when and in what order.
Lucrative data
The data is a lucrative income for Avast. In copies of contracts with Jumpshot clients, one marketing firm paid over $2 million for data access in 2019, which provided an "Insight Feed" for 20 domains from 14 countries around the world.That data included the inferred gender of users based on browsing behavior, their age, the "entire URL string" with personally identifiable information removed, and other details. Device IDs are "hashed" to prevent identification of individuals by clients, but as the device IDs do not change for a user unless they completely reinstalled Avast tools, this could allow for a large swathe of data on one user to be built up over time, leading to possible identification down the line.
Avast informed the investigation "because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address, or contact details, from people using our popular free antivirus software." The company went on in a statement to reiterate users had the ability to opt out of sharing data, and that it had started "implementing an explicit opt-in choice for all new downloads of our AV" as of July 2019, with all existing free users prompted to make a choice by February 2020.
It was also insisted Avast complies with the California Consumer Privacy Act and Europe's GDPR across its entire global user base. "We have a long track record of protecting users' devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data," the statement pressed.
Comments
That is why I don't download Avast or any freebies. I wondered if CCleaner does the same thing by selling the infos to 3rd parties?
As for Google, Microsoft etc buying data it was apparently from Jumpstart and almost certainly predated the Avast purchase of the company this past year. Jumpstart FWIW was a fairly well-regarded and very well-known "analytics" firm who dealt with a wide swath of big businesses who needed reliable information on internet marketing: Site traffic, where leads originate, browser shares, conversion rates, etc. Heck Apple themselves might have purchased data from them as they were a trusted source on various web metrics and site visits and a useful resource for those spending money on web advertising.
The problem is when the companies we trust to protect us from harvesting are doing the harvesting themselves. That's why all the large browsers, Mozilla, Google, Microsoft etc removed the Avast browser extensions after being advised that that they were pulling user data via their malware detection software without disclosing where and what it was being used for. At least that's what I'm reading.
wow, so windows
The point of buying more 'anonymised' information is simple: the more anonymous data you have then the easier it is to tie that data until you have a complete profile of someone that is not anonymous at all. And of course, you have the wonderful get-out clause built right in: we don't collect people's personal data, however we're happy to buy as much of it as we can from shady third parties.
The problem with selling this data (as Google does) is that you don't know what the buyer already has, so they can easily the data complete the profile from what you've given them, especially if you sold them a different facet of the data a year before.
Oh, and your attempt to implicate Apple into this without a shred of evidence was weak, woefully transparent and, quite frankly, a little bit desperate.
What user data is it you think Google is selling, and where do you purchase yours? I guess you don't get out and read a lot.
For this article the company selling data is Jumpshot who last year was purchased by Avast. That's why this is a story, not because Jumpstart has customers. And yes Apple buys data as well, if not from Jumpshot then some other company with empirical market data based on user visits and interactions. Did you know Apple has employees tasked with data-mining "anonymized" user data and marketing analytics such as the kind Jumpstart sells? One of their more recent facilities flying under the radar is in Austin with another in San Jose.
https://www.glassdoor.com/Jobs/Apple-data-mining-scientist-Jobs-EI_IE1138.0,5_KO6,27.htm
So whether Apple might have purchased data from Jumpshot too, and it would be no huge surprise if they did, matters not one whit for this particular AI story any more than any of the other companies mentioned as Jumpshot customers. The point is not that there's a market for analytical data. There is and a vibrant one.
What makes this a story is that Jumpshot's new owner who sells malware detection software is mining the same customers it was tasked with protecting from intrusion when they use that malware protection software.
Adding Google and Microsoft to the story is the clickbait part to get you to read it. Kinda like using "companies such as Apple" in a marginally connected story makes it more attractive as a lead-in. You know, the kinda thing you would typically complain about.
Jumpshot has thousands of customers who purchase data, many of them world-class market leaders: Revlon, Conde Nast, Yelp, TripAdvisor, Google, Kimberley-Clark, Unilever, Nestle, Microsoft, IBM...
It does not make those companies "evil" does it? A company whose primary business is protecting you from malware is the story.
BTW, for those who have no idea what this "data" is, why any company would want to purchase it, and you're not interested enough to spend much time searching for the answer here's a time-saving link or two.
https://www.jumpshot.com/solutions/industry/brands
https://www.jumpshot.com/solutions/industry/retail
I don’t opt-in to anything, but still... bad behavior shouldn’t be rewarded. I’ll never buy or install an Avast product.
EDIT: Nevermind, I see you've only visited here a dozen times in the past 9 years. You're forgiven for not knowing better.
It should not be a requirement that people have to be constantly filling up on specialist info just to protect themselves from abuse. That’s why regulation is desperately needed in this business (and no, not from the current administration that only cares about being authoritarian over everyone and anything while helping keep corporations free of accountability).