Czech Anti-Virus Giant Faced Outcry Over Privacy Risks Posed by Data Tracking
Avast’s headquarters in Prague. (Photo: Avast)
Facing intense criticism, anti-virus software maker Avast on Thursday said it will shut down its data-collecting side business Jumpshot. The Avast subsidiary has been funneling detailed internet browsing activity from the firm’s security products and browser extensions to marketers.
Prague-based Avast, founded in 1988, is one of the most popular providers of free anti-virus software, and counts 435 million users of its products, which include software from AVG, a security company it acquired in 2016.
But an investigation by Vice’s Motherboard and PCMag discovered that Avast was using its large installation base to collect users’ browsing histories, details of online purchases and even search engine queries, and then selling this data to third parties via Avast’s Jumpshot arm.
Avast promised that any collected data would be anonymized and user privacy preserved, and stripped out email addresses and personally identifiable information before selling the data to third parties. But Motherboard and PCMag found that the scrubbed browsing data being sold could still be used to identify specific individuals, thus invalidating Avast’s privacy assurances.
An excerpt from Jumpshot’s website promoting its tracking capabilities.
The finding echoes what many privacy and security experts have long warned about attempts to deanonymize data sets. Namely, even data that has been purportedly made anonymous can still often be linked back to individual users.
The situation also highlights a continuing gulf between increasingly strict data protection regulations and user expectations. Avast maintains that it and Jumpshot are compliant with the EU’s General Data Protection Regulation. But when the company’s data collection operations were laid bare, an outcry ensued.
Avast CEO Ondrej Vlcek, who started as CTO and COO with the company in Prague in 2014, apologized to users.
“Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products,” Vlcek writes. “Anything to the contrary is unacceptable.”
‘Every Search, Click and Buy’
Jumpshot is a subsidiary of Avast that it acquired in 2013. Jumpshot started as a tool to optimize computers, cleaning junk files and “tuning” PCs. This category of applications is often watched by security researchers with intense scrutiny, since in the past they have often displayed shady behavior, leading to some being classified as “potentially unwanted programs” by other security vendors.
According to Jumpshot’s website, the company’s software evolved, adding tracking tools that could collect search data, click data and purchase data from 150 websites, including Amazon, Google, Netflix and Walmart. One of Jumpshot’s promotional tags reads: “Examine every search, click and buy. On every site.”
Jumpshot’s customers included Google, Trip Advisor, Conde Nast and Unilever, according to its website. Its partners also included such prominent web-tracking companies as Quantcast, Kantar Media, Lotame, Neustar, LiveRamp and Connexity.
Avast wrapped Jumpshot into both its Avast and AVG anti-virus products, as well as browser apps. The security software vendor also offered a series of security extensions that contained Jumpshot. The tracking capabilities were further woven into Web Shield, an Avast tool that protects people from malicious domains by checking URLs and alerting users if they’re malicious.
Until July 2019, users were automatically enrolled in Jumpshot. In that month, however, Avast changed the default settings in its software, so that users had to actively opt in to having their personal data collected. Avast also began querying users of its free anti-virus products about whether they wanted to share their personal data or not.
In October 2019, Wladimir Palant, one of the creators of the popular AdBlock Plus extension for browsers, wrote that the Avast extensions and browsers connected to Jumpshot were collecting extensive web browsing history from users, without clearly notifying them that they were doing so.
Palant maintained that the data collected went far beyond just what sites a person visited, and also covered how many tabs were open in a browser, how often a site was visited, how long the person visited a site and what regions of different pages they clicked on.
“All that is connected to a number of attributes allowing Avast to recognize you reliably, even a unique user identifier,” Palant warned.
There is a considerable body of evidence suggesting that #Jumpshot was selling data of #Avast users without any aggregation, despite Avast claiming the opposite. And their anonymization approach is inherently incomplete. https://t.co/FNSXb1NA8V
— Yellow Flag (@WPalant) January 29, 2020
Such revelations led some browser makers to crack down. By December 2019, Mozilla began blocking four Avast browser extensions, including Avast Online Security, AVG Online Security, Avast SafePrice and AVG SafePrice, PCMag reports. Opera soon followed suit. Subsequently, Sen. Ron Wyden, D-Ore., a strong consumer privacy advocate, said via Twitter that he planned to query Avast about its business practices.
As noted, the investigation revealed that after tracking data got fed to other companies, such as Amazon, they could use the data to identify the individual user, based on the purchase they’d made. In addition, URLs can contain identifying data that isn’t necessarily PII on its own, but which can still be identifying, for example, because they lead to comments on videos or tweets.
Anti-Virus Market Pressure
Why did Avast begin collecting detailed browsing data in 2015? The company detailed its rationale in a May 2015 blog post, when it began to roll out Jumpshot.
“Currently we do not make any money from this relationship but it is an experiment as to whether we can fund our security products indirectly instead of nagging our users to upgrade,” Vince Steckler, Avast’s CEO at the time, wrote in the blog post.
Avast went public in May 2018.
The consumer anti-virus market remains an extremely competitive business. Many AV companies have long offered a less-featured free product in hopes that consumers would upgrade to a subscription-based product.
Steckler assured users that the 150 billion URLs collected each month would be cleansed of personally identifiable data before the data was passed on from Avast’s servers.
“Nothing can be used to identify or target individuals,” he wrote.
Executive Editor Mathew Schwartz contributed to this story.